From 54b06c0db893fdf36e324881edbc6e0754dbce1c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 28 Dec 2023 17:09:02 -0500 Subject: [PATCH] Update Windows Hello for Business deployment steps --- .../deploy/hybrid-cloud-kerberos-trust.md | 6 +- .../deploy/hybrid-key-trust-pki.md | 71 ------------------- .../deploy/hybrid-key-trust.md | 30 +++----- .../hello-for-business/deploy/toc.yml | 3 - 4 files changed, 14 insertions(+), 96 deletions(-) delete mode 100644 windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md index 0cc58ccf69..01f4ae3f76 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md @@ -25,8 +25,8 @@ ms.topic: tutorial > Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: > > - [Deploy Microsoft Entra Kerberos](#deploy-microsoft-entra-kerberos) -> - [Configure Windows Hello for Business settings](#configure-windows-hello-for-business-policy) -> - [Provision Windows Hello for Business](#provision-windows-hello-for-business) +> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings) +> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business) ## Deploy Microsoft Entra Kerberos 
@@ -55,7 +55,7 @@ For more information about how Microsoft Entra Kerberos works with Windows Hello When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. -## Configure Windows Hello for Business policy +## Configure Windows Hello for Business policy settings After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md deleted file mode 100644 index bfaae41503..0000000000 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -title: Configure and validate the Public Key Infrastructure in an hybrid key trust model -description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in an hybrid key trust model. -ms.date: 12/18/2023 -ms.topic: tutorial ---- - -# Configure and validate the Public Key Infrastructure - hybrid key trust - -[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)] - -Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers. - -Key trust deployments don't need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Microsoft Entra Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`). - -A Windows Server-based PKI or a third-party Enterprise certification authority can be used. For more details, see [Requirements for domain controller certificates from a third-party CA][SERV-1]. - -[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)] - -## Configure the enterprise PKI - -[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)] - -[!INCLUDE [dc-certificate-template-dc-hybrid-notes](includes/certificate-template-dc-hybrid-notes.md)] - -[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] - -[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] - -### Publish the certificate template to the CA - -A certification authority can only issue certificates for certificate templates that are published to it. 
If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. - -Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials. - -1. Open the **Certification Authority** management console -1. Expand the parent node from the navigation pane -1. Select **Certificate Templates** in the navigation pane -1. Right-click the **Certificate Templates** node. Select **New > Certificate Template to issue** -1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* template you created in the previous steps > select **OK** -1. Close the console - -> [!IMPORTANT] -> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](../hello-hybrid-aadj-sso.md). - -## Configure and deploy certificates to domain controllers - -[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)] - -## Validate the configuration - -[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)] - -## Section review and next steps - -Before moving to the next section, ensure the following steps are complete: - -> [!div class="checklist"] -> -> - Configure domain controller certificates -> - Supersede existing domain controller certificates -> - Unpublish superseded certificate templates -> - Publish the certificate template to the CA -> - Deploy certificates to the domain controllers -> - Validate the domain controllers configuration - -> [!div class="nextstepaction"] -> [Next: configure and provision Windows Hello for Business >](hybrid-key-trust-enroll.md) - - -[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md index 540f04b788..bd5f24cd52 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md @@ -21,6 +21,15 @@ ms.topic: tutorial > - [Device configuration](index.md#device-configuration) > - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello) +## Deployment steps + +> [!div class="checklist"] +> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: +> +> - [Configure and validate the Public Key Infrastructure](#configure-and-validate-the-public-key-infrastructure) +> - [Configure and enroll in Windows Hello for Business](hybrid-key-trust-enroll.md) +> - (optional) [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md) + ## Configure and validate the Public Key Infrastructure Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers. @@ -67,9 +76,8 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen ## Section review and next steps -Before moving to the next section, ensure the following steps are complete: - > [!div class="checklist"] +> Before moving to the next section, ensure the following steps are complete: > > - Configure domain controller certificates > - Supersede existing domain controller certificates 
@@ -79,23 +87,7 @@ Before moving to the next section, ensure the following steps are complete: > - Validate the domain controllers configuration > [!div class="nextstepaction"] -> [Next: configure and provision Windows Hello for Business >](hybrid-key-trust-enroll.md) +> [Next: configure and enroll in Windows Hello for Business >](hybrid-key-trust-enroll.md) [SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller - - -## Next steps - -> [!div class="checklist"] -> Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps: -> -> - Configure and validate the PKI -> - Configure Windows Hello for Business settings -> - Provision Windows Hello for Business on Windows clients -> - Configure single sign-on (SSO) for Microsoft Entra joined devices - -> [!div class="nextstepaction"] -> [Next: configure and validate the Public Key Infrastructure >](hybrid-key-trust-pki.md) - - diff --git a/windows/security/identity-protection/hello-for-business/deploy/toc.yml b/windows/security/identity-protection/hello-for-business/deploy/toc.yml index 53a57f554c..2c654b6ea5 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/toc.yml +++ b/windows/security/identity-protection/hello-for-business/deploy/toc.yml @@ -12,9 +12,6 @@ items: - name: Overview href: hybrid-key-trust.md displayName: key trust - - name: Configure and validate the PKI - href: hybrid-key-trust-pki.md - displayName: key trust - name: Configure and provision Windows Hello for Business href: hybrid-key-trust-enroll.md displayName: key trust
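Review bot: In the first hybrid-cloud-kerberos-trust.md hunk (@@ -25,8 +25,8 @@), the new link target `#enroll-in-windows-hello-for-business` has no matching heading change anywhere in this patch: the only heading rename shown is `## Configure Windows Hello for Business policy` to `## Configure Windows Hello for Business policy settings` in the following hunk. If the section is still titled "Provision Windows Hello for Business", this checklist link now points at a non-existent anchor; either rename that heading in the same commit or keep the old `#provision-windows-hello-for-business` anchor.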
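Review bot: In the second hybrid-cloud-kerberos-trust.md hunk (@@ -55,7 +55,7 @@), the heading gains the word "settings", so anchors on other pages in the deploy folder (and the toc displayName, if any) that still point at `#configure-windows-hello-for-business-policy` will break; grep for the old anchor before merging. While touching this section, the context line "Windows Hello for business cloud Kerberos trust must be enabled" should read "Windows Hello for Business" for consistency with the product name used everywhere else on the page.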
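Review bot: Deleting hybrid-key-trust-pki.md (@@ -1,71 +0,0 @@) removes a published URL, so a redirect from that path to hybrid-key-trust.md should accompany the deletion to keep inbound links and search results from returning 404. Also confirm that everything from the deleted page now lives in hybrid-key-trust.md: the hunks for that file only show the intro paragraph, the "Section review" checklist and a context line from the "Publish the certificate template to the CA" procedure, but not the `[!IMPORTANT]` callout about updating the CA with an http-based CRL distribution point for Microsoft Entra joined devices needing SSO. That callout is the one security-relevant prerequisite for the optional SSO step the new checklist links to, and it must not be lost in the merge.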
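Review bot: In the first hybrid-key-trust.md hunk (@@ -21,6 +21,15 @@), the new "Deployment steps" checklist wording "Configure and enroll in Windows Hello for Business" does not match the toc.yml entry for the same page (`hybrid-key-trust-enroll.md`), which this patch leaves as "Configure and provision Windows Hello for Business". Pick one of "enroll" or "provision" and use it in the checklist, the nextstepaction link and the toc so readers see the same step name in all three places. The structure itself is fine and mirrors the checklist on the cloud Kerberos trust page.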
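Review bot: In the last hybrid-key-trust.md hunk (@@ -79,23 +87,7 @@), removing the trailing "## Next steps" section also removes the `#next-steps` anchor on this page; check that index.md and the other deploy pages do not link to `hybrid-key-trust.md#next-steps`. The removal itself is correct, since that section duplicated the checklist now placed at the top of the page and its nextstepaction link pointed at the deleted hybrid-key-trust-pki.md.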
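Review bot: In the toc.yml hunk (@@ -12,9 +12,6 @@), dropping the "Configure and validate the PKI" entry is consistent with the page deletion, but the remaining entry "Configure and provision Windows Hello for Business" should be renamed to match the "Configure and enroll in Windows Hello for Business" wording this patch introduces in hybrid-key-trust.md, otherwise the left-hand navigation and the in-page links name the same step differently.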