Refactor code to improve performance and readability

This commit is contained in:
Paolo Matarazzo 2023-12-28 11:43:20 -05:00
parent 8f1fe14bd0
commit 64d8fff966


@ -88,8 +88,22 @@ The goal of Windows Hello for Business cloud Kerberos trust is to provide a simp
> [!TIP] > [!TIP]
> Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the *key trust model*. It is also the preferred deployment model if you do not need to support certificate authentication scenarios. > Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the *key trust model*. It is also the preferred deployment model if you do not need to support certificate authentication scenarios.
>
> For more information about how Microsoft Entra Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][ENTRA-1]. Cloud Kerberos trust requires the deployment of Microsoft Entra Kerberos. For more information about how Microsoft Entra Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][ENTRA-1].
## Public Key Infrastructure (PKI)
While cloud Kerberos trust is the only hybrid deployment option that doesn't require the deployment of any certificates, the other hybrid and on-premises models depend on an enterprise PKI as a trust anchor for authentication:
- Domain controllers for hybrid and on-premises deployments need a certificate for Windows devices to trust the domain controller as legitimate
- Deployments using the certificate trust type require an enterprise PKI and a certificate registration authority (CRA) to issue authentication certificates to users. AD FS is used as a CRA
- Hybrid deployments might need to issue VPN certificates to users to enable connectivity on-premises resources
| Deployment model | PKI |
|-|-|
| **Cloud-only** | not required |
| **Hybrid** | :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: required <br> :black_square_button: **Certificate trust**: required|
| **On-premises** | required |
## Authentication ## Authentication
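Review bot: the relocated PKI section carries a dropped preposition in its third bullet, "enable connectivity on-premises resources", which should read "enable connectivity to on-premises resources"; since the section is already being rewritten here (bolded first-column cells), this is the place to fix it. The new sentence in the tip, "Cloud Kerberos trust requires the deployment of Microsoft Entra Kerberos.", overlaps with the sentence that follows it; consider merging the two, e.g. "Cloud Kerberos trust requires the deployment of Microsoft Entra Kerberos. For more information about how it enables access to on-premises resources, see [...]".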
@ -101,9 +115,9 @@ Here's a list of requirements for federated and non-federated deployments.
| Deployment model | Authentication options | | Deployment model | Authentication options |
|--|--| |--|--|
| Cloud-only | :black_square_button: **Non-federated**<br> :black_square_button: **Federated**: federated authentication requires a third-party federation service. | | **Cloud-only** | :black_square_button: **Non-federated**<br> :black_square_button: **Federated**: federated authentication requires a third-party federation service. |
| Hybrid | :black_square_button: **Non-federated**<br>&tab; :black_square_button: **Cloud Kerberos trust** requires Microsoft Entra Kerberos<br>&tab; :black_square_button: **Key trust** requires [Password hash synchronization (PHS)][ENTRA-6] or [Microsoft Entra pass-through authentication (PTA)][ENTRA-7]<br><br> :black_square_button: **Federated**: federated authentication requires AD FS or a third-party federation service<br>&tab; :black_square_button: **Certificate trust** doesn't support [PTA][ENTRA-7] or [(PHS)][ENTRA-6]. Active Directory must be federated with Microsoft Entra ID using AD FS. Additionally, you must configure your AD FS farm to support Microsoft Entra registered devices | | **Hybrid** | :black_square_button: **Non-federated**:<br>&emsp; :black_square_button: **Key trust** requires [Password hash synchronization (PHS)][ENTRA-6] or [Microsoft Entra pass-through authentication (PTA)][ENTRA-7]<br><br> :black_square_button: **Federated**: federated authentication requires AD FS or a third-party federation service<br>&emsp; :black_square_button: **Certificate trust** doesn't support [PTA][ENTRA-7] or [(PHS)][ENTRA-6]. Active Directory must be federated with Microsoft Entra ID using AD FS. Additionally, you must configure your AD FS farm to support Microsoft Entra registered devices |
| On-premises | AD FS | | **On-premises** | AD FS |
### Device registration ### Device registration
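Review bot: removing the "**Cloud Kerberos trust** requires Microsoft Entra Kerberos" sub-bullet leaves the Hybrid row's Non-federated list with key trust only, so this table no longer states that cloud Kerberos trust is a non-federated option at all; the requirement itself now lives in the tip above, but a reader using the authentication table on its own loses that mapping. Suggest keeping a one-line sub-bullet such as "**Cloud Kerberos trust**: requires Microsoft Entra Kerberos (see the tip above)". Replacing `&tab;` with `&emsp;` is the right call: `&emsp;` is a defined HTML named character reference, while lowercase `&tab;` is not (only `&Tab;` is) and would render literally.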
@ -111,9 +125,9 @@ All devices included in the Windows Hello for Business deployment must go throug
| Deployment model | Device registration IdP | | Deployment model | Device registration IdP |
|-|-| |-|-|
| Cloud-only |Microsoft Entra ID | | **Cloud-only** |Microsoft Entra ID |
|Hybrid|Microsoft Entra ID| | **Hybrid** |Microsoft Entra ID|
|On-premises | AD FS | | **On-premises** | AD FS |
For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][ENTRA-5] page. For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][ENTRA-5] page.
@ -123,9 +137,9 @@ The built-in Windows Hello for Business provisioning experience creates a device
| Deployment model | Key registration IdP | | Deployment model | Key registration IdP |
|-|-| |-|-|
|Cloud-only | Microsoft Entra ID | | **Cloud-only** | Microsoft Entra ID |
|Hybrid| Microsoft Entra ID | | **Hybrid** | Microsoft Entra ID |
|On-premises | AD FS | | **On-premises** | AD FS |
### Directory synchronization ### Directory synchronization
@ -138,9 +152,9 @@ Hybrid and on-premises deployments use directory synchronization, however, each
| Deployment model | Directory sync options | | Deployment model | Directory sync options |
|-|-| |-|-|
|Cloud-only | n/a | | **Cloud-only** | n/a |
|Hybrid| Microsoft Entra Connect Sync| | **Hybrid** | Microsoft Entra Connect Sync|
|On-premises | Azure MFA server | | **On-premises** | Azure MFA server |
### Multifactor authentication ### Multifactor authentication
@ -154,9 +168,9 @@ The goal of Windows Hello for Business is to move organizations away from passwo
| Deployment model | MFA options | | Deployment model | MFA options |
|-|-| |-|-|
| Cloud-only | :black_square_button: Microsoft Entra MFA <br> :black_square_button: Third-party MFA via Microsoft Entra ID custom controls or federation| | **Cloud-only** | :black_square_button: Microsoft Entra MFA <br> :black_square_button: Third-party MFA via Microsoft Entra ID custom controls or federation|
|Hybrid| :black_square_button: Microsoft Entra MFA <br> :black_square_button: Third-party MFA via Microsoft Entra ID custom controls or federation <br><br> For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][ENTRA-4].| | **Hybrid** | :black_square_button: Microsoft Entra MFA <br> :black_square_button: Third-party MFA via Microsoft Entra ID custom controls or federation <br><br> For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][ENTRA-4].|
|On-premises | AD FS MFA adapter <br><br> For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1]. | | **On-premises** | AD FS MFA adapter <br><br> For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1]. |
#### MFA and federated authentication #### MFA and federated authentication
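Review bot: both the Hybrid and On-premises cells still read "For more information how to configure", which is missing "about"; since these rows are being touched for the bold first column, change them to "For more information about how to configure" at the same time.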
@ -185,23 +199,9 @@ Windows Hello for Business provides organizations with a rich set of granular po
| Deployment model | Device configuration options | | Deployment model | Device configuration options |
|-|-| |-|-|
| Cloud-only | CSP (MDM) <br> GPO (local) | | **Cloud-only** | CSP (MDM) <br> GPO (local) |
|Hybrid| CSP (MDM) <br> GPO (Active Directory or local) | | **Hybrid** | CSP (MDM) <br> GPO (Active Directory or local) |
|On-premises | GPO (Active Directory or local)| | **On-premises** | GPO (Active Directory or local)|
## Public Key Infrastructure (PKI)
While cloud Kerberos trust is the only hybrid deployment option that doesn't require the deployment of any certificates, the other hybrid and on-premises models depend on an enterprise PKI as a trust anchor for authentication:
- Domain controllers for hybrid and on-premises deployments need a certificate for Windows devices to trust the domain controller as legitimate
- Deployments using the certificate trust type require an enterprise PKI and a certificate registration authority (CRA) to issue authentication certificates to users. AD FS is used as a CRA
- Hybrid deployments might need to issue VPN certificates to users to enable connectivity on-premises resources
| Deployment model | PKI |
|-|-|
| Cloud-only | not required |
|Hybrid| :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: required <br> :black_square_button: **Certificate trust**: required|
|On-premises | required |
## Licensing for cloud services ## Licensing for cloud services
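Review bot: this deletion is the source half of the PKI move; compared with the copy added in the first hunk, the only differences are the bolded first-column cells, so no content is lost. With PKI now placed before Authentication, the bullet "AD FS is used as a CRA" is the first mention of AD FS in the visible text; if the article doesn't expand the acronym earlier, spell out "Active Directory Federation Services (AD FS)" on first use in the moved section.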
@ -215,9 +215,9 @@ Here are some considerations regarding licensing requirements for cloud services
| Deployment model | Cloud services licenses (minimum) | | Deployment model | Cloud services licenses (minimum) |
|--|--| |--|--|
| Cloud-only | not required | | **Cloud-only** | not required |
| Hybrid | :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: not required <br> :black_square_button: **Certificate trust**: Microsoft Entra ID P1 | | **Hybrid** | :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: not required <br> :black_square_button: **Certificate trust**: Microsoft Entra ID P1 |
| On-premises | Azure MFA, if used as MFA solution | | **On-premises** | Azure MFA, if used as MFA solution |
## Windows requirements ## Windows requirements
@ -225,9 +225,9 @@ All supported Windows 10 and Windows 11 versions can be used with Windows Hello
| Deployment model | Windows version | | Deployment model | Windows version |
|--|--| |--|--|
| Cloud-only | All supported versions | | **Cloud-only** | All supported versions |
| Hybrid | :black_square_button: **Cloud Kerberos trust**: Windows 10 21H2, with [KB5010415][KB-1] and later; Windows 11 21H2, with [KB5010414][KB-2] and later <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: **Certificate trust**: All supported versions | | **Hybrid** | :black_square_button: **Cloud Kerberos trust**: Windows 10 21H2, with [KB5010415][KB-1] and later; Windows 11 21H2, with [KB5010414][KB-2] and later <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: **Certificate trust**: All supported versions |
| On-premises | All supported versions | | **On-premises** | All supported versions |
## Windows Server requirements ## Windows Server requirements
@ -235,9 +235,9 @@ All supported Windows Server versions can be used with Windows Hello for Busines
| Deployment model | Domain Controller OS version | | Deployment model | Domain Controller OS version |
|-|-|-| |-|-|-|
| Cloud-only | n/a | | **Cloud-only** | n/a |
|Hybrid| :black_square_button: **Cloud Kerberos trust**: Windows Server 2016, [KB3534307][KB-3]; Windows Server 2019, [KB4534321][KB-4], Windows Server 2022 <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: **Certificate trust**: All supported versions| | **Hybrid** | :black_square_button: **Cloud Kerberos trust**: Windows Server 2016, [KB3534307][KB-3]; Windows Server 2019, [KB4534321][KB-4], Windows Server 2022 <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: **Certificate trust**: All supported versions|
|On-premises | All supported versions | | **On-premises** | All supported versions |
## Prepare users to use Windows Hello ## Prepare users to use Windows Hello
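Review bot: the separator row `|-|-|-|` declares three columns while the header row has two; it should be `|-|-|` like the other tables in this change. Also, the Hybrid cell separates the Windows Server 2016 and 2019 entries with a semicolon but the 2019 and 2022 entries with a comma ("[KB4534321][KB-4], Windows Server 2022"); use semicolons throughout to match the Windows version table above.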
@ -258,16 +258,6 @@ Although the organization might require users to change their Active Directory o
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=44c16430-756f-490a-9fc1-80e2724fef8d] > [!VIDEO https://learn-video.azurefd.net/vod/player?id=44c16430-756f-490a-9fc1-80e2724fef8d]
## Requirements table
## Full table
| Deployment model | Trust type | Authentication options | Device/Key registration IdP | Directory sync options | MFA | Device configuration | PKI | Licensing | Windows | DC OS version |
|--|--|--|--|--|--|--|--|--|--|--|
| :black_square_button: Cloud-only | n/a | :black_square_button: **Non-federated**<br> :black_square_button: **Federated** | Microsoft Entra ID | n/a | :black_square_button: Microsoft Entra MFA <br> :black_square_button: Third-party MFA via Microsoft Entra ID custom controls or federation | CSP (MDM) <br> GPO (local) | not required | not required | All supported versions | n/a |
| :black_square_button: Hybrid | :black_square_button: **Cloud Kerberos trust** <br> :black_square_button: **Key trust** <br> :black_square_button: **Certificate trust** | :black_square_button: **Non-federated**<br>&tab; :black_square_button: **Cloud Kerberos trust** requires Microsoft Entra Kerberos<br>&tab; :black_square_button: **Key trust** requires [Password hash synchronization (PHS)][ENTRA-6] or [Microsoft Entra pass-through authentication (PTA)][ENTRA-7]<br><br> :black_square_button: **Federated**: federated authentication requires AD FS or a third-party federation service<br>&tab; :black_square_button: **Certificate trust** doesn't support [PTA][ENTRA-7] or [(PHS)][ENTRA-6]. Active Directory must be federated with Microsoft Entra ID using AD FS. Additionally, you must configure your AD FS farm to support Microsoft Entra registered devices | Microsoft Entra ID | Microsoft Entra Connect Sync | :black_square_button: Microsoft Entra MFA <br> :black_square_button: Third-party MFA via Microsoft Entra ID custom controls or federation | CSP (MDM) <br> GPO (Active Directory or local) | :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: required <br> :black_square_button: **Certificate trust**: required | :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: not required <br> :black_square_button: **Certificate trust**: Microsoft Entra ID P1 | :black_square_button: **Cloud Kerberos trust**: Windows 10 21H2, with [KB5010415][KB-1] and later; Windows 11 21H2, with [KB5010414][KB-2] and later <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: **Certificate trust**: All supported versions | :black_square_button: **Cloud Kerberos trust**: Windows Server 2016, [KB3534307][KB-3]; Windows Server 2019, [KB4534321][KB-4], Windows Server 2022 <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: 
**Certificate trust**: All supported versions |
| :black_square_button: On-premises | :black_square_button: **Key trust** <br> :black_square_button: **Certificate trust** | n/a | AD FS | Azure MFA server | AD FS MFA adapter | GPO (Active Directory or local) | required | Azure MFA, if used as MFA solution | All supported versions | All supported versions |
## Next steps ## Next steps
Now that you've read about the different deployment options and requirements, you can choose the implementation that best suits your organization. Now that you've read about the different deployment options and requirements, you can choose the implementation that best suits your organization.
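Review bot: deleting the "## Requirements table" / "## Full table" section removes the only place that listed the trust types available per deployment model in one view (the "Trust type" column), and the commit message "Refactor code to improve performance and readability" doesn't describe a documentation content removal. If dropping the table is intentional, say so in the commit message and consider keeping a short per-model trust type table elsewhere in the article. On the plus side, the deleted table was the last user of the undefined `&tab;` entity, so no stale markup remains after this change.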