From 2426c06108ec57f3e49c53d3bef908fa7775ab5f Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 25 Jul 2022 11:50:35 -0400 Subject: [PATCH 1/2] Fixed markup based on 9924 --- .../hello-hybrid-key-whfb-settings-pki.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index a43a8e5673..6606eca9ed 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -79,11 +79,11 @@ The certificate template is configured to supersede all the certificate template > [!NOTE] > The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. ->you can view +>To see all certificates in the NTAuth store, use the following command: > ->'''powershell ->Certutil -view ->Publish Certificate Templates to a Certificate Authority +> `Certutil -viewstore -enterprise NTAuth` + +### Publish Certificate Templates to a Certificate Authority The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. @@ -95,7 +95,7 @@ Sign-in to the certificate authority or management workstations with an _enterpr 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. 5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. 6. If you published the **Domain Controller Authentication (Kerberos)** certificate template, then you should unpublish the certificate templates you included in the superseded templates list. - * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. + - To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. 7. Close the console. ### Unpublish Superseded Certificate Templates From 3e8e8075566d8b4eabd820fbc44c0c5523538492 Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Mon, 25 Jul 2022 11:14:16 -0500 Subject: [PATCH 2/2] Update hello-hybrid-key-whfb-settings-pki.md --- .../hello-for-business/hello-hybrid-key-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 6606eca9ed..5f2d0ed289 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -21,7 +21,7 @@ ms.reviewer: - Hybrid Deployment - Key trust -Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. +Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust.