From ad7c23fb423ad6dd25f8a3a9b3c5ebbad27df06c Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Tue, 12 Oct 2021 18:01:36 -0700 Subject: [PATCH 01/11] adding new message around WHFB cloud trust --- .../hello-for-business/hello-deployment-guide.md | 5 ++++- .../identity-protection/hello-for-business/hello-faq.yml | 4 ++++ .../hello-for-business/hello-identity-verification.md | 5 ++++- .../identity-protection/hello-for-business/hello-overview.md | 3 +++ .../hello-for-business/hello-planning-guide.md | 3 +++ 5 files changed, 18 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 80a1ca91b3..4e7d1f7942 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -50,7 +50,10 @@ Do not begin your deployment until the hosting servers and infrastructure (not r ## Deployment and trust models -Windows Hello for Business has three deployment models: Cloud, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*. +Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*. + +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 735e563fb8..a11d68959d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -25,6 +25,10 @@ summary: | sections: - name: Ignored questions: + - question: What is Windows Hello for Business cloud trust? + answer: | + Windows Hello for Business cloud trust is a new trust model that is planned to be introduced in early 2022. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + - question: What about virtual smart cards? answer: | Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 3660d85201..26a25c7342 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -22,7 +22,7 @@ ms.date: 1/22/2021 This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business. -## Cloud Only Deployment +## Azure AD Cloud Only Deployment * Windows 10, version 1511 or later, or Windows 11 * Microsoft Azure Account @@ -35,6 +35,9 @@ This article lists the infrastructure requirements for the different deployment The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + | Key trust
Group Policy managed | Certificate trust
Mixed managed | Key trust
Modern managed | Certificate trust
Modern managed | | --- | --- | --- | --- | | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
*Minimum:* Windows 10, version 1703
*Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
**Azure AD Joined:**
Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index cd38c11105..b191dbc916 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -97,6 +97,9 @@ Windows Hello for Business can use either keys (hardware or software) or certifi Windows Hello for Business with a key does not support supplied credentials for RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + ## Learn more [Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/en-us/itshowcase/implementing-strong-user-authentication-with-windows-hello-for-business) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 617be85699..d0de57c65c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -95,6 +95,9 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](./hello-hybrid-cert-trust-prereqs.md#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. From 983e42ac90688abaa1d375d0122da7796af33557 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Tue, 12 Oct 2021 18:21:44 -0700 Subject: [PATCH 02/11] fixing reference to Azure AD cloud only deployment --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index aa4d0faa2f..8e5fd2f049 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -31,7 +31,7 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process. -The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). +The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment). Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge. From 3658e39021c2595afe94caf999f887a732128632 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:07:36 -0700 Subject: [PATCH 03/11] Correct slash location in self-closing BR tags --- .../hello-identity-verification.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 26a25c7342..1a9e16072a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -38,37 +38,37 @@ The table shows the minimum requirements for each deployment. For key trust in a > [!NOTE] > Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. -| Key trust
Group Policy managed | Certificate trust
Mixed managed | Key trust
Modern managed | Certificate trust
Modern managed | +| Key trust
Group Policy managed | Certificate trust
Mixed managed | Key trust
Modern managed | Certificate trust
Modern managed | | --- | --- | --- | --- | -| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
*Minimum:* Windows 10, version 1703
*Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
**Azure AD Joined:**
Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | +| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
*Minimum:* Windows 10, version 1703
*Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
**Azure AD Joined:**
Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
and
Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | -| Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | +| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
and
Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | +| Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | | Azure Account | Azure Account | Azure Account | Azure Account | | Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory | | Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect | | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | > [!Important] -> 1. Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
-> **Requirements:**
-> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
+> 1. Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
+> **Requirements:**
+> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 > -> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
-> **Requirements:**
-> Reset from settings - Windows 10, version 1703, Professional
-> Reset above lock screen - Windows 10, version 1709, Professional
+> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
+> **Requirements:**
+> Reset from settings - Windows 10, version 1703, Professional
+> Reset above lock screen - Windows 10, version 1709, Professional
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ## On-premises Deployments The table shows the minimum requirements for each deployment. -| Key trust
Group Policy managed | Certificate trust
Group Policy managed| +| Key trust
Group Policy managed | Certificate trust
Group Policy managed| | --- | --- | | Windows 10, version 1703 or later | Windows 10, version 1703 or later | | Windows Server 2016 Schema | Windows Server 2016 Schema| From f57263c1a54e3e1826d6b43db7f435bd36d4eb63 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:09:31 -0700 Subject: [PATCH 04/11] Add bullets to vertical lists --- .../hello-identity-verification.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 1a9e16072a..065df8dd49 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -54,15 +54,15 @@ The table shows the minimum requirements for each deployment. For key trust in a > [!Important] > 1. Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
-> **Requirements:**
-> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
-> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> **Requirements:** +> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 > > 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
-> **Requirements:**
-> Reset from settings - Windows 10, version 1703, Professional
-> Reset above lock screen - Windows 10, version 1709, Professional
-> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> **Requirements:** +> - Reset from settings - Windows 10, version 1703, Professional +> - Reset above lock screen - Windows 10, version 1709, Professional +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ## On-premises Deployments From 2a14c0b54de61760c79f38009ff9e24409be42d1 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:11:41 -0700 Subject: [PATCH 05/11] Replace numbers with bullets in unordered list --- .../hello-identity-verification.md | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 065df8dd49..641d92045a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -53,16 +53,18 @@ The table shows the minimum requirements for each deployment. For key trust in a | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | > [!Important] -> 1. Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
-> **Requirements:** -> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 -> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> - Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. > -> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
-> **Requirements:** -> - Reset from settings - Windows 10, version 1703, Professional -> - Reset above lock screen - Windows 10, version 1709, Professional -> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> **Requirements:** +> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> +> - On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. + +> **Requirements:** +> - Reset from settings - Windows 10, version 1703, Professional +> - Reset above lock screen - Windows 10, version 1709, Professional +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ## On-premises Deployments From 86f28739efab1a49050d1e284e437c25fae93787 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:14:09 -0700 Subject: [PATCH 06/11] Add lightbox functionality for legibility --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index b191dbc916..72fda09ca8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -70,7 +70,7 @@ In Windows 10, Windows Hello replaces passwords. When the identity provider sup >[!NOTE] >Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. -![How authentication works in Windows Hello.](images/authflow.png) +:::image type="content" alt-text="How authentication works in Windows Hello." source="images/authflow.png" lightbox="images/authflow.png"::: Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. From cae6cc2ccd6124169492945c64cfa242e890eaea Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:15:05 -0700 Subject: [PATCH 07/11] Add blank lines for readability --- .../hello-for-business/hello-overview.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 72fda09ca8..33d820a1a7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -81,12 +81,19 @@ Windows Hello helps protect user identities and user credentials. Because the us ## How Windows Hello for Business works: key points - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. + - Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step. + - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. + - Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture does not roam between devices and is not shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared. + - The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. + - PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. + - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. + - Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture. For details, see [How Windows Hello for Business works](hello-how-it-works.md). From c58fe7af5e8cb4d4d6e79e8517d7a00f4fa76404 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:16:27 -0700 Subject: [PATCH 08/11] Correct slash location in self-closing BR tags --- .../hello-for-business/hello-planning-guide.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index d0de57c65c..611f55ea0d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -74,19 +74,19 @@ The hybrid deployment model is for organizations that: - Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources > [!Important] -> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
-> **Requirements:**
-> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
+> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
+> **Requirements:**
+> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ##### On-premises The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory. > [!Important] -> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
-> **Requirements:**
-> Reset from settings - Windows 10, version 1703, Professional
-> Reset above lock screen - Windows 10, version 1709, Professional
+> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
+> **Requirements:**
+> Reset from settings - Windows 10, version 1703, Professional
+> Reset above lock screen - Windows 10, version 1709, Professional
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. From ab5f819050520acff45c400cab109a4e06695328 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:17:54 -0700 Subject: [PATCH 09/11] Add bullets to vertical lists --- .../hello-for-business/hello-planning-guide.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 611f55ea0d..c8d18101d8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -75,19 +75,19 @@ The hybrid deployment model is for organizations that: > [!Important] > Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
-> **Requirements:**
-> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
-> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> **Requirements:** +> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ##### On-premises The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory. > [!Important] > On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
-> **Requirements:**
-> Reset from settings - Windows 10, version 1703, Professional
-> Reset above lock screen - Windows 10, version 1709, Professional
-> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> **Requirements:** +> - Reset from settings - Windows 10, version 1703, Professional +> - Reset above lock screen - Windows 10, version 1709, Professional +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. From 15e39694808a7d8ac40737f67c7129d36419e696 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:19:13 -0700 Subject: [PATCH 10/11] Removed unnecessary BR tags --- .../hello-for-business/hello-planning-guide.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index c8d18101d8..8aada054b6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -74,7 +74,8 @@ The hybrid deployment model is for organizations that: - Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources > [!Important] -> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
+> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. +> > **Requirements:** > - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 > - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 @@ -83,7 +84,8 @@ The hybrid deployment model is for organizations that: The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory. > [!Important] -> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
+> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. +> > **Requirements:** > - Reset from settings - Windows 10, version 1703, Professional > - Reset above lock screen - Windows 10, version 1709, Professional From 88129581d474fce062c5e20061069da4b290f681 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:26:24 -0700 Subject: [PATCH 11/11] Added missing angle bracket --- .../hello-for-business/hello-identity-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 641d92045a..92c2b72d61 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -60,7 +60,7 @@ The table shows the minimum requirements for each deployment. For key trust in a > - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 > > - On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. - +> > **Requirements:** > - Reset from settings - Windows 10, version 1703, Professional > - Reset above lock screen - Windows 10, version 1709, Professional