deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 05:07:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

removed expandable sections

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-01-23 05:45:38 -05:00
parent 9468a0aab6
commit 510419f1cb
13 changed files with 32 additions and 174 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
View File

@ -17,37 +17,19 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin
## Configure the enterprise PKI
Expand the following sections to configure the PKI for Windows Hello for Business.
<br>
[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
<br>
[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
<br>
[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)]
<br>
[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
<br>
[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
<br>
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
</details>
<br>
<details>
<summary><b>Publish certificate templates to the CA</b></summary>
### Publish certificate templates to the CA
A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
@ -62,8 +44,6 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
- To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
1. Close the console
</details>
## Configure and deploy certificates to domain controllers
[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]

25
windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
View File

@ -30,11 +30,7 @@ Windows Hello for Business supports using a certificate as the supplied credenti
To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template*, and then deploy certificates based on that template.
Expand the following sections to learn more about the process.
<br>
<details>
<summary><b>Create a Windows Hello for Business certificate template</b></summary>
### Create a Windows Hello for Business certificate template
Follow these steps to create a certificate template:
@ -81,11 +77,7 @@ Follow these steps to create a certificate template:
1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list
1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service**
</details>
<br>
<details>
<summary><b>Request a certificate</b></summary>
### Request a certificate
1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA
1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc`
@ -95,8 +87,6 @@ Follow these steps to create a certificate template:
1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll**
1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen
</details>
## Deploy certificates via Intune
> [!NOTE]
@ -111,9 +101,7 @@ Next, you should deploy the root CA certificate (and any other intermediate cert
Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device.
<br>
<details>
<summary><b>Create a policy in Intune</b></summary>
### Create a policy in Intune
This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy.
@ -147,11 +135,8 @@ This section describes how to configure a SCEP policy in Intune. Similar steps c
For more information how to configure SCEP policies, see [Configure SCEP certificate profiles in Intune][MEM-3].
To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4].
</details>
### Request a certificate for Intune clients
<br>
<details>
<summary><b>Request a certificate</b></summary>
Once the Intune policy is created, targeted clients will request a certificate during their next policy refresh cycle. To validate that the certificate is present in the user store, follow these steps:
1. Sign in to a client targeted by the Intune policy
@ -159,8 +144,6 @@ Once the Intune policy is created, targeted clients will request a certificate d
1. In the left pane of the MMC, expand **Personal** and select **Certificates**
1. In the right-hand pane of the MMC, check for the new certificate
</details>
## Use third-party certification authorities
If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6].

50
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
View File

@ -60,11 +60,9 @@ Authenticating from a Hybrid Azure AD joined device to a domain using Windows He
## Configure a CRL distribution point for an issuing CA
Use this set of procedures to update the CA that issues domain controller certificates to include an http-based CRL distribution point. Expand each step to learn more:
Use this set of procedures to update the CA that issues domain controller certificates to include an http-based CRL distribution point.
<br>
<details>
<summary><b>Configure Internet Information Services to host CRL distribution point</b></summary>
### Configure Internet Information Services to host CRL distribution point
You need to host your new certificate revocation list on a web server so Azure AD-joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point.
@ -103,10 +101,7 @@ You need to host your new certificate revocation list on a web server so Azure A
![Create DNS host record.](images/aadj/dns-new-host-dialog.png)
1. Close the **DNS Manager**
</details>
<br>
<details>
<summary><b>Prepare a file share to host the certificate revocation list</b></summary>
### Prepare a file share to host the certificate revocation list
These procedures configure NTFS and share permissions on the web server to allow the certificate authority to automatically publish the certificate revocation list.
@ -145,14 +140,11 @@ These procedures configure NTFS and share permissions on the web server to allow
1. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**
1. Select **Close** in the **cdp Properties** dialog box
</details>
<br>
<details>
<summary><b>Configure the new CDP and publishing location in the issuing CA</b></summary>
### Configure the new CDP and publishing location in the issuing CA
The web server is ready to host the CRL distribution point. Now, configure the issuing certificate authority to publish the CRL at the new location and to include the new CRL distribution point.
### Configure the CRL distribution Point
#### Configure the CRL distribution Point
1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certification Authority** console from **Administrative Tools**
1. In the navigation pane, right-click the name of the certificate authority and select **Properties**
@ -170,7 +162,7 @@ The web server is ready to host the CRL distribution point. Now, configure the i
> [!NOTE]
> Optionally, you can remove unused CRL distribution points and publishing locations.
### Configure the CRL publishing location
#### Configure the CRL publishing location
1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**
1. In the navigation pane, right-click the name of the certificate authority and select **Properties**
@ -184,30 +176,21 @@ The web server is ready to host the CRL distribution point. Now, configure the i
1. Select **Publish Delta CRLs to this location**
1. Select **Apply** save your selections. Select **Yes** when ask to restart the service. Select **OK** to close the properties dialog box
</details>
<br>
<details>
<summary><b>Publish CRL</b></summary>
### Publish a new CRL
#### Publish a new CRL
1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**
1. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and select **Publish**
![Publish a New CRL.](images/aadj/publish-new-crl.png)
1. In the **Publish CRL** dialog box, select **New CRL** and select **OK**
### Validate CDP Publishing
#### Validate CDP Publishing
Validate the new CRL distribution point is working.
1. Open a web browser. Navigate to `http://crl.[yourdomain].com/cdp`. You should see two files created from publishing the new CRL
![Validate the new CRL.](images/aadj/validate-cdp-using-browser.png)
</details>
<br>
<details>
<summary><b>Reissue domain controller certificates</b></summary>
### Reissue domain controller certificates
#### Reissue domain controller certificates
With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point.
@ -227,7 +210,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
> [!IMPORTANT]
> If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire.
### Validate CDP in the new certificate
#### Validate CDP in the new certificate
1. Sign-in a domain controller using administrative credentials
1. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer
@ -236,15 +219,11 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
1. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK**
![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)
</details>
## Deploy the root CA certificate to Azure AD-joined devices
The domain controllers have a certificate that includes the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Azure AD-joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices don't trust domain controller certificates and authentication fails. Expand each step to learn more:
<br>
<details>
<summary><b>Export the enterprise root certificate</b></summary>
### Export the enterprise root certificate
1. Sign-in a domain controller using administrative credentials
1. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer
@ -259,10 +238,7 @@ The domain controllers have a certificate that includes the new CRL distribution
![Export root certificate.](images/aadj/certlm-export-root-certificate.png)
1. Select **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**
</details>
<br>
<details>
<summary><b>Deploy the certificate via Intune</b></summary>
### Deploy the certificate via Intune
To configure devices with Microsoft Intune, use a custom policy:
@ -276,6 +252,4 @@ To configure devices with Microsoft Intune, use a custom policy:
1. Under **Assignment**, select a security group that contains as members the devices or users that you want to configure > **Next**
1. Review the policy configuration and select **Create**
</details>
If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). Otherwise, you can sign in to an Azure AD joined device with Windows Hello for Business and test SSO to an on-premises resource.

19
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
View File

@ -19,10 +19,6 @@ Hybrid certificate trust deployments issue users a sign-in certificate, enabling
## Configure the enterprise PKI
Expand the following sections to configure the PKI for Windows Hello for Business.
<br>
[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
> [!NOTE]
@ -33,26 +29,15 @@ Expand the following sections to configure the PKI for Windows Hello for Busines
> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
> - Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based URL
<br>
[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
<br>
[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
<br>
[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
<br>
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
<br>
<details>
<summary><b>Publish the certificate templates to the CA</b></summary>
### Publish the certificate templates to the CA
A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
@ -65,8 +50,6 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps > select **OK**
1. Close the console
</details>
> [!IMPORTANT]
> If you plan to deploy **Azure AD joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).

15
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
View File

@ -36,7 +36,7 @@ Sign in using *Enterprise Administrator* equivalent credentials on a Windows Ser
```PowerShell
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
```
3. Use the following command to configure the CA using a basic certification authority configuration
1. Use the following command to configure the CA using a basic certification authority configuration
```PowerShell
Install-AdcsCertificationAuthority
```
@ -45,8 +45,6 @@ Sign in using *Enterprise Administrator* equivalent credentials on a Windows Ser
The configuration of the enterprise PKI to support Windows Hello for Business consists of the following steps (expand each step to learn more):
<br>
[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
> [!NOTE]
@ -57,18 +55,11 @@ The configuration of the enterprise PKI to support Windows Hello for Business co
> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
> - Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based URL
<br>
[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
<br>
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
<br>
<details>
<summary><b>Publish the certificate template to the CA</b></summary>
### Publish the certificate template to the CA
A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
@ -81,8 +72,6 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* template you created in the previous steps > select **OK**
1. Close the console
</details>
> [!IMPORTANT]
> If you plan to deploy **Azure AD joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).

33
windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
View File

@ -17,44 +17,15 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin
## Configure the enterprise PKI
Expand the following sections to configure the PKI for Windows Hello for Business.
<br>
<details>
<summary><b>Configure domain controller certificates</b></summary>
[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
</details>
<br>
<details>
<summary><b>Supersede existing domain controller certificates</b></summary>
[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
</details>
<br>
<details>
<summary><b>Configure an internal web server certificate template</b></summary>
[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)]
</details>
<br>
<details>
<summary><b>Unpublish Superseded Certificate Templates</b></summary>
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
</details>
<br>
<details>
<summary><b>Publish certificate templates to the CA</b></summary>
### Publish certificate templates to the CA
A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
@ -69,8 +40,6 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
- To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
1. Close the console
</details>
## Configure and deploy certificates to domain controllers
[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]

3
windows/security/identity-protection/hello-for-business/includes/auth-certificate-template.md
View File

@ -3,8 +3,7 @@ ms.date: 12/28/2022
ms.topic: include
---
<details>
<summary><b>Configure a Windows Hello for Business authentication certificate template</b></summary>
### Configure a Windows Hello for Business authentication certificate template
During Windows Hello for Business provisioning, Windows clients request an authentication certificate from AD FS, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template.

13
windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md
View File

@ -3,11 +3,7 @@ ms.date: 12/28/2022
ms.topic: include
---
Expand the following sections to configure the group policy for domain controllers and validate the certificate deployment.
<br>
<details>
<summary><b>Configure automatic certificate enrollment for the domain controllers</b></summary>
### Configure automatic certificate enrollment for the domain controllers
Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. For domain controllers to automatically enroll and renew of certificates, configure a GPO for automatic certificate enrollment, and link it to the *Domain Controllers* OU.
@ -25,11 +21,7 @@ Domain controllers automatically request a certificate from the *Domain controll
1. Select **OK**
1. Close the **Group Policy Management Editor**
</details>
<br>
<details>
<summary><b>Deploy the domain controller auto certificate enrollment GPO</b></summary>
### Deploy the domain controller auto certificate enrollment GPO
Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials.
@ -38,4 +30,3 @@ Sign in to domain controller or management workstations with *Domain Administrat
1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created
1. Select **OK**
</details>

4
windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md
View File

@ -3,8 +3,7 @@ ms.date: 12/28/2022
ms.topic: include
---
<details>
<summary><b>Supersede existing domain controller certificates</b></summary>
### Supersede existing domain controller certificates
The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension.
@ -32,4 +31,3 @@ However, the certificate template and the superseding of certificate templates i
>
> `Certutil -viewstore -enterprise NTAuth`
</details>

4
windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md
View File

@ -3,8 +3,7 @@ ms.date: 12/28/2022
ms.topic: include
---
<details>
<summary><b>Configure domain controller certificates</b></summary>
### Configure domain controller certificates
Clients must trust the domain controllers, and the best way to enable the trust is to ensure that each domain controller has a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the *enterprise certification authority*.
@ -50,4 +49,3 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
1. Select **OK**
1. Close the console
</details>

8
windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md
View File

@ -3,8 +3,7 @@ ms.date: 01/03/2022
ms.topic: include
---
<details>
<summary><b>Configure an enrollment agent certificate template</b></summary>
### Configure an enrollment agent certificate template
A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA.
@ -13,7 +12,7 @@ The CRA enrolls for an *enrollment agent certificate*. Once the CRA verifies the
> [!IMPORTANT]
> Follow the procedures below based on the AD FS service account used in your environment.
### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA)
#### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA)
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
@ -46,7 +45,7 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
- Select **OK**
1. Close the console
### Create an enrollment agent certificate for a standard service account
#### Create an enrollment agent certificate for a standard service account
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
@ -78,4 +77,3 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
- Select **OK**
1. Close the console
</details>

4
windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md
View File

@ -3,8 +3,7 @@ ms.date: 12/28/2022
ms.topic: include
---
<details>
<summary><b>Unpublish Superseded Certificate Templates</b></summary>
### Unpublish Superseded Certificate Templates
The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue, including the pre-published templates from the role installation and any superseded templates.
@ -17,4 +16,3 @@ Sign in to the CA or management workstation with *Enterprise Administrator* equi
1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window
1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates
</details>

6
windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md
View File

@ -1,10 +1,9 @@
---
ms.date: 12/28/2022
ms.date: 01/23/2023
ms.topic: include
---
<details>
<summary><b>Configure an internal web server certificate template</b></summary>
### Configure an internal web server certificate template
Windows clients communicate with AD FS via HTTPS. To meet this need, a *server authentication* certificate must be issued to all the nodes in the AD FS farm. On-premises deployments can use a *server authentication* certificate issued by the enterprise PKI. A *server authentication* certificate template must be configured, so the AD FS nodes can request a certificate.
@ -37,4 +36,3 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
- Select **OK**
1. Close the console
</details>