key trust updates

This commit is contained in:
Paolo Matarazzo
2022-11-17 17:28:32 -05:00
parent 77eaa033f9
commit 35652b7eeb
8 changed files with 73 additions and 80 deletions

View File

@ -1,13 +1,7 @@
---
title: Deploy certificates for remote desktop sign-in
description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: erikdau
ms.collection:
- M365-identity-device-management
- ContentEngagementFY23
ms.topic: how-to
localizationpriority: medium
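Review bot: the frontmatter shown after this hunk has no `ms.date`, while the hunk header (-1,13 +1,7) shows six lines removed and every other file touched in this commit keeps `ms.date: 08/19/2018`; if the date was among the removed lines, add an `ms.date` that reflects this change so the page's last-reviewed date matches the new cloud Kerberos trust wording in `description`.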

View File

@ -184,7 +184,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr
## Hybrid deployment
The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
### Related to hybrid deployment
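Review bot: the rewritten sentence capitalizes "The Hybrid deployment model" while "hybrid deployment" is lowercase earlier in the same paragraph and in the "## Hybrid deployment" heading; use "The hybrid deployment model". Consider the serial comma in the new list ("cloud Kerberos trust, key trust, and certificate trust"), and check that the "### Related to hybrid deployment" section that follows lists the cloud Kerberos trust guide alongside the other two trust types now that the paragraph says three.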

View File

@ -4,11 +4,11 @@ description: How to Prepare and Deploy Windows Server 2016 Active Directory Fede
ms.date: 08/19/2018
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-<b>On-premises deployment</b>
-<b>Key trust</b>
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust
[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration.
The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
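Review bot: "Windows Information Database" in the context line about the AD FS configuration database should be "Windows Internal Database (WID)"; since the page is being touched, fix it here. Separately, the H1 keeps title case ("Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust") while the TOC entry in this same commit becomes "Prepare and deploy Active Directory Federation Services (AD FS)"; align the H1 with the new TOC wording so the two don't drift.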

View File

@ -4,15 +4,14 @@ description: Configure Windows Hello for Business Policy settings for Windows He
ms.date: 08/19/2018
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-<b>On-premises deployment</b>
-<b>Key trust</b>
---
# Configure Windows Hello for Business Policy settings - Key Trust
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
To run the Group Policy Management Console from a Windows client, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows client installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business
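Review bot: the replacement paragraph still carries the grammar slip from the old text, "copy them their respective language folder" (missing "to"), and the following line, "On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting", sits on the key trust policy page and uses a singular verb: check whether "certificate-based" is the intended trust type here and change "needs" to "need". The hunk also replaces the explicit "Windows 10, version 1703" minimum with "Windows client"; if a minimum version is still required for the PIN complexity settings the old text mentions, state it rather than dropping it.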

View File

@ -4,11 +4,11 @@ description: How to Validate Active Directory prerequisites for Windows Hello fo
ms.date: 08/19/2018
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-<b>On-premises deployment</b>
-<b>Key trust</b>
---
# Validate Active Directory prerequisites - Key Trust
[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
> [!NOTE]
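Review bot: "read the [Windows Hello for Business planning guide], the [Planning an adequate number ...] section" reads as two separate targets; reword to "read the Planning an adequate number of Windows Server 2016 or later Domain Controllers section of the Windows Hello for Business planning guide". Also spell out "2016 or later domain controllers" as "Windows Server 2016 or later domain controllers", as the linked section title does.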

View File

@ -4,11 +4,11 @@ description: How to Validate and Deploy Multifactor Authentication (MFA) Service
ms.date: 08/19/2018
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-<b>On-premises deployment</b>
-<b>Key trust</b>
---
# Validate and Deploy Multifactor Authentication (MFA)
[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
> [!IMPORTANT]
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
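Review bot: the H1 "Validate and Deploy Multifactor Authentication (MFA)" lacks the "- Key Trust" suffix that the sibling pages in this commit use ("Validate Active Directory prerequisites - Key Trust", "Validate and Configure Public Key Infrastructure - Key Trust"), and spells "Multifactor" without the hyphen the new TOC entry uses ("multi-factor authentication (MFA) services"); pick one form. Given the IMPORTANT note that MFA Server is no longer offered for new deployments as of July 1, 2019, consider leading the page with the Azure AD Multi-Factor Authentication path rather than the deprecated server.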

View File

@ -4,11 +4,11 @@ description: How to Validate Public Key Infrastructure for Windows Hello for Bus
ms.date: 08/19/2018
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-<b>On-premises deployment</b>
-<b>Key trust</b>
---
# Validate and Configure Public Key Infrastructure - Key Trust
[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.
## Deploy an enterprise certificate authority
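Review bot: "The certificate serves as a root of trust for clients" is imprecise: the domain controller certificate is a leaf certificate, and what the client actually relies on is that it chains to an enterprise CA the client already trusts. Suggest: "Clients use the domain controller's certificate, which must chain to an enterprise CA they trust, to confirm they are authenticating to a legitimate domain controller rather than a rogue one." Also "must have a public key infrastructure" reads better as "requires a public key infrastructure".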

View File

@ -2,12 +2,12 @@
href: index.yml
- name: Overview
items:
- name: Windows Hello for Business Overview
- name: Windows Hello for Business overview
href: hello-overview.md
- name: Concepts
expanded: true
items:
- name: Passwordless Strategy
- name: Passwordless strategy
href: passwordless-strategy.md
- name: Why a PIN is better than a password
href: hello-why-pin-is-better-than-password.md
@ -15,7 +15,7 @@
href: hello-biometrics-in-enterprise.md
- name: How Windows Hello for Business works
href: hello-how-it-works.md
- name: Technical Deep Dive
- name: Technical deep dive
items:
- name: Provisioning
href: hello-how-it-works-provisioning.md
@ -25,93 +25,93 @@
href: webauthn-apis.md
- name: How-to Guides
items:
- name: Windows Hello for Business Deployment Overview
- name: Windows Hello for Business deployment overview
href: hello-deployment-guide.md
- name: Planning a Windows Hello for Business Deployment
- name: Planning a Windows Hello for Business deployment
href: hello-planning-guide.md
- name: Deployment Prerequisite Overview
- name: Deployment prerequisite overview
href: hello-identity-verification.md
- name: Prepare people to use Windows Hello
href: hello-prepare-people-to-use.md
- name: Deployment Guides
- name: Deployment guides
items:
- name: Hybrid Cloud Kerberos Trust Deployment
- name: Hybrid cloud Kerberos trust deployment
href: hello-hybrid-cloud-kerberos-trust.md
- name: Hybrid Azure AD Joined Key Trust
- name: Azure AD join
items:
- name: Hybrid Azure AD Joined Key Trust Deployment
- name: Cloud-only deployment
href: hello-aad-join-cloud-only-deploy.md
- name: On-premises SSO for Azure AD joined devices
href: hello-hybrid-aadj-sso.md
- name: Configure Azure AD joined devices for on-premises SSO
href: hello-hybrid-aadj-sso-base.md
- name: Using certificates for on-premises SSO
href: hello-hybrid-aadj-sso-cert.md
- name: Hybrid Azure AD join with key trust
items:
- name: Key trust deployment
href: hello-hybrid-key-trust.md
- name: Prerequisites
href: hello-hybrid-key-trust-prereqs.md
- name: New Installation Baseline
- name: New installation baseline
href: hello-hybrid-key-new-install.md
- name: Configure Directory Synchronization
- name: Configure directory synchronization
href: hello-hybrid-key-trust-dirsync.md
- name: Configure Azure Device Registration
- name: Configure Azure AD device registration
href: hello-hybrid-key-trust-devreg.md
- name: Configure Windows Hello for Business settings
href: hello-hybrid-key-whfb-settings.md
- name: Sign-in and Provisioning
- name: Sign-in and provisioning
href: hello-hybrid-key-whfb-provision.md
- name: Hybrid Azure AD Joined Certificate Trust
- name: Hybrid Azure AD join with certificate trust
items:
- name: Hybrid Azure AD Joined Certificate Trust Deployment
- name: Certificate trust deployment
href: hello-hybrid-cert-trust.md
- name: Prerequisites
href: hello-hybrid-cert-trust-prereqs.md
- name: New Installation Baseline
- name: New installation baseline
href: hello-hybrid-cert-new-install.md
- name: Configure Azure Device Registration
- name: Configure Azure AD device registration
href: hello-hybrid-cert-trust-devreg.md
- name: Configure Windows Hello for Business settings
href: hello-hybrid-cert-whfb-settings.md
- name: Sign-in and Provisioning
- name: Sign-in and provisioning
href: hello-hybrid-cert-whfb-provision.md
- name: On-premises SSO for Azure AD Joined Devices
- name: Active Directory domain join with key trust
items:
- name: On-premises SSO for Azure AD Joined Devices Deployment
href: hello-hybrid-aadj-sso.md
- name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
href: hello-hybrid-aadj-sso-base.md
- name: Using Certificates for AADJ On-premises Single-sign On
href: hello-hybrid-aadj-sso-cert.md
- name: On-premises Key Trust
items:
- name: On-premises Key Trust Deployment
- name: Key trust deployment
href: hello-deployment-key-trust.md
- name: Validate Active Directory Prerequisites
- name: Validate Active Directory prerequisites
href: hello-key-trust-validate-ad-prereq.md
- name: Validate and Configure Public Key Infrastructure
- name: Validate and configure Public Key Infrastructure (PKI)
href: hello-key-trust-validate-pki.md
- name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
- name: Prepare and deploy Active Directory Federation Services (AD FS)
href: hello-key-trust-adfs.md
- name: Validate and Deploy Multi-factor Authentication (MFA) Services
- name: Validate and deploy multi-factor authentication (MFA) services
href: hello-key-trust-validate-deploy-mfa.md
- name: Configure Windows Hello for Business policy settings
href: hello-key-trust-policy-settings.md
- name: On-premises Certificate Trust
- name: Active Directory domain join with certificate trust
items:
- name: On-premises Certificate Trust Deployment
- name: Certificate trust deployment
href: hello-deployment-cert-trust.md
- name: Validate Active Directory Prerequisites
- name: Validate Active Directory prerequisites
href: hello-cert-trust-validate-ad-prereq.md
- name: Validate and Configure Public Key Infrastructure
- name: Validate and configure Public Key Infrastructure (PKI)
href: hello-cert-trust-validate-pki.md
- name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
- name: Prepare and Deploy Active Directory Federation Services (AD FS)
href: hello-cert-trust-adfs.md
- name: Validate and Deploy Multi-factor Authentication (MFA) Services
- name: Validate and deploy multi-factor authentication (MFA) services
href: hello-cert-trust-validate-deploy-mfa.md
- name: Configure Windows Hello for Business policy settings
href: hello-cert-trust-policy-settings.md
- name: Azure AD join cloud only deployment
href: hello-aad-join-cloud-only-deploy.md
- name: Managing Windows Hello for Business in your organization
href: hello-manage-in-organization.md
- name: Deploying Certificates to Key Trust Users to Enable RDP
- name: Deploy certificates for RDP sign-in
href: hello-deployment-rdp-certs.md
- name: Windows Hello for Business Features
- name: Manage Windows Hello for Business in your organization
href: hello-manage-in-organization.md
- name: Windows Hello for Business features
items:
- name: Conditional Access
- name: Conditional access
href: hello-feature-conditional-access.md
- name: PIN Reset
href: hello-feature-pin-reset.md
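Review bot: capitalization is inconsistent between the renamed entries: under "Active Directory domain join with key trust" the AD FS item is "Prepare and deploy Active Directory Federation Services (AD FS)", but under "Active Directory domain join with certificate trust" it is "Prepare and Deploy Active Directory Federation Services (AD FS)"; lowercase "Deploy" in the second. The trailing context "PIN Reset" keeps title case while "Conditional Access" becomes "Conditional access" in the same hunk; change it to "PIN reset". Also, the pages moved under the new "Azure AD join" node (hello-hybrid-aadj-sso.md, hello-hybrid-aadj-sso-base.md, hello-hybrid-aadj-sso-cert.md) were previously grouped as "On-premises SSO for Azure AD Joined Devices"; confirm the shorter parent label still tells readers these are hybrid scenarios.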
@ -121,13 +121,13 @@
href: hello-feature-dynamic-lock.md
- name: Multi-factor Unlock
href: feature-multifactor-unlock.md
- name: Remote Desktop
- name: Remote desktop (RDP) sign-in
href: hello-feature-remote-desktop.md
- name: Troubleshooting
items:
- name: Known Deployment Issues
- name: Known deployment issues
href: hello-deployment-issues.md
- name: Errors During PIN Creation
- name: Errors during PIN creation
href: hello-errors-during-pin-creation.md
- name: Event ID 300 - Windows Hello successfully created
href: hello-event-300.md
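Review bot: "Multi-factor Unlock" (the context line just above "Remote desktop (RDP) sign-in") keeps title case while this hunk lowercases its neighbours; change it to "Multi-factor unlock".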
@ -135,7 +135,7 @@
href: hello-and-password-changes.md
- name: Reference
items:
- name: Technology and Terminology
- name: Technology and terminology
href: hello-how-it-works-technology.md
- name: Frequently Asked Questions (FAQ)
href: hello-faq.yml
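Review bot: "Frequently Asked Questions (FAQ)" is left in title case after this pass; change it to "Frequently asked questions (FAQ)" for consistency with "Technology and terminology", renamed in the same hunk.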