mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 18:33:43 +00:00
fixing metadata and some other stuff
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Configuring Windows Hello for Business - Hybrid - Active Directory
|
||||
description: Configuring Windows Hello for Business - Hybrid - Active Directory
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB
|
||||
title: Configuring Hybrid Windows Hello for Business - Active Directory (AD)
|
||||
description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB, ad
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
@ -15,15 +15,15 @@ ms.author: mstephen
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
> This guide only applies to Windows 10, version 1703 or higher.
|
||||
|
||||
>[!div class="step-by-step"]
|
||||
[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md)
|
||||
[ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md)
|
||||
|
||||
The key synchronizaqtion process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema.
|
||||
The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
|
||||
>
|
||||
>If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema**.
|
||||
|
||||
## Upgrading Active Directory to the Windows Server 2016 Schema
|
||||
|
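Review bot: The step-by-step links at the top of this page still carry the old naming ("Configure Windows Hello for Business", "Configure Windows Hello for Business: PKI") while the front matter in this same commit retitles the pages to "Configuring Hybrid Windows Hello for Business - ...". Consider aligning the link labels with the new titles. The [!IMPORTANT] block also points readers at **Upgrading Active Directory to the Windows Server 2016 Schema** by bold text only; if the intent is to let them skip past it, name or link the section they should continue with.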
@ -1,25 +1,25 @@
|
||||
---
|
||||
title: Configure Windows Hello for Business: Active Directory Federation Services
|
||||
description: Configure Windows Hello for Business: Active Directory Federation Services
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB
|
||||
title: Configuring Hybrid Windows Hello for Business - Active Directory Federation Services (ADFS)
|
||||
description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB, adfs
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security, mobile
|
||||
author: DaniHalfin
|
||||
ms.author: mstephen
|
||||
localizationpriority: high
|
||||
author: mikestephens-MS
|
||||
ms.author: mstephen
|
||||
---
|
||||
# Configure Windows Hello for Business: Active Directory Federation Services
|
||||
|
||||
**Applies to**
|
||||
- Windows<EFBFBD>10
|
||||
|
||||
> This guide only applies to Windows 10, version 1703 or higher.
|
||||
|
||||
- Windows10
|
||||
|
||||
## Federation Services
|
||||
|
||||
>[!IMPORTANT]
|
||||
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
|
||||
|
||||
The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
|
||||
|
||||
The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
|
||||
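Review bot: The "Applies to" bullet in this file now reads "Windows10" with no space, whereas the other files in this commit read "Windows 10"; the space looks to have been lost when the bad character was removed. In the same hunk the first body paragraph still says "Active Directory Fedeartion Server", which is worth fixing while the file is open (Federation).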
@ -42,7 +42,7 @@ The `Set-AdfsCertificateAuthority` cmdlet should show the following warning:
|
||||
This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in.
|
||||
|
||||
>[!NOTE]
|
||||
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It<49>s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
|
||||
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It<49>s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
|
||||
|
||||
|
||||
### Group Memberships for the AD FS Service Account
|
||||
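Review bot: The old and new versions of the [!NOTE] line read identically here, including the mis-encoded apostrophe in "It's", so it is not clear the encoding problem is resolved; please confirm the file is saved as UTF-8 and that the apostrophe renders. In the same sentence **WHFBEnrollmentAgent** is bold but WHFBAuthentication is not; both are template names the reader has to substitute and should be formatted the same way.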
@ -54,11 +54,11 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
|
||||
1. Open **Active Directory Users and Computers**.
|
||||
2. Click the **Users** container in the navigation pane.
|
||||
3. Right-click **KeyCredential Admins** in the details pane and click **Properties**.
|
||||
4. Click the **Members** tab and click **Add<64>**
|
||||
4. Click the **Members** tab and click **Add<64>**
|
||||
5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**.
|
||||
6. Click **OK** to return to **Active Directory Users and Computers**.
|
||||
7. Right-click **Windows Hello for Business Users** group
|
||||
8. Click the **Members** tab and click **Add<64>**
|
||||
8. Click the **Members** tab and click **Add<64>**
|
||||
9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**.
|
||||
10. Click **OK** to return to **Active Directory Users and Computers**.
|
||||
11. Change to server hosting the AD FS role and restart it.
|
||||
|
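Review bot: Step 7 ("Right-click **Windows Hello for Business Users** group") never tells the reader to click **Properties**, so step 8's **Members** tab has nothing to open from; step 3 shows the complete form for the KeyCredential Admins group. Step 11 ("Change to server hosting the AD FS role and restart it") would read better as "Switch to the server hosting the AD FS role and restart it". The "Add" button label in steps 4 and 8 still shows a garbled trailing character in both the old and new lines.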
@ -1,21 +1,19 @@
|
||||
---
|
||||
title: Configure Windows Hello for Business: Directory Synchronization
|
||||
description: Configure Windows Hello for Business: Directory Synchronization
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB
|
||||
title: Configuring Hybrid Windows Hello for Business - Directory Synchronization
|
||||
description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security, mobile
|
||||
author: DaniHalfin
|
||||
ms.author: mstephen
|
||||
localizationpriority: high
|
||||
author: mikestephens-MS
|
||||
ms.author: mstephen
|
||||
---
|
||||
# Configure Windows Hello for Business: Directory Synchronization
|
||||
|
||||
**Applies to**
|
||||
- Windows<EFBFBD>10
|
||||
|
||||
> This guide only applies to Windows 10, version 1703 or higher.
|
||||
- Windows 10
|
||||
|
||||
## Directory Syncrhonization
|
||||
|
||||
|
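Review bot: The H2 at the end of this hunk is still spelled "Directory Syncrhonization". Since the commit fixes the same kind of typo elsewhere ("synchronizaqtion" in the Active Directory page), correct this heading to "Directory Synchronization" as well.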
@ -1,27 +1,27 @@
|
||||
---
|
||||
title: Configure Windows Hello for Business: Public Key Infrastructure(Windows Hello for Business)
|
||||
description: Configure Windows Hello for Business: Public Key Infrastructure
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB
|
||||
title: Configuring Hybrid Windows Hello for Business - Public Key Infrastructure (PKI)
|
||||
description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security, mobile
|
||||
author: DaniHalfin
|
||||
ms.author: mstephen
|
||||
localizationpriority: high
|
||||
author: mikestephens-MS
|
||||
ms.author: mstephen
|
||||
---
|
||||
|
||||
# Configure Windows Hello for Business: Public Key Infrastructure
|
||||
|
||||
**Applies to**
|
||||
- Windows<EFBFBD>10
|
||||
|
||||
> This guide only applies to Windows 10, version 1703 or higher.
|
||||
- Windows 10
|
||||
|
||||
> [!div class="step-by-step"]
|
||||
[< Configure Windows Hello for Business: Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
|
||||
[ Configure Windows Hello for Business: ADFS >](hello-hybrid-cert-whfb-settings-adfs.md)
|
||||
|
||||
>[!IMPORTANT]
|
||||
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
|
||||
|
||||
Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer.
|
||||
|
||||
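Review bot: The opening paragraph at the end of this hunk has several errors left in it: "Hybrid deployments uses", "certifcates", "encyrpt", and "the data that flows them and the client computer" (a word such as "between" is missing). Suggested wording: "Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer."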
@ -47,15 +47,15 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
|
||||
2. Right-click **Certificate Templates** and click **Manage**.
|
||||
3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
|
||||
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
|
||||
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise<73>s needs.
|
||||
**Note**If you use different template names, you<6F>ll need to remember and substitute these names in different portions of the lab.
|
||||
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise<73>s needs.
|
||||
**Note**If you use different template names, you<6F>ll need to remember and substitute these names in different portions of the lab.
|
||||
6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
|
||||
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
|
||||
8. Close the console.
|
||||
|
||||
#### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template
|
||||
|
||||
Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers<72>the domain controller certificate template. Later releases provided a new certificate template<74>the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
|
||||
Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers<72>the domain controller certificate template. Later releases provided a new certificate template<74>the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
|
||||
|
||||
The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later).
|
||||
|
||||
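Review bot: The H4 "Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template" should read "Superseding"; the next hunk header confirms the section is about templates that supersede others. In step 5, "**Note**If you use different template names" is missing a separator after the label and still says "portions of the lab", while the equivalent note later in this file says "portions of the deployment". The possessives and dashes in the changed lines ("enterprise's", "you'll", "domain controllers ... the domain controller certificate template") still show garbled characters in both old and new versions.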
@ -79,7 +79,7 @@ The certificate template is configured to supersede all the certificate template
|
||||
|
||||
Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
|
||||
|
||||
Approximately 60 days prior to enrollment agent certificate<74>s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
|
||||
Approximately 60 days prior to enrollment agent certificate<74>s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Follow the procedures below based on the AD FS service account used in your environment.
|
||||
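Review bot: The renewal paragraph tells the reader to "view the AD FS event logs to determine the status of the enrollment agent certificate" but does not say which log to open or what a successful or failed renewal looks like there. Since a failed renewal stops Windows Hello certificate issuance, name the log location so operators can alert on it. Minor: "prior to enrollment agent certificate's expiration" is missing "the".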
@ -92,7 +92,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
|
||||
2. Right-click **Certificate Templates** and click **Manage**.
|
||||
3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**.
|
||||
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
|
||||
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise<73>s needs.
|
||||
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise<73>s needs.
|
||||
6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
|
||||
**Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
|
||||
|
||||
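Review bot: The note under step 6 explains why **Supply in the request** is required for Group Managed Service Accounts, but it does not mention that this setting lets the requester choose the certificate subject. For an enrollment agent template that makes the enroll permission the only control, so the note should also tell readers to keep enrollment on this template limited to the AD FS service account, unless the Security tab step that follows this hunk already says so. Step 3 is also garbled: "right click on the **Exchange Enrollment Agent (Offline request)** template details pane" should be "right-click the ... template in the details pane".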
@ -111,7 +111,7 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e
|
||||
2. Right-click **Certificate Templates** and click **Manage**.
|
||||
3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**.
|
||||
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
|
||||
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise<73>s needs.
|
||||
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise<73>s needs.
|
||||
6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
|
||||
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
|
||||
8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**.
|
||||
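Review bot: Step 3 here duplicates the **Exchange Enrollment Agent** template, while the GMSA procedure in the previous hunk duplicates **Exchange Enrollment Agent (Offline request)**. Please confirm which template name is intended and use it in both procedures, since they are distinct templates in the console. In step 8 the bold span "**Enter the object names to select text box**" swallows the words "text box"; the AD FS page formats the same label as "**Enter the object names to select** text box".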
@ -128,8 +128,8 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq
|
||||
2. Right-click **Certificate Templates** and click **Manage**.
|
||||
3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
|
||||
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
|
||||
5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise<73>s needs.
|
||||
**Note:** If you use different template names, you<6F>ll need to remember and substitute these names in different portions of the deployment.
|
||||
5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise<73>s needs.
|
||||
**Note:** If you use different template names, you<6F>ll need to remember and substitute these names in different portions of the deployment.
|
||||
6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
|
||||
7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
|
||||
8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box.
|
||||
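Review bot: Step 8 has misplaced emphasis: "select the T**his number of authorized signatures** check box" should be "select the **This number of authorized signatures** check box". This is the step that enforces the enrollment-agent signature requirement, so it is worth getting the control name exactly right. The note under step 5 still shows garbled apostrophes in "enterprise's" and "you'll" in both the old and new lines.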
@ -145,10 +145,10 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq
|
||||
|
||||
Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials.
|
||||
1. Open an elevated command prompt.
|
||||
2. Run `certutil <20>dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`
|
||||
2. Run `certutil <20>dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`
|
||||
|
||||
>[!NOTE]
|
||||
>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It<49>s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
|
||||
>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It<49>s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
|
||||
Publish Templates
|
||||
|
||||
### Publish Certificate Templates to a Certificate Authority
|
||||
|
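Review bot: In step 2 the character before dsTemplate in the certutil command is garbled in both the old and new lines. If it is anything other than an ASCII hyphen, a reader who copies the command will get a failure, so write it as `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` and confirm it renders that way. Also in this hunk: a stray "Publish Templates" line sits directly above the "### Publish Certificate Templates to a Certificate Authority" heading, and the note says "on our Windows Server 2012 or later certificate authority" where the AD FS page says "on a".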
@ -1,25 +1,25 @@
|
||||
---
|
||||
title: Configure Windows Hello for Business: Group Policy
|
||||
description: Configure Windows Hello for Business: Group Policy
|
||||
title: Configuring Hybrid Windows Hello for Business - Group Policy
|
||||
description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security, mobile
|
||||
author: DaniHalfin
|
||||
ms.author: mstephen
|
||||
localizationpriority: high
|
||||
author: mikestephens-MS
|
||||
ms.author: mstephen
|
||||
---
|
||||
# Configure Windows Hello for Business: Group Policy
|
||||
|
||||
**Applies to**
|
||||
- Windows<EFBFBD>10
|
||||
|
||||
> This guide only applies to Windows 10, version 1703 or higher.
|
||||
|
||||
- Windows 10
|
||||
|
||||
## Policy Configuration
|
||||
|
||||
>[!IMPORTANT]
|
||||
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
|
||||
|
||||
You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520).
|
||||
Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
|
||||
|
||||
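Review bot: The last sentence of this hunk ("Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.") repeats what the preceding paragraph already says about needing a version 1703 workstation and installing the tools. Consider folding the two into one paragraph. The keywords line here is also left as is, while the other pages in this commit gained a topic keyword (ad, adfs, PKI, dirsync).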
@ -49,7 +49,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
|
||||
5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**.
|
||||
6. In the navigation pane, expand **Policies** under **Computer Configuration**.
|
||||
7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
|
||||
8. In the details pane, right-click **Certificate Services Client <20> Auto-Enrollment** and select **Properties**.
|
||||
8. In the details pane, right-click **Certificate Services Client <20> Auto-Enrollment** and select **Properties**.
|
||||
9. Select **Enabled** from the **Configuration Model** list.
|
||||
10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
|
||||
11. Select the **Update certificates that use certificate templates** check box.
|
||||
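Review bot: Step 10 bolds three fragments ("**Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box") as if they were three controls, but the sentence ends with a singular "check box". Bold the label as one string so readers look for a single option. The dash in "Certificate Services Client ... Auto-Enrollment" in step 8 is still garbled in both the old and new lines.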
@ -60,7 +60,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
|
||||
Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
|
||||
|
||||
1. Start the **Group Policy Management Console** (gpmc.msc)
|
||||
2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO<50>**
|
||||
2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO<50>**
|
||||
3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
|
||||
|
||||
### Windows Hello for Business Group Policy
|
||||
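Review bot: The lead sentence "Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials" should be "Sign in to a domain controller or management workstation ..."; the same phrasing appears in the hunk headers for the other procedures, so it is worth fixing everywhere in one pass. The trailing character in "**Link an existing GPO**" in step 2 is still garbled in both versions.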
@ -108,7 +108,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
|
||||
3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
|
||||
4. In the navigation pane, expand **Policies** under **User Configuration**.
|
||||
5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**.
|
||||
6. In the details pane, right-click **Certificate Services Client <20> Auto-Enrollment** and select **Properties**.
|
||||
6. In the details pane, right-click **Certificate Services Client <20> Auto-Enrollment** and select **Properties**.
|
||||
7. Select **Enabled** from the **Configuration Model** list.
|
||||
8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
|
||||
9. Select the **Update certificates that use certificate templates** check box.
|
||||
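Review bot: Step 5 writes the console path as "**Windows Settings > Security Settings**" while the domain controller procedure earlier in this file writes the same path as "**Windows Settings**, **Security Settings**". Pick one notation for navigation paths and use it in both procedures.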
@ -128,7 +128,7 @@ The best way to deploy the Windows Hello for Business Group Policy object is to
|
||||
|
||||
The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business.
|
||||
1. Start the **Group Policy Management Console** (gpmc.msc)
|
||||
2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO<50>**
|
||||
2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO<50>**
|
||||
3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
|
||||
|
||||
Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object.
|
||||
|
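Review bot: The closing paragraph names things differently from the rest of the section: it says "the **Windows Hello for Business** Group Policy object" where step 3 says **Enable Windows Hello for Business**, and "the Windows Hello for Business group" where the paragraph above says *Windows Hello for Business Users*. Because security group filtering depends on the exact group, use the full names. "All others users ignore" should be "All other users ignore", and "Just to reassure," can be dropped.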
@ -1,24 +1,25 @@
|
||||
---
|
||||
title: Configure Windows Hello for Business Settings (Windows Hello for Business)
|
||||
description: Configure Windows Hello for Business Settings
|
||||
title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business)
|
||||
description: Configuring Windows Hello for Business Settings in Hybrid deployment
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security, mobile
|
||||
author: DaniHalfin
|
||||
ms.author: mstephen
|
||||
localizationpriority: high
|
||||
author: mikestephens-MS
|
||||
ms.author: mstephen
|
||||
---
|
||||
# Configure Windows Hello for Business
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
> This guide only applies to Windows 10, version 1703 or higher.
|
||||
|
||||
> [!div class="step-by-step"]
|
||||
[Configure Windows Hello for Business: Active Directory >](hello-hybrid-cert-whfb-settings-ad.md)
|
||||
|
||||
>[!IMPORTANT]
|
||||
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
|
||||
|
||||
You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model.
|
||||
> [!IMPORTANT]
|
||||
|
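Review bot: The first body sentence reads "You're environment is federated ... Windows Hello for business"; it should be "Your environment is federated" with "Business" capitalised. The hunk also ends on a "> [!IMPORTANT]" marker with no text visible after it; please check that this callout has a body and is not a leftover duplicate of the [!IMPORTANT] block a few lines above.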