mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 21:33:38 +00:00
key trust updates
@ -1,13 +1,7 @@
---
title: Deploy certificates for remote desktop sign-in
description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: erikdau
ms.collection:
- M365-identity-device-management
- ContentEngagementFY23
ms.topic: how-to
localizationpriority: medium

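Review bot: six front-matter lines disappear in this hunk (the header goes from 13 lines to 7) and the only candidates in view besides title and description are ms.prod, author, ms.author, manager, ms.reviewer and the two-item ms.collection list, so before merging check that whatever is dropped is still supplied for this folder by the repo's global metadata; the ownership fields (author, ms.author, manager) are what the build uses to route feedback, and the rendered hunk doesn't mark which lines are the removed side, so this can't be verified from the diff alone. A smaller point: the title says "remote desktop sign-in" while the new TOC entry for the same page (hello-deployment-rdp-certs.md) says "RDP sign-in"; use one form in both places.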
@ -184,7 +184,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr

## Hybrid deployment

The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.

### Related to hybrid deployment


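Review bot: the rewritten sentence needs a serial comma ("cloud Kerberos trust, key trust, and certificate trust") to match the house style, and because the paragraph now names cloud Kerberos trust as a third trust type, the "### Related to hybrid deployment" list that immediately follows should gain a link to the cloud Kerberos trust deployment page (hello-hybrid-cloud-kerberos-trust.md, which this same change adds to the TOC) so the list and the paragraph agree.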
@ -4,11 +4,11 @@ description: How to Prepare and Deploy Windows Server 2016 Active Directory Fede
ms.date: 08/19/2018
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <b>On-premises deployment</b>
- ✅ <b>Key trust</b>
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust

[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]

Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration.

The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.

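Review bot: the new appliesto entry uses unquoted HTML attributes (`<a href=https://learn.microsoft.com/... target=_blank>`); quote them as `href="..." target="_blank"` so the anchor can't be mis-tokenized by the markdown processor, and the same applies to the identical entry added to the other key trust pages in this change. Two points in the surrounding lines: "Windows Information Database" in the last paragraph should be "Windows Internal Database (WID)", which is the actual name of the AD FS configuration store, and ms.date is still 08/19/2018 even though the page content changes; bump it.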
@ -4,15 +4,14 @@ description: Configure Windows Hello for Business Policy settings for Windows He
ms.date: 08/19/2018
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <b>On-premises deployment</b>
- ✅ <b>Key trust</b>
---
# Configure Windows Hello for Business Policy settings - Key Trust

You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]

Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
To run the Group Policy Management Console from a Windows client, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).

Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows client installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.

On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business


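Review bot: the new "Alternatively" paragraph carries over a missing word from the old one: "copy them their respective language folder" should be "copy them to their respective language folder". The replaced sentence also explained why the client version mattered (the newest Windows Hello for Business and PIN complexity Group Policy settings ship with newer ADMX files); the new sentence drops that rationale entirely, so consider keeping a short note that the ADMX templates must come from a current Windows client build. On current Windows clients, RSAT is installed as an optional feature (Features on Demand) rather than from the Download Center package linked here, so the link text should say so or point at the current install method. Finally, the trailing context line on this key trust page reads "On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting"; it should refer to key trust deployments and use "need".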
@ -4,12 +4,12 @@ description: How to Validate Active Directory prerequisites for Windows Hello fo
ms.date: 08/19/2018
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <b>On-premises deployment</b>
- ✅ <b>Key trust</b>
---
# Validate Active Directory prerequisites - Key Trust

Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]

Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.

> [!NOTE]
>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.

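Review bot: the note block in the trailing context has formatting and grammar issues worth fixing while the file is open: `>There was an issue` is missing the space after `>` that the `> [!NOTE]` line above it has, and the second sentence needs a comma ("If you're planning to use Windows Server 2019 domain controllers, refer to KB4487044"). The note also only says that "there was an issue" with key trust authentication; say what the reader will hit without the update and that the KB resolves it, so they can tell whether it applies to them, and drop the `en-us` locale segment from the support.microsoft.com URL so the link follows the reader's locale.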
@ -4,11 +4,11 @@ description: How to Validate and Deploy Multifactor Authentication (MFA) Service
ms.date: 08/19/2018
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <b>On-premises deployment</b>
- ✅ <b>Key trust</b>
---
# Validate and Deploy Multifactor Authentication (MFA)

[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]

> [!IMPORTANT]
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.


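Review bot: the IMPORTANT box in the trailing context is written in the future tense about a date that has passed: "As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments" should read "As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments", and "Existing customers who have activated MFA Server prior to July 1 will be able to download" should read "Existing customers who activated MFA Server before July 1, 2019 can download". Since this copy of the page is now badged "Key trust" only, also confirm that the certificate trust copy (hello-cert-trust-validate-deploy-mfa.md, renamed in the TOC by this same change) gets a matching appliesto block.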
@ -4,11 +4,11 @@ description: How to Validate Public Key Infrastructure for Windows Hello for Bus
ms.date: 08/19/2018
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <b>On-premises deployment</b>
- ✅ <b>Key trust</b>
---
# Validate and Configure Public Key Infrastructure - Key Trust

[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]

Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.

## Deploy an enterprise certificate authority

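Review bot: the trailing context sentence "The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller" has the trust relationship backwards and is worth correcting while this page is being edited: the domain controller's certificate is a leaf that chains to the enterprise CA, and the CA root certificate in the client's trust store is the actual root of trust; the DC certificate lets the client authenticate the KDC only because it chains to that trusted root. Suggest: "Each domain controller needs a certificate issued by the enterprise CA; clients use it, chained to the CA root they already trust, to verify they're communicating with a legitimate domain controller and not a rogue one." That wording also lines up with the "## Deploy an enterprise certificate authority" section that follows.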
@ -2,12 +2,12 @@
href: index.yml
- name: Overview
items:
- name: Windows Hello for Business Overview
- name: Windows Hello for Business overview
href: hello-overview.md
- name: Concepts
expanded: true
items:
- name: Passwordless Strategy
- name: Passwordless strategy
href: passwordless-strategy.md
- name: Why a PIN is better than a password
href: hello-why-pin-is-better-than-password.md
@ -15,7 +15,7 @@
href: hello-biometrics-in-enterprise.md
- name: How Windows Hello for Business works
href: hello-how-it-works.md
- name: Technical Deep Dive
- name: Technical deep dive
items:
- name: Provisioning
href: hello-how-it-works-provisioning.md
@ -25,93 +25,93 @@
href: webauthn-apis.md
- name: How-to Guides
items:
- name: Windows Hello for Business Deployment Overview
- name: Windows Hello for Business deployment overview
href: hello-deployment-guide.md
- name: Planning a Windows Hello for Business Deployment
- name: Planning a Windows Hello for Business deployment
href: hello-planning-guide.md
- name: Deployment Prerequisite Overview
- name: Deployment prerequisite overview
href: hello-identity-verification.md
- name: Prepare people to use Windows Hello
href: hello-prepare-people-to-use.md
- name: Deployment Guides
- name: Deployment guides
items:
- name: Hybrid Cloud Kerberos Trust Deployment
- name: Hybrid cloud Kerberos trust deployment
href: hello-hybrid-cloud-kerberos-trust.md
- name: Hybrid Azure AD Joined Key Trust
- name: Azure AD join
items:
- name: Hybrid Azure AD Joined Key Trust Deployment
- name: Cloud-only deployment
href: hello-aad-join-cloud-only-deploy.md
- name: On-premises SSO for Azure AD joined devices
href: hello-hybrid-aadj-sso.md
- name: Configure Azure AD joined devices for on-premises SSO
href: hello-hybrid-aadj-sso-base.md
- name: Using certificates for on-premises SSO
href: hello-hybrid-aadj-sso-cert.md
- name: Hybrid Azure AD join with key trust
items:
- name: Key trust deployment
href: hello-hybrid-key-trust.md
- name: Prerequisites
href: hello-hybrid-key-trust-prereqs.md
- name: New Installation Baseline
- name: New installation baseline
href: hello-hybrid-key-new-install.md
- name: Configure Directory Synchronization
- name: Configure directory synchronization
href: hello-hybrid-key-trust-dirsync.md
- name: Configure Azure Device Registration
- name: Configure Azure AD device registration
href: hello-hybrid-key-trust-devreg.md
- name: Configure Windows Hello for Business settings
href: hello-hybrid-key-whfb-settings.md
- name: Sign-in and Provisioning
- name: Sign-in and provisioning
href: hello-hybrid-key-whfb-provision.md
- name: Hybrid Azure AD Joined Certificate Trust
- name: Hybrid Azure AD join with certificate trust
items:
- name: Hybrid Azure AD Joined Certificate Trust Deployment
- name: Certificate trust deployment
href: hello-hybrid-cert-trust.md
- name: Prerequisites
href: hello-hybrid-cert-trust-prereqs.md
- name: New Installation Baseline
- name: New installation baseline
href: hello-hybrid-cert-new-install.md
- name: Configure Azure Device Registration
- name: Configure Azure AD device registration
href: hello-hybrid-cert-trust-devreg.md
- name: Configure Windows Hello for Business settings
href: hello-hybrid-cert-whfb-settings.md
- name: Sign-in and Provisioning
- name: Sign-in and provisioning
href: hello-hybrid-cert-whfb-provision.md
- name: On-premises SSO for Azure AD Joined Devices
- name: Active Directory domain join with key trust
items:
- name: On-premises SSO for Azure AD Joined Devices Deployment
href: hello-hybrid-aadj-sso.md
- name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
href: hello-hybrid-aadj-sso-base.md
- name: Using Certificates for AADJ On-premises Single-sign On
href: hello-hybrid-aadj-sso-cert.md
- name: On-premises Key Trust
items:
- name: On-premises Key Trust Deployment
- name: Key trust deployment
href: hello-deployment-key-trust.md
- name: Validate Active Directory Prerequisites
- name: Validate Active Directory prerequisites
href: hello-key-trust-validate-ad-prereq.md
- name: Validate and Configure Public Key Infrastructure
- name: Validate and configure Public Key Infrastructure (PKI)
href: hello-key-trust-validate-pki.md
- name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
- name: Prepare and deploy Active Directory Federation Services (AD FS)
href: hello-key-trust-adfs.md
- name: Validate and Deploy Multi-factor Authentication (MFA) Services
- name: Validate and deploy multi-factor authentication (MFA) services
href: hello-key-trust-validate-deploy-mfa.md
- name: Configure Windows Hello for Business policy settings
href: hello-key-trust-policy-settings.md
- name: On-premises Certificate Trust
- name: Active Directory domain join with certificate trust
items:
- name: On-premises Certificate Trust Deployment
- name: Certificate trust deployment
href: hello-deployment-cert-trust.md
- name: Validate Active Directory Prerequisites
- name: Validate Active Directory prerequisites
href: hello-cert-trust-validate-ad-prereq.md
- name: Validate and Configure Public Key Infrastructure
- name: Validate and configure Public Key Infrastructure (PKI)
href: hello-cert-trust-validate-pki.md
- name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
- name: Prepare and Deploy Active Directory Federation Services (AD FS)
href: hello-cert-trust-adfs.md
- name: Validate and Deploy Multi-factor Authentication (MFA) Services
- name: Validate and deploy multi-factor authentication (MFA) services
href: hello-cert-trust-validate-deploy-mfa.md
- name: Configure Windows Hello for Business policy settings
href: hello-cert-trust-policy-settings.md
- name: Azure AD join cloud only deployment
href: hello-aad-join-cloud-only-deploy.md
- name: Managing Windows Hello for Business in your organization
href: hello-manage-in-organization.md
- name: Deploying Certificates to Key Trust Users to Enable RDP
- name: Deploy certificates for RDP sign-in
href: hello-deployment-rdp-certs.md
- name: Windows Hello for Business Features
- name: Manage Windows Hello for Business in your organization
href: hello-manage-in-organization.md
- name: Windows Hello for Business features
items:
- name: Conditional Access
- name: Conditional access
href: hello-feature-conditional-access.md
- name: PIN Reset
href: hello-feature-pin-reset.md
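Review bot: several hrefs appear twice in this hunk and the rendered diff doesn't mark which copy is the removed side, so verify the final toc.yml has exactly one entry each for hello-aad-join-cloud-only-deploy.md ("Cloud-only deployment" vs "Azure AD join cloud only deployment"), hello-hybrid-aadj-sso.md, hello-hybrid-aadj-sso-base.md and hello-hybrid-aadj-sso-cert.md (the new "Azure AD join" group vs the old "On-premises SSO for Azure AD Joined Devices" entries), and hello-manage-in-organization.md ("Managing ..." vs "Manage ..."). Two further points: the sentence-case pass is inconsistent between the two on-premises groups, "Prepare and deploy Active Directory Federation Services (AD FS)" under key trust but "Prepare and Deploy Active Directory Federation Services (AD FS)" under certificate trust, and "PIN Reset" at the end is left in title case; and renaming "On-premises Key Trust" to "Active Directory domain join with key trust" drops the word on-premises that the pages' own appliesto badges ("On-premises deployment") still use, so either keep on-premises in the node name or update the badges to match.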
@ -121,23 +121,23 @@
href: hello-feature-dynamic-lock.md
- name: Multi-factor Unlock
href: feature-multifactor-unlock.md
- name: Remote Desktop
- name: Remote desktop (RDP) sign-in
href: hello-feature-remote-desktop.md
- name: Troubleshooting
items:
- name: Known Deployment Issues
href: hello-deployment-issues.md
- name: Errors During PIN Creation
href: hello-errors-during-pin-creation.md
- name: Event ID 300 - Windows Hello successfully created
href: hello-event-300.md
- name: Windows Hello and password changes
href: hello-and-password-changes.md
- name: Troubleshooting
items:
- name: Known deployment issues
href: hello-deployment-issues.md
- name: Errors during PIN creation
href: hello-errors-during-pin-creation.md
- name: Event ID 300 - Windows Hello successfully created
href: hello-event-300.md
- name: Windows Hello and password changes
href: hello-and-password-changes.md
- name: Reference
items:
- name: Technology and Terminology
- name: Technology and terminology
href: hello-how-it-works-technology.md
- name: Frequently Asked Questions (FAQ)
href: hello-faq.yml
- name: Windows Hello for Business videos
href: hello-videos.md
href: hello-videos.md

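Review bot: the sentence-case pass misses "Multi-factor Unlock" and "Frequently Asked Questions (FAQ)" in this hunk while renaming the entries around them ("Known deployment issues", "Errors during PIN creation", "Technology and terminology"); make them "Multi-factor unlock" and "Frequently asked questions (FAQ)" for consistency. Also, the whole Troubleshooting group appears twice with identical hrefs, once with the old names and once with the new, so confirm the old block is the removed side and not a leftover duplicate in the final toc.yml.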