deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 20:03:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

final tweeks

Browse Source
This commit is contained in:
Mike Stephens
2017-10-23 19:43:52 -07:00
parent 16ad3d32a0
commit 41b3a59244
6 changed files with 14 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
View File

@ -16,7 +16,6 @@ ms.date: 09/08/2017
**Applies to** **Applies to**
- Windows 10 - Windows 10
>[!IMPORTANT]
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
You're environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. You're environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.

4
windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
View File

@ -48,7 +48,9 @@ The provisioning flow has all the information it needs to complete the Windows H
The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory.
> [!IMPORTANT] > [!IMPORTANT]
> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has synchronized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use. > The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
> **This synchronization latency delays the the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
> [!NOTE] > [!NOTE]
> Microsoft is actively investigating ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time. > Microsoft is actively investigating ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time.

8
windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
View File

@ -38,7 +38,7 @@ Domain controllers automatically request a certificate from the *Domain Controll
To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU.
#### Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object #### Create a Domain Controller Automatic Certificate Enrollment Group Policy object
Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
@ -49,7 +49,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. 5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**.
6. In the navigation pane, expand **Policies** under **Computer Configuration**. 6. In the navigation pane, expand **Policies** under **Computer Configuration**.
7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. 7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
8. In the details pane, right-click **Certificate Services Client <EFBFBD> Auto-Enrollment** and select **Properties**. 8. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**.
9. Select **Enabled** from the **Configuration Model** list. 9. Select **Enabled** from the **Configuration Model** list.
10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. 10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
11. Select the **Update certificates that use certificate templates** check box. 11. Select the **Update certificates that use certificate templates** check box.
@ -60,7 +60,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
1. Start the **Group Policy Management Console** (gpmc.msc) 1. Start the **Group Policy Management Console** (gpmc.msc)
2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO<EFBFBD>** 2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO**
3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. 3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
### Windows Hello for Business Group Policy ### Windows Hello for Business Group Policy
@ -128,7 +128,7 @@ The best way to deploy the Windows Hello for Business Group Policy object is to
The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business.
1. Start the **Group Policy Management Console** (gpmc.msc) 1. Start the **Group Policy Management Console** (gpmc.msc)
2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO<EFBFBD>** 2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO**
3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. 3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object.

2
windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
View File

@ -18,7 +18,7 @@ ms.date: 10/20/2017
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. Configure the appropriate security groups to effeiciently deploy Windows Hello for Business to users.
### Creating Security Groups ### Creating Security Groups

2
windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
View File

@ -129,7 +129,7 @@ The default Windows Hello for Business enables users to enroll and use biometric
PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
>[IMPORTANT] >[!IMPORTANT]
> Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor. > Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor.
Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:

10
windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
View File

@ -21,13 +21,13 @@ ms.date: 09/08/2017
You are ready to configure your hybrid key trust environment for Windows Hello for Business. You are ready to configure your hybrid key trust environment for Windows Hello for Business.
> [!IMPORTANT] > [!IMPORTANT]
> Ensure your environmenet meets all the [prerequistes](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment. > Ensure your environment meets all the [prerequistes](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment.
The configuration for Windows Hello for Business is grouped in four categories. These categories are: The configuration for Windows Hello for Business is grouped in four categories. These categories are:
* [Active Directory](hello-hybrid-cert-whfb-settings-ad.md) * [Active Directory](hello-hybrid-key-whfb-settings-ad.md)
* [Public Key Infrastructure](hello-hybrid-cert-whfb-settings-pki.md) * [Azure AD Connect](hello-hybrid-key-whfb-settings-dir-sync.md)
* [Active Directory Federation Services](hello-hybrid-cert-whfb-settings-adfs.md) * [Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md)
* [Group Policy](hello-hybrid-cert-whfb-settings-policy.md) * [Group Policy](hello-hybrid-key-whfb-settings-policy.md)
For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration