mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge pull request #9970 from MicrosoftDocs/main
publish main to live 10:30 AM 6/25/24
commit
62b93c6620
@ -13,6 +13,8 @@
|
||||
href: update/release-cycle.md
|
||||
- name: Basics of Windows updates, channels, and tools
|
||||
href: update/get-started-updates-channels-tools.md
|
||||
- name: Defining Windows update-managed devices
|
||||
href: update/update-managed-unmanaged-devices.md
|
||||
- name: Prepare servicing strategy for Windows client updates
|
||||
href: update/waas-servicing-strategy-windows-10-updates.md
|
||||
- name: Deployment proof of concept
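Review bot: the new entry's `href: update/update-managed-unmanaged-devices.md` has to resolve to the article added in this PR ("Defining Windows update-managed devices"); the rendered diff doesn't show the new file's path, so confirm the filename matches before merging. Placement between "Basics of Windows updates, channels, and tools" and "Prepare servicing strategy" reads naturally.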
|
||||
@ -113,7 +115,7 @@
|
||||
- name: Deploy updates with Group Policy
|
||||
href: update/waas-wufb-group-policy.md
|
||||
- name: Deploy updates using CSPs and MDM
|
||||
href: update/waas-wufb-csp-mdm.md
|
||||
href: update/waas-wufb-csp-mdm.md
|
||||
- name: Update Windows client media with Dynamic Update
|
||||
href: update/media-dynamic-update.md
|
||||
- name: Migrating and acquiring optional Windows content
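Review bot: the removed and added `href: update/waas-wufb-csp-mdm.md` lines are identical in this rendering, so the change is presumably indentation or trailing whitespace; if the indentation changed, confirm the href still sits under "Deploy updates using CSPs and MDM" in the rendered TOC rather than becoming a sibling entry.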
|
||||
@ -377,7 +379,7 @@
|
||||
- name: Delivery Optimization reference
|
||||
href: do/waas-delivery-optimization-reference.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
|
||||
- name: FoD and language packs for WSUS and Configuration Manager
|
||||
href: update/fod-and-lang-packs.md
|
||||
href: update/fod-and-lang-packs.md
|
||||
- name: Windows client in S mode
|
||||
href: s-mode.md
|
||||
- name: Switch to Windows client Pro or Enterprise from S mode
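Review bot: the two `href: update/fod-and-lang-packs.md` lines show no visible difference, which points to a whitespace-only change; a YAML indentation change here would detach the href from the "FoD and language packs for WSUS and Configuration Manager" item, so verify the TOC renders with the link attached to that entry.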
|
||||
|
@ -0,0 +1,71 @@
|
||||
---
|
||||
title: Defining Windows update-managed devices
|
||||
description: This article provides clarity on the terminology and practices involved in managing Windows updates for both managed and unmanaged devices.
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: overview
|
||||
ms.date: 06/25/2024
|
||||
author: mikolding
|
||||
ms.author: v-mikolding
|
||||
ms.reviewer: mstewart,thtrombl,v-fvalentyna,arcarley
|
||||
manager: aaroncz
|
||||
ms.localizationpriority: medium
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
---
|
||||
|
||||
# Defining Windows update-managed devices
|
||||
|
||||
As an IT administrator, understanding the differences between managed and unmanaged devices is crucial for effective Windows update management. This article provides clarity on the terminology and practices involved in managing Windows updates for both types of devices.
|
||||
|
||||
## What are update-managed Windows devices?
|
||||
|
||||
Update-managed devices are those where an IT administrator or organization controls Windows updates through a management tool, such as Microsoft Intune, or by directly setting policies. You can directly set policies with group policy objects (GPO), configuration service provider (CSP) policies, or Microsoft Graph.
|
||||
|
||||
> [!NOTE]
|
||||
> This definition is true even if you directly set registry keys. However, we don't recommended doing this action because registry keys can be easily overwritten.
|
||||
|
||||
Managed devices can include desktops, laptops, tablets, servers, and manufacturing equipment. These devices are secured and configured according to your organization's standards and policies.
|
||||
|
||||
### IT-managed: Windows update offering
|
||||
|
||||
Devices are considered Windows update-managed if you manage the update offering in the following ways:
|
||||
|
||||
- You configure policies to manage which updates are offered to the specific device.
|
||||
- You set when your organization should receive feature, quality, and driver updates, among others.
|
||||
- You use [group policy objects (GPO)](/windows/deployment/update/waas-wufb-group-policy), [configuration service provider (CSP)](/windows/client-management/mdm/policy-csp-update#update-allowupdateservice), or [Microsoft Graph](/windows/deployment/update/deployment-service-overview) to configure these offerings.
|
||||
|
||||
### IT-managed: Windows update experience
|
||||
|
||||
Devices are considered Windows update-managed if you use policies (GPO, CSP, or Microsoft Graph) to manage device behavior when taking Windows updates.
|
||||
|
||||
Examples of controllable device behavior include active hours, update grace periods and deadlines, update notifications, update scheduling, and more. Consult the complete list at [Update Policy CSP](/windows/client-management/mdm/policy-csp-update).
|
||||
|
||||
## Examples of update-managed Windows devices
|
||||
|
||||
Here are a few examples of update-managed devices:
|
||||
|
||||
- **Company-owned devices:** Devices provisioned by your IT department with corporate credentials, configurations, and policies.
|
||||
- **Employee-owned devices in BYOD programs:** Personally owned devices that are enrolled in the company's device management system to securely access corporate resources.
|
||||
- **Devices provisioned through Windows Autopilot:** Devices that are set up and preconfigured to be business-ready right out of the box.
|
||||
- **Mandated security settings:** Devices with health requirements such as device encryption, PIN or strong password, specific inactivity timeout periods, and up-to-date operating systems.
|
||||
- **Intune-enrolled devices:** Devices enrolled in Microsoft Intune for network access and enforced security policies.
|
||||
- **Third-party managed devices:** Devices enrolled in non-Microsoft management tools with configured Windows update policies via GPO, CSP, or registry key.
|
||||
|
||||
## What are update-unmanaged Windows devices?
|
||||
|
||||
Unlike update-managed devices, unmanaged devices aren't controlled through policies, management tools, or software. These devices aren't enrolled in tools like Microsoft Intune or Configuration Manager. If you only configure the Settings page to control overall device behavior when taking updates, it's considered an unmanaged device.
|
||||
|
||||
> [!NOTE]
|
||||
> The term "Microsoft managed devices" used to refer to what we now call "update unmanaged Windows devices." Based on feedback, we have updated our terminology for clarity.
|
||||
|
||||
## Examples of update-unmanaged Windows devices
|
||||
|
||||
Examples of update-unmanaged devices include:
|
||||
|
||||
- **Personal devices:** Devices owned by individuals at your organization that aren't enrolled in any corporate management system.
|
||||
- **BYOD devices not enrolled in management programs:** Devices used for work but not part of an organizational bring your own device (BYOD) program.
|
||||
- **Peripheral devices:** Devices like printers, IP phones, and uninterruptible power supplies (UPS) that can't accept centrally managed administrative credentials.
|
||||
|
||||
For more information on managed and unmanaged devices, see [Secure managed and unmanaged devices](/microsoft-365/business-premium/m365bp-managed-unmanaged-devices).
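Review bot: grammar in the note under "What are update-managed Windows devices?": "we don't recommended doing this action" should read "we don't recommend doing this". Two smaller consistency points in the same file: the second note writes "update unmanaged Windows devices" without the hyphen used everywhere else ("update-unmanaged"), and the "Third-party managed devices" example lists "registry key" as an accepted configuration path even though the earlier note discourages setting registry keys directly because they are easily overwritten; a short cross-reference to that caveat would keep the two statements aligned.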
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Configure Active Directory Federation Services in a hybrid certificate trust model
|
||||
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business hybrid certificate trust model.
|
||||
ms.date: 03/12/2024
|
||||
ms.date: 06/23/2024
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
@ -52,19 +52,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
|
||||
1. Restart the AD FS server
|
||||
|
||||
> [!NOTE]
|
||||
> For AD FS 2019 in a hybrid certificate trust model, a PRT issue exists. You may encounter this error in the AD FS Admin event logs: *Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'*. To remediate this error:
|
||||
>
|
||||
> 1. Launch AD FS management console and browse to **Services > Scope Descriptions**
|
||||
> 1. Right click **Scope Descriptions** and select **Add Scope Description**
|
||||
> 1. Under name type `ugs` and select **Apply > OK**
|
||||
> 1. Launch PowerShell as an administrator
|
||||
> 1. Obtain the *ObjectIdentifier* of the application permission with the `ClientRoleIdentifier` parameter equal to `38aa3b87-a06d-4817-b275-7a316988d93b`:
|
||||
> ```PowerShell
|
||||
> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
|
||||
> ```
|
||||
> 1. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'`.
|
||||
> 1. Restart the AD FS service
|
||||
> 1. On the client: Restart the client. User should be prompted to provision Windows Hello for Business
|
||||
> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. For more information about the isse and its resolution, see [Certificate trust provisioning with AD FS broken on windows server 2019](../hello-deployment-issues.md#certificate-trust-provisioning-with-ad-fs-broken-on-windows-server-2019).
|
||||
|
||||
## Section review and next steps
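Review bot: typo in the added note: "isse" should be "issue", and "windows server 2019" in the link text should be capitalized as "Windows Server 2019". The new note also widens the scope from "AD FS 2019 in a hybrid certificate trust model" to "AD FS 2019 and later in a certificate trust model"; make sure the linked troubleshooting section states the same scope, and consider keeping the event-log message in italics as the removed text had it, so readers can recognize it as a quoted string.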
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model
|
||||
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
|
||||
ms.date: 03/12/2024
|
||||
ms.date: 06/23/2024
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Configure and validate the PKI in an hybrid certificate trust model
|
||||
title: Configure and validate the PKI in a hybrid certificate trust model
|
||||
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
|
||||
ms.date: 03/12/2024
|
||||
ms.date: 06/23/2024
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Windows Hello for Business hybrid certificate trust deployment guide
|
||||
description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
|
||||
ms.date: 03/12/2024
|
||||
ms.date: 06/23/2024
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 01/03/2024
|
||||
ms.date: 06/23/2024
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
@ -8,6 +8,8 @@ ms.topic: include
|
||||
Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
|
||||
|
||||
- certificates
|
||||
> [!NOTE]
|
||||
> When using this option, the certificates must be deployed to the users. For example, users can use their smart card or virtual smart card as a certificate authentication option.
|
||||
- non-Microsoft authentication providers for AD FS
|
||||
- custom authentication provider for AD FS
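Review bot: the added `> [!NOTE]` block sits between two items of the same bullet list with no indentation, so Markdown will terminate the list at the note and start a new list at "- non-Microsoft authentication providers for AD FS"; indent the note under the `- certificates` item (two spaces before the `>`) or move it below the list. In the unchanged first line, "requires users perform multifactor authentication (MFA) prior to enroll in the service" would read better as "requires users to perform multifactor authentication (MFA) before enrolling in the service".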
|
||||
|
||||
|
@ -61,4 +61,4 @@ CertUtil: -dsTemplate command completed successfully."
|
||||
```
|
||||
|
||||
>[!NOTE]
|
||||
>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the `Get-CATemplate` ADCS Administration Windows PowerShell cmdlet on your certification authority.
|
||||
>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc).
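Review bot: the commit message doesn't say why the `Get-CATemplate` alternative was dropped; the cmdlet still works on a certification authority, so if the intent is to offer a single method, say so, otherwise keep the sentence. Style: `>[!NOTE]` is missing the space after `>` that the other notes in this PR use.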
|
||||
|
@ -3,7 +3,7 @@ ms.date: 01/03/2024
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
### Configure an enrollment agent certificate template
|
||||
## Configure an enrollment agent certificate template
|
||||
|
||||
A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA.
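Review bot: changing the heading from `###` to `##` in an include file changes heading depth in every article that consumes it; the on-premises AD FS article in this PR now includes it directly under the page title, which fits, but confirm no other consumer still expects a third-level heading. Grammar in the context paragraph: "validates certificate request" should be "validates certificate requests".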
|
||||
|
||||
@ -12,7 +12,7 @@ The CRA enrolls for an *enrollment agent certificate*. Once the CRA verifies the
|
||||
> [!IMPORTANT]
|
||||
> Follow the procedures below based on the AD FS service account used in your environment.
|
||||
|
||||
#### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA)
|
||||
### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA)
|
||||
|
||||
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
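Review bot: the `####` to `###` change is consistent with the parent heading moving up one level in the same include. In the unchanged line "Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials", "workstations" should be singular ("a CA or management workstation").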
|
||||
|
||||
@ -32,7 +32,7 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
|
||||
1. Select **OK** to finalize your changes and create the new template
|
||||
1. Close the console
|
||||
|
||||
#### Create an enrollment agent certificate for a standard service account
|
||||
### Create an enrollment agent certificate for a standard service account
|
||||
|
||||
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Configure Active Directory Federation Services in an on-premises certificate trust model
|
||||
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model.
|
||||
ms.date: 03/12/2024
|
||||
ms.date: 06/23/2024
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
@ -16,20 +16,7 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
|
||||
[!INCLUDE [adfs-deploy](includes/adfs-deploy.md)]
|
||||
|
||||
> [!NOTE]
|
||||
> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
|
||||
>
|
||||
> 1. Launch AD FS management console. Browse to ***Services > Scope Descriptions**
|
||||
> 1. Right-click **Scope Descriptions** and select **Add Scope Description**
|
||||
> 1. Under name type *ugs* and select **Apply > OK**
|
||||
> 1. Launch PowerShell as an administrator and execute the following commands:
|
||||
>
|
||||
> ```PowerShell
|
||||
> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
|
||||
> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs'
|
||||
> ```
|
||||
>
|
||||
> 1. Restart the AD FS service
|
||||
> 1. Restart the client. User should be prompted to provision Windows Hello for Business
|
||||
> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. For more information about the isse and its resolution, see [Certificate trust provisioning with AD FS broken on windows server 2019](../hello-deployment-issues.md#certificate-trust-provisioning-with-ad-fs-broken-on-windows-server-2019).
|
||||
|
||||
## Review to validate the AD FS and Active Directory configuration
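Review bot: typo in the replacement note: "isse" should be "issue", and "windows server 2019" should be "Windows Server 2019" in the link text. Replacing the inline `Set-AdfsApplicationPermission` remediation with a link to the troubleshooting article is a reasonable de-duplication, but the quoted event message ("Received invalid Oauth request. The client 'NAME' is forbidden...") is no longer set off in italics, so readers can't tell where the quoted log text starts and ends.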
|
||||
|
||||
@ -40,6 +27,21 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
|
||||
> - Confirm you added the AD FS service account to the KeyAdmins group
|
||||
> - Confirm you enabled the Device Registration service
|
||||
|
||||
[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)]
|
||||
|
||||
### Publish the certificate template to the CA
|
||||
|
||||
Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
|
||||
|
||||
1. Open the **Certification Authority** management console
|
||||
1. Expand the parent node from the navigation pane
|
||||
1. Select **Certificate Templates** in the navigation pane
|
||||
1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
|
||||
1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority
|
||||
1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
|
||||
- To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
|
||||
1. Close the console
|
||||
|
||||
## Configure the certificate registration authority
|
||||
|
||||
The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the certificate registration authority (CRA). The registration authority is responsible for issuing certificates to users and devices. The registration authority is also responsible for revoking certificates when users or devices are removed from the environment.
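Review bot: step 6 of the new "Publish the certificate template to the CA" procedure tells the reader to unpublish superseded templates "if you published the *Domain Controller Authentication (Kerberos)* certificate template", but this procedure only publishes the *WHFB Enrollment Agent* template; the step appears to be carried over from the PKI article and should be dropped here. Two UI-label nits in the same steps: the menu item is "Certificate Template to Issue" (so "to Issue" belongs inside the bold), and the dialog is named "Enable Certificate Templates", not "Enable Certificates Templates".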
|
||||
@ -55,7 +57,7 @@ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplat
|
||||
>[!NOTE]
|
||||
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
|
||||
|
||||
### Enrollment agent certificate enrollment
|
||||
### Enrollment agent certificate lifecycle management
|
||||
|
||||
AD FS performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
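Review bot: the unchanged note at the top of this hunk still offers the `Get-CATemplate` cmdlet as a way to read the template name, while this PR removes the identical sentence from the authentication-template include; keep both or remove both so the two notes agree. The heading rename to "Enrollment agent certificate lifecycle management" matches the paragraph that follows, which describes AD FS's own lifecycle management rather than a manual enrollment step.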
|
||||
|
||||
@ -87,6 +89,7 @@ For detailed information about the certificate, use `Certutil -q -v <certificate
|
||||
> [!div class="checklist"]
|
||||
> Before you continue with the deployment, validate your deployment progress by reviewing the following items:
|
||||
>
|
||||
> - Configure an enrollment agent certificate template
|
||||
> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template
|
||||
> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance
|
||||
> - Confirm you properly configured the Windows Hello for Business authentication certificate template
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 03/12/2024
|
||||
ms.date: 06/23/2024
|
||||
ms.topic: tutorial
|
||||
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
|
||||
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
|
||||
@ -73,7 +73,11 @@ After a successful key registration, Windows creates a certificate request using
|
||||
|
||||
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
|
||||
|
||||
The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Action Center.
|
||||
The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store.
|
||||
|
||||
The following video shows the Windows Hello for Business enrollment steps after signing in with a password, using a custom MFA adapter for AD FS.
|
||||
|
||||
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=771165c0-e37f-4f9d-9e21-4f383cc6590d alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
|
||||
|
||||
### Sequence diagram
|
||||
|
||||
|
@ -1,13 +1,12 @@
|
||||
---
|
||||
title: Windows Hello for Business on-premises certificate trust deployment guide
|
||||
description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario.
|
||||
ms.date: 03/12/2024
|
||||
ms.date: 06/23/2024
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
# On-premises certificate trust deployment guide
|
||||
|
||||
|
||||
[!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)]
|
||||
|
||||
[!INCLUDE [requirements](includes/requirements.md)]
|
||||
@ -48,8 +47,6 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin
|
||||
|
||||
[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)]
|
||||
|
||||
[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)]
|
||||
|
||||
[!INCLUDE [auth-certificate-template](includes/certificate-template-auth.md)]
|
||||
|
||||
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
|
||||
@ -64,7 +61,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
|
||||
1. Expand the parent node from the navigation pane
|
||||
1. Select **Certificate Templates** in the navigation pane
|
||||
1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
|
||||
1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
|
||||
1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
|
||||
1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
|
||||
- To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
|
||||
1. Close the console
|
||||
@ -85,7 +82,6 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
|
||||
> - Configure domain controller and web server certificate templates
|
||||
> - Supersede existing domain controller certificates
|
||||
> - Unpublish superseded certificate templates
|
||||
> - Configure an enrollment agent certificate template
|
||||
> - Publish the certificate templates to the CA
|
||||
> - Deploy certificates to the domain controllers
|
||||
> - Validate the domain controllers configuration
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 03/12/2024
|
||||
ms.date: 06/23/2024
|
||||
ms.topic: tutorial
|
||||
title: Configure Windows Hello for Business Policy settings in an on-premises key trust
|
||||
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario
|
||||
@ -52,6 +52,10 @@ This information is also available using the `dsregcmd.exe /status` command from
|
||||
|
||||
[!INCLUDE [user-experience](includes/user-experience.md)]
|
||||
|
||||
The following video shows the Windows Hello for Business enrollment steps after signing in with a password, using a custom MFA adapter for AD FS.
|
||||
|
||||
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=771165c0-e37f-4f9d-9e21-4f383cc6590d alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
|
||||
|
||||
### Sequence diagram
|
||||
|
||||
To better understand the provisioning flows, review the following sequence diagram:
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Windows Hello for Business on-premises key trust deployment guide
|
||||
description: Learn how to deploy Windows Hello for Business in an on-premises, key trust scenario.
|
||||
ms.date: 03/12/2024
|
||||
ms.date: 06/24/2024
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
@ -57,7 +57,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
|
||||
1. Expand the parent node from the navigation pane
|
||||
1. Select **Certificate Templates** in the navigation pane
|
||||
1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
|
||||
1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
|
||||
1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
|
||||
1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
|
||||
- To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
|
||||
1. Close the console
|
||||
|
@ -8,7 +8,7 @@ items:
|
||||
- name: Cloud Kerberos trust deployment
|
||||
href: hybrid-cloud-kerberos-trust.md
|
||||
- name: Key trust deployment
|
||||
items:
|
||||
items:
|
||||
- name: Requirements and validation
|
||||
href: hybrid-key-trust.md
|
||||
displayName: key trust
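Review bot: the removed and added `items:` lines are identical in this rendering, so this is an indentation fix; in the TOC schema `items:` must be nested one level under its `- name:` entry, and the context shows the child entry ("Requirements and validation") already at that depth, so the change looks correct. Verify the TOC builds, since a mis-indented `items:` silently drops the child pages from navigation.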
|
||||
@ -19,7 +19,7 @@ items:
|
||||
href: ../hello-hybrid-aadj-sso.md
|
||||
displayName: key trust
|
||||
- name: Certificate trust deployment
|
||||
items:
|
||||
items:
|
||||
- name: Requirements and validation
|
||||
href: hybrid-cert-trust.md
|
||||
displayName: certificate trust
|
||||
@ -41,7 +41,7 @@ items:
|
||||
- name: On-premises deployments
|
||||
items:
|
||||
- name: Key trust deployment
|
||||
items:
|
||||
items:
|
||||
- name: Requirements and validation
|
||||
href: on-premises-key-trust.md
|
||||
- name: Prepare and deploy Active Directory Federation Services (AD FS)
|
||||
@ -49,10 +49,10 @@ items:
|
||||
- name: Configure and enroll in Windows Hello for Business
|
||||
href: on-premises-key-trust-enroll.md
|
||||
- name: Certificate trust deployment
|
||||
items:
|
||||
items:
|
||||
- name: Requirements and validation
|
||||
href: on-premises-cert-trust.md
|
||||
- name: Prepare and Deploy Active Directory Federation Services (AD FS)
|
||||
- name: Prepare and deploy Active Directory Federation Services (AD FS)
|
||||
href: on-premises-cert-trust-adfs.md
|
||||
- name: Configure and enroll in Windows Hello for Business
|
||||
href: on-premises-cert-trust-enroll.md
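Review bot: the casing fix "Prepare and Deploy" to "Prepare and deploy" brings this entry in line with the key-trust entry above it (sentence case in TOC titles). The `items:` line change is indentation only (the two lines are otherwise identical), which matters because a misaligned `items:` under "Certificate trust deployment" would drop its three child pages from the navigation.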
|
||||
|
Binary file not shown.
After Width: | Height: | Size: 103 KiB |
@ -85,10 +85,11 @@ BitLocker has the following requirements:
|
||||
|
||||
## Device encryption
|
||||
|
||||
*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either [Modern Standby][WIN-3] or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access.
|
||||
*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either [Modern Standby][WIN-3] or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access. Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives.
|
||||
> Starting in Windows 11, version 24H2, the prerequisites of DMA and HSTI/Modern Standby are removed. As a result, more devices are eligible for automatic and manual device encryption.
|
||||
> For more information, see [BitLocker drive encryption in Windows 11 for OEMs](/windows-hardware/design/device-experiences/oem-bitlocker).
|
||||
|
||||
Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. When a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use. As part of this preparation, device encryption is initialized on the OS drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up.
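Review bot: the sentence moved out of the IMPORTANT box, "Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives", is a comma splice; use "and it doesn't encrypt" or a semicolon. In the same paragraph, "Device encryption can't have externally accessible ports that allow DMA access" attributes the constraint to the feature rather than the device ("the device can't have..."). Since the 24H2 note removes the DMA and HSTI/Modern Standby prerequisites, consider stating in the paragraph itself that those requirements apply only before version 24H2, so the two statements don't read as contradictory.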
|
||||
|
||||
|
@ -99,6 +99,14 @@ There are rules governing which hint is shown during the recovery (in the order
|
||||
:::image type="content" source="images/preboot-recovery-custom-url-single-backup.png" alt-text="Screenshot of the BitLocker recovery screen showing a custom URL and the hint where the BitLocker recovery key was saved." lightbox="images/preboot-recovery-custom-url-single-backup.png" border="false":::
|
||||
:::column-end:::
|
||||
:::row-end:::
|
||||
:::row:::
|
||||
:::column span="2":::
|
||||
Starting in Windows 11, version 24H2, the BitLocker preboot recovery screen includes the Microsoft account (MSA) hint, if the recovery password is saved to an MSA. This hint helps the user to understand which MSA account was used to store recovery key information.
|
||||
:::column-end:::
|
||||
:::column span="2":::
|
||||
:::image type="content" source="images/bitlocker-recovery-screen-msa-backup-24h2.png" alt-text="Screenshot of the BitLocker recovery screen showing a Microsoft account hint where the BitLocker recovery key was saved." lightbox="images/bitlocker-recovery-screen-msa-backup-24h2.png" border="false":::
|
||||
:::column-end:::
|
||||
:::row-end:::
|
||||
:::row:::
|
||||
:::column span="4":::
|
||||
#### Example: single recovery password in AD DS and single backup
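Review bot: "which MSA account was used" is redundant, since "MSA" already expands to Microsoft account; "which Microsoft account was used" reads better. The new row reuses the existing `:::row:::`/`:::column span="2":::` pattern and references `images/bitlocker-recovery-screen-msa-backup-24h2.png`, presumably the 103 KiB binary added in this PR, so the markup is consistent with the rows above it.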
|
||||
|