deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 20:33:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

save again

Browse Source
This commit is contained in:
jdeckerMS
2016-09-28 12:52:24 -07:00
parent 52e4a25233
commit 5209f44ded
1 changed files with 16 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
windows/keep-secure/hello-implement-in-organization.md
View File

@ -400,11 +400,22 @@ Smart cards can act as a useful complement to Windows Hello in another important
Which rollout method you choose depends on several factors:
- How many devices you need to deploy. This number has a huge influence on your overall deployment. A global rollout for 75,000 users has different requirements than a phased rollout for groups of 200300 users in different cities.
- How quickly you want to deploy Windows Hello for Business protection. This is a classic costbenefit tradeoff. You have to balance the security benefits of Windows Hello for Business against the cost and time required to deploy it broadly, and different organizations may make entirely different decisions depending on how they rate the costs and benefits involved. Getting the broadest possible Windows Hello coverage in the shortest time possible maximizes security benefits.
- The type of devices you want to deploy. Windows device manufacturers are aggressively introducing new devices optimized for Windows 10, leading to the possibility that you might deploy Windows Hello first on newly purchased tablets and portable devices, and then deploy it on the desktop as part of your normal refresh cycle.
- What your current infrastructure looks like. The individual version of Windows Hello doesnt require changes to your Active Directory environment, but to support Windows Hello for Business, you may need a compatible MDM system. Depending on the size and composition of your network, mobile enrollment and management services deployment may be a major project in its own right.
- Your plans for the cloud. If youre already planning a move to the cloud, Azure AD eases the process of Windows Hello for Business deployment, because you can use Azure AD as an IDP alongside your existing on-premises AD DS setup without making significant changes to your on-premises environment. Future versions of Windows Hello for Business will support the ability to simultaneously register devices that are already members of an on-premises AD DS domain in an Azure AD partition so that they use Windows Hello for Business from the cloud. Hybrid deployments that combine AD DS with Azure AD give you the ability to keep machine authentication and policy management against your local AD DS domain while providing the full set of Windows Hello for Business services (and Microsoft Office 365 integration) for your users. If you plan to use on-premises AD DS only, then the design and configuration of your on-premises environment will dictate what kind of changes you may need to make.
- **How many devices you need to deploy**. This number has a huge influence on your overall deployment. A global rollout for 75,000 users has different requirements than a phased rollout for groups of 200300 users in different cities.
- **How quickly you want to deploy Windows Hello for Business protection**. This is a classic costbenefit tradeoff. You have to balance the security benefits of Windows Hello for Business against the cost and time required to deploy it broadly, and different organizations may make entirely different decisions depending on how they rate the costs and benefits involved. Getting the broadest possible Windows Hello coverage in the shortest time possible maximizes security benefits.
- **The type of devices you want to deploy**. Windows device manufacturers are aggressively introducing new devices optimized for Windows 10, leading to the possibility that you might deploy Windows Hello first on newly purchased tablets and portable devices, and then deploy it on the desktop as part of your normal refresh cycle.
-** What your current infrastructure looks like**. The individual version of Windows Hello doesnt require changes to your Active Directory environment, but to support Windows Hello for Business, you may need a compatible MDM system. Depending on the size and composition of your network, mobile enrollment and management services deployment may be a major project in its own right.
- **Your plans for the cloud**. If youre already planning a move to the cloud, Azure AD eases the process of Windows Hello for Business deployment, because you can use Azure AD as an IDP alongside your existing on-premises AD DS setup without making significant changes to your on-premises environment. Future versions of Windows Hello for Business will support the ability to simultaneously register devices that are already members of an on-premises AD DS domain in an Azure AD partition so that they use Windows Hello for Business from the cloud. Hybrid deployments that combine AD DS with Azure AD give you the ability to keep machine authentication and policy management against your local AD DS domain while providing the full set of Windows Hello for Business services (and Microsoft Office 365 integration) for your users. If you plan to use on-premises AD DS only, then the design and configuration of your on-premises environment will dictate what kind of changes you may need to make.
## How to use Windows Hello for Business with Azure Ad
There are three scenarios for using Windows Hello for Business in Azure ADonly organizations:
- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenants directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join wont be enabled unless and until the organizations administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered.
- **Organizations that have subscribed to Azure AD Premium** have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device.
If you want to use Windows Hello for Business with certificates, youll need a device registration system. That means that you set up Configuration Manager Technical Preview, Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates. Set Microsoft Passport policies
## Related topics