deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 20:33:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update provisioning links in deployment documentation

Browse Source
This commit is contained in:
Paolo Matarazzo
2024-01-19 16:26:38 -05:00
parent b660f79165
commit 35847dfe5c
7 changed files with 28 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
View File

@ -96,8 +96,8 @@ The Windows Hello for Business provisioning process begins immediately after a u
To better understand the provisioning flows, review the following sequence diagrams based on the authentication type: To better understand the provisioning flows, review the following sequence diagrams based on the authentication type:
- [Microsoft Entra joined provisioning in a managed environment](../how-it-works-provisioning.md#microsoft-entra-joined-provisioning-in-a-managed-environment) - [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication)
- [Microsoft Entra joined provisioning in a federated environment](../how-it-works-provisioning.md#microsoft-entra-joined-provisioning-in-a-federated-environment) - [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication)
To better understand the authentication flows, review the following sequence diagram: To better understand the authentication flows, review the following sequence diagram:

6
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
View File

@ -124,9 +124,9 @@ The CA validates that the certificate is signed by the registration authority. O
To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type: To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type:
- [Microsoft Entra joined provisioning in a managed environment](../how-it-works-provisioning.md#microsoft-entra-joined-provisioning-in-a-managed-environment) - [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication)
- [Microsoft Entra joined provisioning in a federated environment](../how-it-works-provisioning.md#microsoft-entra-joined-provisioning-in-a-federated-environment) - [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication)
- [Microsoft Entra hybrid joined provisioning in a certificate trust deployment in a federated environment](../how-it-works-provisioning.md#microsoft-entra-hybrid-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment) - [Provisioning in a hybrid certificate trust deployment model with federated authentication](../how-it-works-provisioning.md#provisioning-in-a-hybrid-certificate-trust-deployment-model-with-federated-authentication)
To better understand the authentication flows, review the following sequence diagram: To better understand the authentication flows, review the following sequence diagram:

6
windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
View File

@ -153,9 +153,9 @@ After enrollment, Microsoft Entra Connect synchronizes the user's key from Micro
To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type: To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type:
- [Microsoft Entra joined provisioning in a managed environment](../how-it-works-provisioning.md#microsoft-entra-joined-provisioning-in-a-managed-environment) - [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication)
- [Microsoft Entra joined provisioning in a federated environment](../how-it-works-provisioning.md#microsoft-entra-joined-provisioning-in-a-federated-environment) - [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication)
- [Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a managed environment](../how-it-works-provisioning.md#microsoft-entra-hybrid-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment) - [Provisioning in a cloud Kerberos trust deployment model with managed authentication](../how-it-works-provisioning.md#provisioning-in-a-cloud-kerberos-trust-deployment-model-with-managed-authentication)
To better understand the authentication flows, review the following sequence diagram: To better understand the authentication flows, review the following sequence diagram:

6
windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
View File

@ -98,9 +98,9 @@ After enrollment, Microsoft Entra Connect synchronizes the user's key from Micro
To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type: To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type:
- [Microsoft Entra joined provisioning in a managed environment](../how-it-works-provisioning.md#microsoft-entra-joined-provisioning-in-a-managed-environment) - [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication)
- [Microsoft Entra joined provisioning in a federated environment](../how-it-works-provisioning.md#microsoft-entra-joined-provisioning-in-a-federated-environment) - [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication)
- [Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment](../how-it-works-provisioning.md#microsoft-entra-hybrid-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment) - [Provisioning in a hybrid key trust deployment model with managed authentication](../how-it-works-provisioning.md#provisioning-in-a-hybrid-key-trust-deployment-model-with-managed-authentication)
To better understand the authentication flows, review the following sequence diagram: To better understand the authentication flows, review the following sequence diagram:

2
windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md
View File

@ -79,7 +79,7 @@ The CA validates that the certificate is signed by the registration authority. O
To better understand the provisioning flows, review the following sequence diagram: To better understand the provisioning flows, review the following sequence diagram:
- [Domain joined provisioning in an On-premises Certificate Trust deployment](../how-it-works-provisioning.md#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment) - [Provisioning in an on-premises certificate trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-certificate-trust-deployment-model)
<!--links--> <!--links-->
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd [AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd

2
windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
View File

@ -56,6 +56,6 @@ This information is also available using the `dsregcmd.exe /status` command from
To better understand the provisioning flows, review the following sequence diagram: To better understand the provisioning flows, review the following sequence diagram:
- [Domain joined provisioning in an On-premises Key Trust deployment](../how-it-works-provisioning.md#domain-joined-provisioning-in-an-on-premises-key-trust-deployment) - [Provisioning in an on-premises key trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-key-trust-deployment-model)
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd [AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd

34
windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
View File

@ -17,10 +17,9 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
> [!NOTE] > [!NOTE]
> The flows in this section are not exhaustive for every possible scenario. For example, Federated Key Trust is also a supported configuration. > The flows in this section are not exhaustive for every possible scenario. For example, Federated Key Trust is also a supported configuration.
## Microsoft Entra joined provisioning in a managed environment ## Provisioning for Microsoft Entra joined devices with managed authentication
![Microsoft Entra joined provisioning in a managed environment.](images/howitworks/prov/entra-join-managed.png) :::image type="content" source="images/howitworks/prov/entra-join-managed.png" alt-text="Sequence diagram of the Windows Hello provisioning flow for Microsoft Entra joined devices with managed authentication." lightbox="images/howitworks/prov/entra-join-managed.png" border="false":::
[Full size image](images/howitworks/prov/entra-join-managed.png)
| Phase | Description | | Phase | Description |
|:-:|:-| |:-:|:-|
@ -28,10 +27,9 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). | | B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application, which signals the end of user provisioning and the application exits. | | C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application, which signals the end of user provisioning and the application exits. |
## Microsoft Entra joined provisioning in a federated environment ## Provisioning for Microsoft Entra joined devices with federated authentication
![Microsoft Entra joined provisioning in federated environment.](images/howitworks/prov/entra-join-federated.png) :::image type="content" source="images/howitworks/prov/entra-join-federated.png" alt-text="Sequence diagram of the Windows Hello provisioning flow for Microsoft Entra joined devices with federated authentication." lightbox="images/howitworks/prov/entra-join-federated.png" border="false":::
[Full size image](images/howitworks/prov/entra-join-federated.png)
| Phase | Description | | Phase | Description |
|:-:|:-| |:-:|:-|
@ -39,10 +37,9 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). | | B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns key ID to the application, which signals the end of user provisioning and the application exits. | | C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns key ID to the application, which signals the end of user provisioning and the application exits. |
## Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a managed environment ## Provisioning in a cloud Kerberos trust deployment model with managed authentication
![Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a Managed environment.](images/howitworks/prov/hybrid-entra-join-ckt.png) :::image type="content" source="images/howitworks/prov/hybrid-entra-join-ckt.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in a hybrid cloud Kerberos trust deployment model with managed authentication." lightbox="images/howitworks/prov/hybrid-entra-join-ckt.png" border="false":::
[Full size image](images/howitworks/prov/hybrid-entra-join-ckt.png)
| Phase | Description | | Phase | Description |
|:-:|:-| |:-:|:-|
@ -53,7 +50,9 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
> [!NOTE] > [!NOTE]
> Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Microsoft Entra ID to Active Directory. Users can immediately authenticate to Microsoft Entra ID and AD after provisioning their credential. > Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Microsoft Entra ID to Active Directory. Users can immediately authenticate to Microsoft Entra ID and AD after provisioning their credential.
## Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment ## Provisioning in a hybrid key trust deployment model with managed authentication
:::image type="content" source="images/howitworks/prov/hybrid-entra-join-managed-kt.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in a hybrid key trust deployment model with managed authentication." lightbox="images/howitworks/prov/hybrid-entra-join-managed-kt.png" border="false":::
![Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment.](images/howitworks/prov/hybrid-entra-join-managed-kt.png) ![Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment.](images/howitworks/prov/hybrid-entra-join-managed-kt.png)
[Full size image](images/howitworks/prov/hybrid-entra-join-managed-kt.png) [Full size image](images/howitworks/prov/hybrid-entra-join-managed-kt.png)
@ -68,10 +67,9 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
> [!IMPORTANT] > [!IMPORTANT]
> The newly provisioned user will not be able to sign in using Windows Hello for Business until Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory. > The newly provisioned user will not be able to sign in using Windows Hello for Business until Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory.
## Microsoft Entra hybrid joined provisioning in a synchronous certificate trust deployment in a federated environment ## Provisioning in a hybrid certificate trust deployment model with federated authentication
![Microsoft Entra hybrid joined provisioning in a synchronous Certificate trust deployment in a federated environment.](images/howitworks/prov/hybrid-entra-join-federated.png) :::image type="content" source="images/howitworks/prov/hybrid-entra-join-federated.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in a hybrid certificate trust deployment model with federated authentication." lightbox="images/howitworks/prov/hybrid-entra-join-federated.png" border="false":::
[Full size image](images/howitworks/prov/hybrid-entra-join-federated.png)
| Phase | Description | | Phase | Description |
|:-|:-| |:-|:-|
@ -86,10 +84,9 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
> [!IMPORTANT] > [!IMPORTANT]
> Synchronous certificate enrollment doesn't depend on Microsoft Entra Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Microsoft Entra Connect continues to synchronize the public key to Active Directory, but is not shown in this flow. > Synchronous certificate enrollment doesn't depend on Microsoft Entra Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Microsoft Entra Connect continues to synchronize the public key to Active Directory, but is not shown in this flow.
## Domain joined provisioning in an On-premises Key Trust deployment ## Provisioning in an on-premises key trust deployment model
![Domain joined provisioning in an On-premises Key Trust deployment.](images/howitworks/prov/onprem-kt.png) :::image type="content" source="images/howitworks/prov/onprem-kt.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in an on-premises key trust deployment model." lightbox="images/howitworks/prov/onprem-kt.png" border="false":::
[Full size image](images/howitworks/prov/onprem-kt.png)
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
@ -97,10 +94,9 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv).| | B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.| |C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
## Domain joined provisioning in an On-premises Certificate Trust deployment ## Provisioning in an on-premises certificate trust deployment model
![Domain joined provisioning in an On-premises Certificate Trust deployment.](images/howitworks/prov/onprem-ct.png) :::image type="content" source="images/howitworks/prov/onprem-ct.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in an on-premises certificate trust deployment model." lightbox="images/howitworks/prov/onprem-ct.png" border="false":::
[Full size image](images/howitworks/prov/onprem-ct.png)
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |