Update Windows Hello for Business deployment steps

Paolo Matarazzo 2023-12-28 17:09:02 -05:00
parent 61b85509fe
commit 54b06c0db8
4 changed files with 14 additions and 96 deletions

View File

@ -25,8 +25,8 @@ ms.topic: tutorial
> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
>
> - [Deploy Microsoft Entra Kerberos](#deploy-microsoft-entra-kerberos)
> - [Configure Windows Hello for Business settings](#configure-windows-hello-for-business-policy)
> - [Provision Windows Hello for Business](#provision-windows-hello-for-business)
> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings)
> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business)
## Deploy Microsoft Entra Kerberos
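Review bot: the new in-page anchor `#enroll-in-windows-hello-for-business` in the last checklist item has no matching heading rename visible in this diff; only the `## Configure Windows Hello for Business policy settings` heading is shown being renamed in the next hunk. Confirm that a `## Enroll in Windows Hello for Business` heading exists (or is renamed) in this file, otherwise the checklist link is dead. The same applies to `#configure-windows-hello-for-business-policy-settings`, which must match the renamed heading exactly, including the trailing "settings".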
@ -55,7 +55,7 @@ For more information about how Microsoft Entra Kerberos works with Windows Hello
When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
## Configure Windows Hello for Business policy
## Configure Windows Hello for Business policy settings
After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
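Review bot: renaming the heading from `## Configure Windows Hello for Business policy` to `## Configure Windows Hello for Business policy settings` changes its anchor, so any other page that links to `#configure-windows-hello-for-business-policy` now breaks; grep the docset for the old anchor before merging. Drive-by: the unchanged context line "Windows Hello for business cloud Kerberos trust" has a lowercase "business" in the product name, worth fixing while this line is being touched.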

View File

@ -1,71 +0,0 @@
---
title: Configure and validate the Public Key Infrastructure in an hybrid key trust model
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in an hybrid key trust model.
ms.date: 12/18/2023
ms.topic: tutorial
---
# Configure and validate the Public Key Infrastructure - hybrid key trust
[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
Key trust deployments don't need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Microsoft Entra Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`).
A Windows Server-based PKI or a third-party Enterprise certification authority can be used. For more details, see [Requirements for domain controller certificates from a third-party CA][SERV-1].
[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
## Configure the enterprise PKI
[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
[!INCLUDE [dc-certificate-template-dc-hybrid-notes](includes/certificate-template-dc-hybrid-notes.md)]
[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
### Publish the certificate template to the CA
A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
1. Open the **Certification Authority** management console
1. Expand the parent node from the navigation pane
1. Select **Certificate Templates** in the navigation pane
1. Right-click the **Certificate Templates** node. Select **New > Certificate Template to issue**
1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* template you created in the previous steps > select **OK**
1. Close the console
> [!IMPORTANT]
> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](../hello-hybrid-aadj-sso.md).
## Configure and deploy certificates to domain controllers
[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
## Validate the configuration
[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
## Section review and next steps
Before moving to the next section, ensure the following steps are complete:
> [!div class="checklist"]
>
> - Configure domain controller certificates
> - Supersede existing domain controller certificates
> - Unpublish superseded certificate templates
> - Publish the certificate template to the CA
> - Deploy certificates to the domain controllers
> - Validate the domain controllers configuration
> [!div class="nextstepaction"]
> [Next: configure and provision Windows Hello for Business >](hybrid-key-trust-enroll.md)
<!--links-->
[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
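Review bot: deleting `hybrid-key-trust-pki.md` outright leaves no redirect for existing inbound links and bookmarks; this change removes the TOC entry and the "Next" link that pointed at it, but an entry in the redirection file (from `hybrid-key-trust-pki.md` to `hybrid-key-trust.md#configure-and-validate-the-public-key-infrastructure`) is needed so the old URL does not 404. Also verify that everything being folded into `hybrid-key-trust.md` came across, in particular the `[!IMPORTANT]` note about updating the CA with an http-based CRL distribution point for Microsoft Entra joined SSO and the `[!INCLUDE ...]` lines for the domain controller certificate template, supersede, unpublish, deploy and validate steps; the hunks for the destination file only show the first paragraph and the section-review block.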

View File

@ -21,6 +21,15 @@ ms.topic: tutorial
> - [Device configuration](index.md#device-configuration)
> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello)
## Deployment steps
> [!div class="checklist"]
> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
>
> - [Configure and validate the Public Key Infrastructure](#configure-and-validate-the-public-key-infrastructure)
> - [Configure and enroll in Windows Hello for Business](hybrid-key-trust-enroll.md)
> - (optional) [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md)
## Configure and validate the Public Key Infrastructure
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
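Review bot: the deployment checklist lists "Configure and validate the Public Key Infrastructure" as the first step and links to it in-page, but the SSO item is marked "(optional)" while the PKI section of the deleted page stated that the CA must be updated with an http-based CRL distribution point when SSO to on-premises resources from Microsoft Entra joined devices is required. Consider keeping that dependency visible here, for example by noting in the optional item that it also has a PKI prerequisite, so readers do not skip it and then find that SSO fails. Also confirm the `[SERV-1]` reference used in this section is still defined at the bottom of the file (it is kept in the later hunk, so this should be fine).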
@ -67,9 +76,8 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
## Section review and next steps
Before moving to the next section, ensure the following steps are complete:
> [!div class="checklist"]
> Before moving to the next section, ensure the following steps are complete:
>
> - Configure domain controller certificates
> - Supersede existing domain controller certificates
@ -79,23 +87,7 @@ Before moving to the next section, ensure the following steps are complete:
> - Validate the domain controllers configuration
> [!div class="nextstepaction"]
> [Next: configure and provision Windows Hello for Business >](hybrid-key-trust-enroll.md)
> [Next: configure and enroll in Windows Hello for Business >](hybrid-key-trust-enroll.md)
<!--links-->
[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
<!-->
## Next steps
> [!div class="checklist"]
> Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps:
>
> - Configure and validate the PKI
> - Configure Windows Hello for Business settings
> - Provision Windows Hello for Business on Windows clients
> - Configure single sign-on (SSO) for Microsoft Entra joined devices
> [!div class="nextstepaction"]
> [Next: configure and validate the Public Key Infrastructure >](hybrid-key-trust-pki.md)
<!--links-->
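Review bot: the removed block opens with `<!-->` but its closing `-->` is not visible in this hunk; check that the file does not end with an orphaned `-->` after the `[SERV-1]` definition, since a stray comment terminator will render as literal text. The "Next" link text changes from "configure and provision" to "configure and enroll in", so the title of the target page `hybrid-key-trust-enroll.md` and its TOC entry should be aligned to the same wording in this change.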

View File

@ -12,9 +12,6 @@ items:
- name: Overview
href: hybrid-key-trust.md
displayName: key trust
- name: Configure and validate the PKI
href: hybrid-key-trust-pki.md
displayName: key trust
- name: Configure and provision Windows Hello for Business
href: hybrid-key-trust-enroll.md
displayName: key trust
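Review bot: the remaining TOC entry still reads "Configure and provision Windows Hello for Business" while the updated "Next" link in `hybrid-key-trust.md` now says "configure and enroll in Windows Hello for Business"; rename the TOC `name` to match so the navigation and the in-page link agree. Removing the "Configure and validate the PKI" entry is correct once the page is deleted, but only together with the redirect noted above.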