deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-24 14:53:44 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Fixing Suggestions

Browse Source 
Suggestions such as alt text, duplicated h1s and h2s, duplicated descriptions etc
This commit is contained in:
Alekhya Jupudi
2021-09-07 15:31:02 +05:30
parent 855ef33cb4
commit 4806cb6322
5 changed files with 34 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -47,7 +47,7 @@ You need to install and configure additional infrastructure to provide Azure AD
- An existing Windows Server 2012 R2 or later Enterprise Certificate Authority - An existing Windows Server 2012 R2 or later Enterprise Certificate Authority
- A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role
### High Availaibilty ### High Availability
The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority.
The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion). The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion).
@ -416,11 +416,11 @@ Sign-in a workstation with access equivalent to a _domain user_.
6. Start **AADApplicationProxyConnectorInstaller.exe**. 6. Start **AADApplicationProxyConnectorInstaller.exe**.
7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**.
![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-01.png) ![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png)
8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**. 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-02.png) ![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png)
9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**. 9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**.
![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-03.png) ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png)
10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.
#### Create a Connector Group #### Create a Connector Group
@ -480,12 +480,12 @@ Sign-in the NDES server with access equivalent to _local administrator_.
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
![NDES IIS Console.](images/aadjcert/ndes-iis-console.png) ![NDES IIS Console](images/aadjcert/ndes-iis-console.png)
3. Click **Bindings...*** under **Actions**. Click **Add**. 3. Click **Bindings...*** under **Actions**. Click **Add**.
![NDES IIS Console.](images/aadjcert/ndes-iis-bindings.png) ![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png)
4. Select **https** from **Type**. Confirm the value for **Port** is **443**. 4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. 5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**.
![NDES IIS Console.](images/aadjcert/ndes-iis-bindings-add-443.png) ![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png)
6. Select **http** from the **Site Bindings** list. Click **Remove**. 6. Select **http** from the **Site Bindings** list. Click **Remove**.
7. Click **Close** on the **Site Bindings** dialog box. 7. Click **Close** on the **Site Bindings** dialog box.
8. Close **Internet Information Services (IIS) Manager**. 8. Close **Internet Information Services (IIS) Manager**.
@ -511,10 +511,10 @@ Sign-in the NDES server with access equivalent to _local administrator_.
A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01.png) ![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png)
Confirm the web site uses the server authentication certificate. Confirm the web site uses the server authentication certificate.
![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01-show-cert.png) ![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png)
## Configure Network Device Enrollment Services to work with Microsoft Intune ## Configure Network Device Enrollment Services to work with Microsoft Intune

34
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
View File

@ -115,14 +115,14 @@ When you are ready to install, follow the **Configuring federation with AD FS**
### Create AD objects for AD FS Device Authentication ### Create AD objects for AD FS Device Authentication
If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.
![Device Registration.](images/hybridct/device1.png) ![Device Registration: AD FS](images/hybridct/device1.png)
> [!NOTE] > [!NOTE]
> The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. > The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1.
1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. 1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**.
![Device Registration.](images/hybridct/device2.png) ![Device Registration: Overview](images/hybridct/device2.png)
2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands:
@ -133,7 +133,7 @@ If your AD FS farm is not already configured for Device Authentication (you can
> [!NOTE] > [!NOTE]
> If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$"
![Device Registration.](images/hybridct/device3.png) ![Device Registration: Domain](images/hybridct/device3.png)
The above PSH creates the following objects: The above PSH creates the following objects:
@ -141,11 +141,11 @@ The above PSH creates the following objects:
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration - Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration
![Device Registration.](images/hybridct/device4.png) ![Device Registration: Tests](images/hybridct/device4.png)
4. Once this is done, you will see a successful completion message. 4. Once this is done, you will see a successful completion message.
![Device Registration.](images/hybridct/device5.png) ![Device Registration: Completion](images/hybridct/device5.png)
### Create Service Connection Point (SCP) in Active Directory ### Create Service Connection Point (SCP) in Active Directory
If you plan to use Windows domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS If you plan to use Windows domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS
@ -156,13 +156,13 @@ If you plan to use Windows domain join (with automatic registration to Azure AD)
> [!NOTE] > [!NOTE]
> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep
![Device Registration.](images/hybridct/device6.png) ![Device Registration AdPrep](images/hybridct/device6.png)
2. Provide your Azure AD global administrator credentials 2. Provide your Azure AD global administrator credentials
`PS C:>$aadAdminCred = Get-Credential` `PS C:>$aadAdminCred = Get-Credential`
![Device Registration.](images/hybridct/device7.png) ![Device Registration: Credential](images/hybridct/device7.png)
3. Run the following PowerShell command 3. Run the following PowerShell command
@ -239,6 +239,7 @@ The definition helps you to verify whether the values are present or if you need
**`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this: **`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this:
```
@RuleName = "Issue account type for domain-joined computers" @RuleName = "Issue account type for domain-joined computers"
c:[ c:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
@ -249,11 +250,13 @@ The definition helps you to verify whether the values are present or if you need
Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value = "DJ" Value = "DJ"
); );
```
#### Issue objectGUID of the computer account on-premises #### Issue objectGUID of the computer account on-premises
**`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: **`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
```
@RuleName = "Issue object GUID for domain-joined computers" @RuleName = "Issue object GUID for domain-joined computers"
c1:[ c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
@ -271,11 +274,13 @@ The definition helps you to verify whether the values are present or if you need
query = ";objectguid;{0}", query = ";objectguid;{0}",
param = c2.Value param = c2.Value
); );
```
#### Issue objectSID of the computer account on-premises #### Issue objectSID of the computer account on-premises
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: **`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
```
@RuleName = "Issue objectSID for domain-joined computers" @RuleName = "Issue objectSID for domain-joined computers"
c1:[ c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
@ -288,11 +293,13 @@ The definition helps you to verify whether the values are present or if you need
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
=> issue(claim = c2); => issue(claim = c2);
```
#### Issue issuerID for computer when multiple verified domain names in Azure AD #### Issue issuerID for computer when multiple verified domain names in Azure AD
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. **`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
```
@RuleName = "Issue account type with the value User when it is not a computer" @RuleName = "Issue account type with the value User when it is not a computer"
NOT EXISTS( NOT EXISTS(
@ -334,7 +341,7 @@ The definition helps you to verify whether the values are present or if you need
Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
Value = "http://<verified-domain-name>/adfs/services/trust/" Value = "http://<verified-domain-name>/adfs/services/trust/"
); );
```
In the claim above, In the claim above,
@ -342,12 +349,13 @@ In the claim above,
- `<verified-domain-name>` is a placeholder you need to replace with one of your verified domain names in Azure AD - `<verified-domain-name>` is a placeholder you need to replace with one of your verified domain names in Azure AD
For more details about verified domain names, see [Add a custom domain name to Azure Active Directory](/azure/active-directory/active-directory-add-domain). For more details about verified domain names, see [Add a custom domain name to Azure Active Directory](/azure/active-directory/active-directory-add-domain).
To get a list of your verified company domains, you can use the [Get-MsolDomain](/powershell/module/msonline/get-msoldomain?view=azureadps-1.0) cmdlet. To get a list of your verified company domains, you can use the [Get-MsolDomain](/powershell/module/msonline/get-msoldomain?view=azureadps-1.0&preserve-view=true) cmdlet.
#### Issue ImmutableID for computer when one for users exist (e.g. alternate login ID is set) #### Issue ImmutableID for computer when one for users exist (e.g. alternate login ID is set)
**`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows: **`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows:
```
@RuleName = "Issue ImmutableID for computers" @RuleName = "Issue ImmutableID for computers"
c1:[ c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
@ -365,11 +373,13 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain]
query = ";objectguid;{0}", query = ";objectguid;{0}",
param = c2.Value param = c2.Value
); );
```
#### Helper script to create the AD FS issuance transform rules #### Helper script to create the AD FS issuance transform rules
The following script helps you with the creation of the issuance transform rules described above. The following script helps you with the creation of the issuance transform rules described above.
```
$multipleVerifiedDomainNames = $false $multipleVerifiedDomainNames = $false
$immutableIDAlreadyIssuedforUsers = $false $immutableIDAlreadyIssuedforUsers = $false
$oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains
@ -488,9 +498,9 @@ The following script helps you with the creation of the issuance transform rules
$crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules
Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString
```
#### Remarks
#### Remarks
- This script appends the rules to the existing rules. Do not run the script twice because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again. - This script appends the rules to the existing rules. Do not run the script twice because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again.
@ -518,7 +528,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
- Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt; - Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
- Container Device Registration Service DKM under the above container - Container Device Registration Service DKM under the above container
![Device Registration.](images/hybridct/device8.png) ![Device Registration: Container](images/hybridct/device8.png)
- object of type serviceConnectionpoint at CN=&lt;guid&gt;, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt; - object of type serviceConnectionpoint at CN=&lt;guid&gt;, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
- read/write access to the specified AD connector account name on the new object - read/write access to the specified AD connector account name on the new object

2
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
View File

@ -17,7 +17,7 @@ ms.date: 4/30/2021
ms.reviewer: ms.reviewer:
--- ---
# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization # Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization
**Applies to** **Applies to**
- Windows 10, version 1703 or later - Windows 10, version 1703 or later

2
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
View File

@ -17,7 +17,7 @@ ms.date: 4/30/2021
ms.reviewer: ms.reviewer:
--- ---
# Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure # Configure Hybrid Azure AD joined Windows Hello for Busines - Public Key Infrastructure
**Applies to** **Applies to**

2
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
View File

@ -16,7 +16,7 @@ localizationpriority: medium
ms.date: 4/30/2021 ms.date: 4/30/2021
ms.reviewer: ms.reviewer:
--- ---
# Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy # Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
**Applies to** **Applies to**
- Windows 10, version 1703 or later - Windows 10, version 1703 or later