mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
Merge pull request #9227 from MicrosoftDocs/main
Publish main to live 12/15/2023, 3:30 PM
This commit is contained in:
Gary Moore
GitHub
commit
677cc64d97
@ -194,6 +194,11 @@
|
||||
"source_path": "education/windows/chromebook-migration-guide.md",
|
||||
"redirect_url": "/education/windows",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "education/windows/autopilot-reset.md",
|
||||
"redirect_url": "/autopilot/windows-autopilot-reset",
|
||||
"redirect_document_id": false
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@ -8064,6 +8064,56 @@
|
||||
"source_path": "windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md",
|
||||
"redirect_url": "/windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md",
|
||||
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md",
|
||||
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md",
|
||||
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md",
|
||||
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md",
|
||||
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md",
|
||||
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md",
|
||||
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md",
|
||||
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md",
|
||||
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md",
|
||||
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki",
|
||||
"redirect_document_id": false
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -1,101 +0,0 @@
|
||||
---
|
||||
title: Reset devices with Autopilot Reset
|
||||
description: Learn about Autopilot Reset and how to enable and use it.
|
||||
ms.date: 08/10/2022
|
||||
ms.topic: how-to
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
# Reset devices with Autopilot Reset
|
||||
|
||||
IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Microsoft Entra ID and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
|
||||
|
||||
To enable Autopilot Reset, you must:
|
||||
|
||||
1. [Enable the policy for the feature](#enable-autopilot-reset)
|
||||
2. [Trigger a reset for each device](#trigger-autopilot-reset)
|
||||
|
||||
## Enable Autopilot Reset
|
||||
|
||||
To use Autopilot Reset, Windows Recovery Environment (WinRE) must be enabled on the device.
|
||||
|
||||
**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It's a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This setting ensures that Autopilot Reset isn't triggered by accident.
|
||||
|
||||
You can set the policy using one of these methods:
|
||||
|
||||
- MDM provider
|
||||
|
||||
Check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
|
||||
|
||||
For example, in Intune, create a new configuration policy and add an OMA-URI.
|
||||
- OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials
|
||||
- Data type: Integer
|
||||
- Value: 0
|
||||
|
||||
- Windows Configuration Designer
|
||||
|
||||
You can [use Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package.
|
||||
|
||||
- Set up School PCs app
|
||||
|
||||
Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you're running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways:
|
||||
|
||||
- Reach out to your device manufacturer.
|
||||
|
||||
- If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you're using another MDM provider, check the documentation for the MDM provider to confirm the OS version.
|
||||
|
||||
- Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709.
|
||||
|
||||
To use the Autopilot Reset setting in the Set up School PCs app:
|
||||
|
||||
- When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example:
|
||||
|
||||
|
||||
|
||||
## Trigger Autopilot Reset
|
||||
|
||||
Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use.
|
||||
|
||||
To trigger Autopilot Reset:
|
||||
|
||||
1. From the Windows device lock screen, enter the keystroke: <kbd>CTRL</kbd> + <kbd>WIN</kbd> + <kbd>R</kbd>.
|
||||
|
||||
|
||||
|
||||
This keystroke opens up a custom sign-in screen for Autopilot Reset. The screen serves two purposes:
|
||||
|
||||
1. Confirm/verify that the end user has the right to trigger Autopilot Reset
|
||||
1. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process.
|
||||
|
||||
|
||||
|
||||
1. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection.
|
||||
|
||||
Once Autopilot Reset is triggered, the reset process starts.
|
||||
|
||||
After reset, the device:
|
||||
|
||||
- Sets the region, language, and keyboard
|
||||
- Connects to Wi-Fi
|
||||
- If you provided a provisioning package when Autopilot Reset is triggered, the system applies this new provisioning package. Otherwise, the system reapplies the original provisioning package on the device
|
||||
- Is returned to a known good managed state, connected to Microsoft Entra ID and MDM.
|
||||
|
||||
|
||||
|
||||
Once provisioning is complete, the device is again ready for use.
|
||||
|
||||
## Troubleshoot Autopilot Reset
|
||||
|
||||
Autopilot Reset fails when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. The error code is: `ERROR_NOT_SUPPORTED (0x80070032)`.
|
||||
|
||||
To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command:
|
||||
|
||||
```cmd
|
||||
reagentc.exe /enable
|
||||
```
|
||||
|
||||
If Autopilot Reset fails after enabling WinRE, or if you're unable to enable WinRE, kindly contact [Microsoft Support](https://support.microsoft.com) for assistance.
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 19 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 528 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 26 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 29 KiB |
@ -56,8 +56,6 @@ items:
|
||||
href: use-set-up-school-pcs-app.md
|
||||
- name: Upgrade Windows Home to Windows Education on student-owned devices
|
||||
href: change-home-to-edu.md
|
||||
- name: Reset devices with Autopilot Reset
|
||||
href: autopilot-reset.md
|
||||
- name: Reference
|
||||
items:
|
||||
- name: Set up School PCs
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Configure Active Directory Federation Services in a hybrid certificate trust model
|
||||
description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business hybrid certificate trust model.
|
||||
ms.date: 01/03/2023
|
||||
ms.date: 12/15/2023
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
@ -10,9 +10,10 @@ appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
# Configure Active Directory Federation Services - hybrid certificate trust
|
||||
|
||||
[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cert-trust.md)]
|
||||
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
|
||||
|
||||
The Windows Hello for Business certificate-based deployments use AD FS as the certificate registration authority (CRA).
|
||||
The CRA is responsible for issuing and revoking certificates to users. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.\
|
||||
@ -80,4 +81,4 @@ Before moving to the next section, ensure the following steps are complete:
|
||||
> - Update group memberships for the AD FS service account
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> [Next: configure policy settings >](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision)
|
||||
> [Next: configure policy settings >](hybrid-cert-trust-enroll.md)
|
||||
@ -1,19 +1,25 @@
|
||||
---
|
||||
title: Windows Hello for Business hybrid certificate trust clients configuration and enrollment
|
||||
title: Configure and provision Windows Hello for Business in a hybrid certificate trust model
|
||||
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
|
||||
ms.date: 01/03/2023
|
||||
ms.date: 12/15/2023
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
# Configure and provision Windows Hello for Business - hybrid certificate trust
|
||||
|
||||
[!INCLUDE [hello-hybrid-certificate-trust](./includes/hello-hybrid-cert-trust.md)]
|
||||
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
|
||||
|
||||
## Policy Configuration
|
||||
|
||||
After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
|
||||
|
||||
#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
|
||||
# [:::image type="icon" source="../../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The information in this section applies to Microsoft Entra hybrid joined devices only.
|
||||
@ -41,7 +47,7 @@ Windows Hello for Business provisioning performs the initial enrollment of the W
|
||||
|
||||
The process requires no user interaction, provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
|
||||
|
||||
### Enable and configure Windows Hello for Business
|
||||
### Enable and configure Windows Hello for Business with group policy
|
||||
|
||||
Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
|
||||
|
||||
@ -64,8 +70,8 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv
|
||||
|
||||
> [!NOTE]
|
||||
> Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*.
|
||||
>
|
||||
> For more information about these policies, see [Group Policy settings for Windows Hello for Business](hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business).
|
||||
>
|
||||
> For more information about these policies, see [Group Policy settings for Windows Hello for Business](../hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business).
|
||||
|
||||
### Configure security for GPO
|
||||
|
||||
@ -90,14 +96,15 @@ The application of Group Policy object uses security group filtering. This solut
|
||||
|
||||
Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business.
|
||||
|
||||
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
|
||||
# [:::image type="icon" source="../../../images/icons/intune.svg"::: **Intune**](#tab/intune)
|
||||
|
||||
## Configure Windows Hello for Business using Microsoft Intune
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The information in this section applies to Microsoft Entra joined devices managed by Intune. Before proceeding, ensure that you completed the steps described in:
|
||||
> - [Configure single sign-on for Microsoft Entra joined devices](hello-hybrid-aadj-sso.md)
|
||||
> - [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md)
|
||||
>
|
||||
> - [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md)
|
||||
> - [Using Certificates for AADJ On-premises Single-sign On](../hello-hybrid-aadj-sso-cert.md)
|
||||
|
||||
For Microsoft Entra joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
|
||||
|
||||
@ -122,7 +129,7 @@ To check the Windows Hello for Business policy applied at enrollment time:
|
||||
1. Select **Windows Hello for Business**
|
||||
1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
|
||||
|
||||
:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
|
||||
:::image type="content" source="../images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="../images/whfb-intune-disable.png":::
|
||||
|
||||
If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
|
||||
|
||||
@ -138,14 +145,14 @@ To configure Windows Hello for Business using an *account protection* policy:
|
||||
1. Specify a **Name** and, optionally, a **Description** > **Next**
|
||||
1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available
|
||||
- These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes**
|
||||
- For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
|
||||
- For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
|
||||
1. Under *Enable to certificate for on-premises resources*, select **YES**
|
||||
1. Select **Next**
|
||||
1. Optionally, add *scope tags* > **Next**
|
||||
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
|
||||
1. Review the policy configuration and select **Create**
|
||||
|
||||
:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png":::
|
||||
:::image type="content" source="../images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="../images/whfb-intune-account-protection-cert-enable.png":::
|
||||
|
||||
---
|
||||
|
||||
@ -165,12 +172,12 @@ This is the process that occurs after a user signs in, to enroll in Windows Hell
|
||||
1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
|
||||
1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory
|
||||
|
||||
:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
|
||||
:::image type="content" source="../images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
|
||||
>
|
||||
> The minimum time needed to synchronize the user's public key from Microsoft Entra ID to the on-premises Active Directory is 30 minutes. The Microsoft Entra Connect scheduler controls the synchronization interval.
|
||||
>
|
||||
> The minimum time needed to synchronize the user's public key from Microsoft Entra ID to the on-premises Active Directory is 30 minutes. The Microsoft Entra Connect scheduler controls the synchronization interval.
|
||||
> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
|
||||
> Read [Microsoft Entra Connect Sync: Scheduler](/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
|
||||
>
|
||||
@ -188,7 +195,6 @@ The certificate authority validates the certificate was signed by the registrati
|
||||
|
||||
<!--links-->
|
||||
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
|
||||
[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
|
||||
|
||||
[MEM-1]: /mem/intune/configuration/settings-catalog
|
||||
[MEM-2]: /mem/intune/protect/security-baselines
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Configure and validate the Public Key Infrastructure in an hybrid certificate trust model
|
||||
title: Configure and validate the PKI in an hybrid certificate trust model
|
||||
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
|
||||
ms.date: 01/03/2023
|
||||
ms.date: 12/15/2023
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
@ -10,35 +10,36 @@ appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
|
||||
ms.topic: tutorial
|
||||
---
|
||||
# Configure and validate the Public Key Infrastructure - hybrid certificate trust
|
||||
# Configure and validate the PKI in an hybrid certificate trust model
|
||||
|
||||
[!INCLUDE [hello-hybrid-cert-trust](./includes/hello-hybrid-cert-trust.md)]
|
||||
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
|
||||
|
||||
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
|
||||
|
||||
Hybrid certificate trust deployments issue users a sign-in certificate, enabling them to authenticate to Active Directory using Windows Hello for Business credentials. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
|
||||
|
||||
[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
|
||||
[!INCLUDE [lab-based-pki-deploy](../includes/lab-based-pki-deploy.md)]
|
||||
|
||||
## Configure the enterprise PKI
|
||||
|
||||
[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
|
||||
[!INCLUDE [dc-certificate-template](../includes/dc-certificate-template.md)]
|
||||
|
||||
> [!NOTE]
|
||||
> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
|
||||
>
|
||||
> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
|
||||
> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
|
||||
|
||||
[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
|
||||
[!INCLUDE [dc-certificate-template-supersede](../includes/dc-certificate-supersede.md)]
|
||||
|
||||
[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
|
||||
[!INCLUDE [enrollment-agent-certificate-template](../includes/enrollment-agent-certificate-template.md)]
|
||||
|
||||
[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
|
||||
[!INCLUDE [auth-certificate-template](../includes/auth-certificate-template.md)]
|
||||
|
||||
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
|
||||
[!INCLUDE [unpublish-superseded-templates](../includes/unpublish-superseded-templates.md)]
|
||||
|
||||
### Publish the certificate templates to the CA
|
||||
|
||||
@ -54,21 +55,21 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
|
||||
1. Close the console
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
|
||||
> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](../hello-hybrid-aadj-sso.md).
|
||||
|
||||
## Configure and deploy certificates to domain controllers
|
||||
|
||||
[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
|
||||
[!INCLUDE [dc-certificate-deployment](../includes/dc-certificate-deployment.md)]
|
||||
|
||||
## Validate the configuration
|
||||
|
||||
[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
|
||||
[!INCLUDE [dc-certificate-validate](../includes/dc-certificate-validate.md)]
|
||||
|
||||
## Section review and next steps
|
||||
|
||||
Before moving to the next section, ensure the following steps are complete:
|
||||
|
||||
> [!div class="checklist"]
|
||||
> Before moving to the next section, ensure the following steps are complete:
|
||||
>
|
||||
> - Configure domain controller certificates
|
||||
> - Supersede existing domain controller certificates
|
||||
> - Unpublish superseded certificate templates
|
||||
@ -79,7 +80,6 @@ Before moving to the next section, ensure the following steps are complete:
|
||||
> - Validate the domain controllers configuration
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> [Next: configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md)
|
||||
> [Next: configure AD FS >](hybrid-cert-trust-adfs.md)
|
||||
|
||||
<!--links-->
|
||||
[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
|
||||
@ -1,39 +1,40 @@
|
||||
---
|
||||
title: Windows Hello for Business hybrid certificate trust deployment
|
||||
description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
|
||||
ms.date: 03/16/2023
|
||||
ms.date: 12/15/2023
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
|
||||
ms.topic: how-to
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
# Hybrid certificate trust deployment
|
||||
|
||||
[!INCLUDE [hello-hybrid-cert-trust](./includes/hello-hybrid-cert-trust.md)]
|
||||
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
|
||||
|
||||
Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
|
||||
|
||||
This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md).
|
||||
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hello-hybrid-cloud-kerberos-trust.md).
|
||||
|
||||
It's recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
|
||||
It's recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
|
||||
|
||||
## Prerequisites
|
||||
The following prerequisites must be met for a hybrid certificate trust deployment:
|
||||
|
||||
> [!div class="checklist"]
|
||||
> * Directories and directory synchronization
|
||||
> * Federated authentication to Microsoft Entra ID
|
||||
> * Device registration
|
||||
> * Public Key Infrastructure
|
||||
> * Multifactor authentication
|
||||
> * Device management
|
||||
> The following prerequisites must be met for a hybrid certificate trust deployment:
|
||||
>
|
||||
> - Directories and directory synchronization
|
||||
> - Federated authentication to Microsoft Entra ID
|
||||
> - Device registration
|
||||
> - Public Key Infrastructure
|
||||
> - Multifactor authentication
|
||||
> - Device management
|
||||
|
||||
### Directories and directory synchronization
|
||||
|
||||
@ -51,8 +52,6 @@ The hybrid-certificate trust deployment needs an *Microsoft Entra ID P1 or P2* s
|
||||
> [!IMPORTANT]
|
||||
> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.
|
||||
|
||||
<a name='federated-authentication-to-azure-ad'></a>
|
||||
|
||||
### Federated authentication to Microsoft Entra ID
|
||||
|
||||
Windows Hello for Business hybrid certificate trust doesn't support Microsoft Entra ID *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\
|
||||
@ -91,8 +90,6 @@ The enterprise PKI and a certificate registration authority (CRA) are required t
|
||||
|
||||
During Windows Hello for Business provisioning, users receive a sign-in certificate through the CRA.
|
||||
|
||||
<a name='multi-factor-authentication'></a>
|
||||
|
||||
### Multifactor authentication
|
||||
|
||||
The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
|
||||
@ -110,28 +107,23 @@ To configure Windows Hello for Business, devices can be configured through a mob
|
||||
|
||||
## Next steps
|
||||
|
||||
Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps:
|
||||
|
||||
> [!div class="checklist"]
|
||||
> * Configure and validate the PKI
|
||||
> * Configure AD FS
|
||||
> * Configure Windows Hello for Business settings
|
||||
> * Provision Windows Hello for Business on Windows clients
|
||||
> * Configure single sign-on (SSO) for Microsoft Entra joined devices
|
||||
> Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps:
|
||||
>
|
||||
> - Configure and validate the PKI
|
||||
> - Configure AD FS
|
||||
> - Configure Windows Hello for Business settings
|
||||
> - Provision Windows Hello for Business on Windows clients
|
||||
> - Configure single sign-on (SSO) for Microsoft Entra joined devices
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> [Next: configure and validate the Public Key Infrastructure >](hello-hybrid-cert-trust-validate-pki.md)
|
||||
> [Next: configure and validate the Public Key Infrastructure >](hybrid-cert-trust-pki.md)
|
||||
|
||||
<!--links-->
|
||||
[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
|
||||
[AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication
|
||||
[AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next
|
||||
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
|
||||
[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
|
||||
[AZ-6]: /azure/active-directory/hybrid/whatis-phs
|
||||
[AZ-7]: /azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication
|
||||
[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
|
||||
[AZ-9]: /azure/active-directory/devices/hybrid-azuread-join-federated-domains
|
||||
[AZ-10]: /azure/active-directory/devices/howto-hybrid-azure-ad-join#federated-domains
|
||||
[AZ-11]: /azure/active-directory/devices/hybrid-azuread-join-manual
|
||||
|
||||
@ -0,0 +1,10 @@
|
||||
---
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[!INCLUDE [hello-intro](../../includes/hello-intro.md)]
|
||||
- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](../../includes/hello-deployment-hybrid.md)]
|
||||
- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
|
||||
- **Join type:** [!INCLUDE [hello-join-aadj](../../includes/hello-join-aad.md)]
|
||||
---
|
||||
@ -0,0 +1,10 @@
|
||||
---
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[!INCLUDE [hello-intro](../../includes/hello-intro.md)]
|
||||
- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](../../includes/hello-deployment-hybrid.md)]
|
||||
- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
|
||||
- **Join type:** [!INCLUDE [hello-join-aadj](../../includes/hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](../../includes/hello-join-hybrid.md)]
|
||||
---
|
||||
@ -0,0 +1,10 @@
|
||||
---
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[!INCLUDE [hello-intro](../../includes/hello-intro.md)]
|
||||
- **Deployment type:** [!INCLUDE [hello-deployment-onpremises](../../includes/hello-deployment-onpremises.md)]
|
||||
- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
|
||||
- **Join type:** [!INCLUDE [hello-join-domain](../../includes/hello-join-domain.md)]
|
||||
---
|
||||
@ -0,0 +1,6 @@
|
||||
---
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[certificate trust :::image type="icon" source="../../../../images/icons/information.svg" border="false":::](../../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust model
|
||||
description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business on-premises certificate trust model.
|
||||
ms.date: 09/07/2023
|
||||
ms.date: 12/15/2023
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
@ -10,9 +10,10 @@ appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
# Prepare and deploy Active Directory Federation Services - on-premises certificate trust
|
||||
|
||||
[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
|
||||
[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
|
||||
|
||||
Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises certificate trust deployment model uses AD FS for *certificate enrollment* and *device registration*.
|
||||
|
||||
@ -29,6 +30,7 @@ Prepare the AD FS deployment by installing and **updating** two Windows Servers.
|
||||
Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
|
||||
|
||||
The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm:
|
||||
|
||||
- **Subject Name**: the internal FQDN of the federation server
|
||||
- **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*)
|
||||
|
||||
@ -50,7 +52,7 @@ Sign-in the federation server with *domain administrator* equivalent credentials
|
||||
1. Select **Next** on the **Select Certificate Enrollment Policy** page
|
||||
1. On the **Request Certificates** page, select the **Internal Web Server** check box
|
||||
1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link
|
||||
:::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
|
||||
:::image type="content" source="../images/hello-internal-web-server-cert.png" lightbox="../images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
|
||||
1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add**
|
||||
1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished
|
||||
1. Select **Enroll**
|
||||
@ -159,11 +161,11 @@ Sign-in to the federation server with *Enterprise Administrator* equivalent cred
|
||||
1. In the details pane, select **Configure device registration**
|
||||
1. In the **Configure Device Registration** dialog, Select **OK**
|
||||
|
||||
:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point.":::
|
||||
:::image type="content" source="../images/adfs-device-registration.png" lightbox="../images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point.":::
|
||||
|
||||
Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover.
|
||||
|
||||
:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS.":::
|
||||
:::image type="content" source="../images/adfs-scp.png" lightbox="../images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS.":::
|
||||
|
||||
## Review to validate the AD FS and Active Directory configuration
|
||||
|
||||
@ -318,4 +320,4 @@ Each file in this folder represents a certificate in the service account's Perso
|
||||
For detailed information about the certificate, use `Certutil -q -v <certificateThumbprintFileName>`.
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> [Next: validate and deploy multi-factor authentication (MFA)](hello-cert-trust-validate-deploy-mfa.md)
|
||||
> [Next: validate and deploy multi-factor authentication (MFA) >](on-premises-cert-trust-mfa.md)
|
||||
@ -1,14 +1,22 @@
|
||||
---
|
||||
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
|
||||
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
|
||||
ms.date: 09/07/2023
|
||||
ms.date: 12/15/2023
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
# Configure Windows Hello for Business group policy settings - on-premises certificate Trust
|
||||
|
||||
[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
|
||||
[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
|
||||
|
||||
On-premises certificate-based deployments of Windows Hello for Business need three Group Policy settings:
|
||||
|
||||
- Enable Windows Hello for Business
|
||||
- Use certificate for on-premises authentication
|
||||
- Enable automatic enrollment of certificates
|
||||
@ -72,7 +80,7 @@ The application of the Windows Hello for Business Group Policy object uses secur
|
||||
|
||||
## Other Related Group Policy settings
|
||||
|
||||
There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings.
|
||||
There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings.
|
||||
|
||||
### Use a hardware security device
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
|
||||
description: Validate and deploy multifactor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model.
|
||||
ms.date: 09/07/2023
|
||||
ms.date: 12/15/2023
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
@ -13,7 +13,7 @@ ms.topic: tutorial
|
||||
|
||||
# Validate and deploy multifactor authentication - on-premises certificate trust
|
||||
|
||||
[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
|
||||
[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
|
||||
|
||||
Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
|
||||
|
||||
@ -28,4 +28,4 @@ For information about third-party authentication methods, see [Configure Additio
|
||||
Follow the integration and deployment guide for the authentication provider you plan to integrate to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> [Next: configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
|
||||
> [Next: configure Windows Hello for Business Policy settings >](on-premises-cert-trust-enroll.md)
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Configure and validate the Public Key Infrastructure in an on-premises certificate trust model
|
||||
description: Configure and validate the Public Key Infrastructure the Public Key Infrastructure when deploying Windows Hello for Business in a certificate trust model.
|
||||
ms.date: 09/07/2023
|
||||
ms.date: 12/15/2023
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
@ -10,27 +10,28 @@ appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
# Configure and validate the Public Key Infrastructure - on-premises certificate trust
|
||||
|
||||
[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
|
||||
[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
|
||||
|
||||
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
|
||||
|
||||
[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
|
||||
[!INCLUDE [lab-based-pki-deploy](../includes/lab-based-pki-deploy.md)]
|
||||
|
||||
## Configure the enterprise PKI
|
||||
|
||||
[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
|
||||
[!INCLUDE [dc-certificate-template](../includes/dc-certificate-template.md)]
|
||||
|
||||
[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
|
||||
[!INCLUDE [dc-certificate-template-supersede](../includes/dc-certificate-supersede.md)]
|
||||
|
||||
[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)]
|
||||
[!INCLUDE [web-server-certificate-template](../includes/web-server-certificate-template.md)]
|
||||
|
||||
[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
|
||||
[!INCLUDE [enrollment-agent-certificate-template](../includes/enrollment-agent-certificate-template.md)]
|
||||
|
||||
[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
|
||||
[!INCLUDE [auth-certificate-template](../includes/auth-certificate-template.md)]
|
||||
|
||||
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
|
||||
[!INCLUDE [unpublish-superseded-templates](../includes/unpublish-superseded-templates.md)]
|
||||
|
||||
### Publish certificate templates to the CA
|
||||
|
||||
@ -49,11 +50,11 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
|
||||
|
||||
## Configure and deploy certificates to domain controllers
|
||||
|
||||
[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
|
||||
[!INCLUDE [dc-certificate-deployment](../includes/dc-certificate-deployment.md)]
|
||||
|
||||
## Validate the configuration
|
||||
|
||||
[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
|
||||
[!INCLUDE [dc-certificate-validate](../includes/dc-certificate-validate.md)]
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> [Next: prepare and deploy AD FS >](hello-cert-trust-adfs.md)
|
||||
> [Next: prepare and deploy AD FS >](on-premises-cert-trust-adfs.md)
|
||||
@ -0,0 +1,43 @@
|
||||
---
|
||||
title: Deployment guide for the on-premises certificate trust model
|
||||
description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model.
|
||||
ms.date: 12/15/2023
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
|
||||
ms.topic: tutorial
|
||||
---
|
||||
|
||||
# Deployment guide for the on-premises certificate trust model
|
||||
|
||||
[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
|
||||
|
||||
Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment.
|
||||
|
||||
There are four steps to deploying Windows Hello for Business in an on-premises certificate trust model:
|
||||
|
||||
1. [Validate and configure a PKI](on-premises-cert-trust-pki.md)
|
||||
1. [Prepare and deploy AD FS](on-premises-cert-trust-adfs.md)
|
||||
1. [Validate and deploy multi-factor authentication (MFA)](on-premises-cert-trust-mfa.md)
|
||||
1. [Configure Windows Hello for Business Policy settings](on-premises-cert-trust-enroll.md)
|
||||
|
||||
## Create the Windows Hello for Business Users security group
|
||||
|
||||
While this is not a required step, it is recommended to create a security group to simplify the deployment.
|
||||
|
||||
The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign certificate templates and group policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
|
||||
|
||||
Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
|
||||
|
||||
1. Open **Active Directory Users and Computers**
|
||||
1. Select **View > Advanced Features**
|
||||
1. Expand the domain node from the navigation pane
|
||||
1. Right-click the **Users** container. Select **New > Group**
|
||||
1. Type *Windows Hello for Business Users* in the **Group Name**
|
||||
1. Select **OK**
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> [Next: validate and configure a PKI >](on-premises-cert-trust-pki.md)
|
||||
@ -0,0 +1,79 @@
|
||||
items:
|
||||
- name: Windows Hello for Business deployment overview
|
||||
href: ../hello-deployment-guide.md
|
||||
- name: Planning a Windows Hello for Business deployment
|
||||
href: ../hello-planning-guide.md
|
||||
- name: Deployment prerequisite overview
|
||||
href: ../hello-identity-verification.md
|
||||
- name: Cloud-only deployment
|
||||
href: ../hello-aad-join-cloud-only-deploy.md
|
||||
- name: Hybrid deployments
|
||||
items:
|
||||
- name: Cloud Kerberos trust deployment
|
||||
items:
|
||||
- name: Overview
|
||||
href: ../hello-hybrid-cloud-kerberos-trust.md
|
||||
displayName: cloud Kerberos trust
|
||||
- name: Configure and provision Windows Hello for Business
|
||||
href: ../hello-hybrid-cloud-kerberos-trust-provision.md
|
||||
displayName: cloud Kerberos trust
|
||||
- name: Key trust deployment
|
||||
items:
|
||||
- name: Overview
|
||||
href: ../hello-hybrid-key-trust.md
|
||||
displayName: key trust
|
||||
- name: Configure and validate the PKI
|
||||
href: ../hello-hybrid-key-trust-validate-pki.md
|
||||
displayName: key trust
|
||||
- name: Configure and provision Windows Hello for Business
|
||||
href: ../hello-hybrid-key-trust-provision.md
|
||||
displayName: key trust
|
||||
- name: Configure SSO for Microsoft Entra joined devices
|
||||
href: ../hello-hybrid-aadj-sso.md
|
||||
displayName: key trust
|
||||
- name: Certificate trust deployment
|
||||
items:
|
||||
- name: Overview
|
||||
href: hybrid-cert-trust.md
|
||||
displayName: certificate trust
|
||||
- name: Configure and validate Public Key Infrastructure (PKI)
|
||||
href: hybrid-cert-trust-pki.md
|
||||
displayName: certificate trust
|
||||
- name: Configure AD FS
|
||||
href: hybrid-cert-trust-adfs.md
|
||||
displayName: certificate trust
|
||||
- name: Configure and enroll in Windows Hello for Business
|
||||
href: hybrid-cert-trust-enroll.md
|
||||
displayName: certificate trust
|
||||
- name: Configure SSO for Microsoft Entra joined devices
|
||||
href: ../hello-hybrid-aadj-sso.md
|
||||
displayName: certificate trust
|
||||
- name: Deploy certificates to Microsoft Entra joined devices
|
||||
href: ../hello-hybrid-aadj-sso-cert.md
|
||||
displayName: certificate trust
|
||||
- name: On-premises deployments
|
||||
items:
|
||||
- name: Key trust deployment
|
||||
items:
|
||||
- name: Overview
|
||||
href: ../hello-deployment-key-trust.md
|
||||
- name: Configure and validate the PKI
|
||||
href: ../hello-key-trust-validate-pki.md
|
||||
- name: Prepare and deploy Active Directory Federation Services (AD FS)
|
||||
href: ../hello-key-trust-adfs.md
|
||||
- name: Validate and deploy multi-factor authentication (MFA) services
|
||||
href: ../hello-key-trust-validate-deploy-mfa.md
|
||||
- name: Configure Windows Hello for Business policy settings
|
||||
href: ../hello-key-trust-policy-settings.md
|
||||
- name: Certificate trust deployment
|
||||
items:
|
||||
- name: Overview
|
||||
href: on-premises-cert-trust.md
|
||||
- name: Configure and validate Public Key Infrastructure (PKI)
|
||||
href: on-premises-cert-trust-pki.md
|
||||
- name: Prepare and Deploy Active Directory Federation Services (AD FS)
|
||||
href: on-premises-cert-trust-adfs.md
|
||||
- name: Validate and deploy multi-factor authentication (MFA)
|
||||
href: on-premises-cert-trust-mfa.md
|
||||
- name: Configure and enroll in Windows Hello for Business
|
||||
href: on-premises-cert-trust-enroll.md
|
||||
@ -1,33 +0,0 @@
|
||||
---
|
||||
title: Validate Active Directory prerequisites in an on-premises certificate trust
|
||||
description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a certificate trust model.
|
||||
ms.date: 09/07/2023
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
|
||||
ms.topic: tutorial
|
||||
---
|
||||
# Validate Active Directory prerequisites - on-premises certificate trust
|
||||
|
||||
[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
|
||||
|
||||
The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema.
|
||||
|
||||
## Create the Windows Hello for Business Users security group
|
||||
|
||||
The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
|
||||
|
||||
Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
|
||||
|
||||
1. Open **Active Directory Users and Computers**
|
||||
1. Select **View > Advanced Features**
|
||||
1. Expand the domain node from the navigation pane
|
||||
1. Right-click the **Users** container. Select **New > Group**
|
||||
1. Type *Windows Hello for Business Users* in the **Group Name**
|
||||
1. Select **OK**
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> [Next: validate and configure PKI >](hello-cert-trust-validate-pki.md)
|
||||
@ -1,23 +0,0 @@
|
||||
---
|
||||
title: Windows Hello for Business deployment guide for the on-premises certificate trust model
|
||||
description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model.
|
||||
ms.date: 09/07/2023
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
|
||||
ms.topic: tutorial
|
||||
---
|
||||
# Deployment guide overview - on-premises certificate trust
|
||||
|
||||
[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
|
||||
|
||||
Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment:
|
||||
|
||||
1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
|
||||
2. [Validate and configure a PKI](hello-cert-trust-validate-pki.md)
|
||||
3. [Prepare and deploy AD FS](hello-cert-trust-adfs.md)
|
||||
4. [Validate and deploy multi-factor authentication (MFA)](hello-cert-trust-validate-deploy-mfa.md)
|
||||
5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
|
||||
@ -50,12 +50,12 @@ Following are the various deployment guides and models included in this topic:
|
||||
|
||||
- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md)
|
||||
- [Microsoft Entra hybrid joined Key Trust Deployment](hello-hybrid-key-trust.md)
|
||||
- [Microsoft Entra hybrid joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
|
||||
- [Microsoft Entra hybrid joined Certificate Trust Deployment](deploy/hybrid-cert-trust.md)
|
||||
- [Microsoft Entra join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
|
||||
- [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
|
||||
- [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
|
||||
- [On Premises Certificate Trust Deployment](deploy/on-premises-cert-trust.md)
|
||||
|
||||
For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments.
|
||||
For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](deploy/on-premises-cert-trust-mfa.md) deployments.
|
||||
|
||||
## Provisioning
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.topic: how-to
|
||||
|
||||
# Using Certificates for AADJ On-premises Single-sign On
|
||||
|
||||
[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cert-trust-aad.md)]
|
||||
[!INCLUDE [apply-to-hybrid-cert-trust-entra](deploy/includes/apply-to-hybrid-cert-trust-entra.md)]
|
||||
|
||||
If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Microsoft Entra joined devices.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/28/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/28/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
@ -30,4 +30,3 @@ However, the certificate template and the superseding of certificate templates i
|
||||
>To see all certificates in the NTAuth store, use the following command:
|
||||
>
|
||||
> `Certutil -viewstore -enterprise NTAuth`
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/28/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
@ -27,25 +27,14 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
|
||||
1. Open the **Certification Authority** management console
|
||||
1. Right-click **Certificate Templates > Manage**
|
||||
1. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and select **Duplicate Template**
|
||||
1. On the **Compatibility** tab:
|
||||
- Clear the **Show resulting changes** check box
|
||||
- Select **Windows Server 2016** from the **Certification Authority** list
|
||||
- Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
|
||||
1. On the **General** tab
|
||||
- Type *Domain Controller Authentication (Kerberos)* in Template display name
|
||||
- Adjust the validity and renewal period to meet your enterprise's needs
|
||||
> [!NOTE]
|
||||
> If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
|
||||
1. On the **Subject Name** tab:
|
||||
- Select the **Build from this Active Directory information** button if it isn't already selected
|
||||
- Select **None** from the **Subject name format** list
|
||||
- Select **DNS name** from the **Include this information in alternate subject** list
|
||||
- Clear all other items
|
||||
1. On the **Cryptography** tab:
|
||||
- Select **Key Storage Provider** from the **Provider Category** list
|
||||
- Select **RSA** from the **Algorithm name** list
|
||||
- Type *2048* in the **Minimum key size** text box
|
||||
- Select **SHA256** from the **Request hash** list
|
||||
1. Select **OK**
|
||||
1. Close the console
|
||||
1. Use the following table to configure the template:
|
||||
|
||||
| Tab Name | Configurations |
|
||||
| --- | --- |
|
||||
| *Compatibility* | <ul><li>Clear the **Show resulting changes** check box</li><li>Select **Windows Server 2016** from the *Certification Authority list*</li><li>Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*</li></ul>|
|
||||
| *General* | <ul><li>Specify a **Template display name**, for example *Domain Controller Authentication (Kerberos)*</li><li>Set the validity period to the desired value</li><li>Take note of the template name for later, which should be the same as the Template display name minus spaces</li></ul>|
|
||||
| *Subject Name* | <ul><li>Select **Build from this Active Directory information**</li><li>Select **None** from the **Subject name format** list</li><li>Select **DNS name** from the **Include this information in alternate subject** list</li><li>Clear all other items</li></ul>|
|
||||
|*Cryptography*|<ul><li>Set the *Provider Category* to **Key Storage Provider**</li><li>Set the *Algorithm name* to **RSA**</li><li>Set the *minimum key size* to **2048**</li><li>Set the *Request hash* to **SHA256**</li>|
|
||||
|
||||
1. Select **OK** to finalize your changes and create the new template
|
||||
1. Close the console
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/28/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 01/03/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,10 +0,0 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[!INCLUDE [hello-intro](hello-intro.md)]
|
||||
- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
|
||||
- **Trust type:** [!INCLUDE [hello-trust-certificate](hello-trust-certificate.md)]
|
||||
- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)]
|
||||
---
|
||||
@ -1,10 +0,0 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[!INCLUDE [hello-intro](hello-intro.md)]
|
||||
- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
|
||||
- **Trust type:** [!INCLUDE [hello-trust-certificate](hello-trust-certificate.md)]
|
||||
- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
|
||||
---
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,10 +1,10 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[!INCLUDE [hello-intro](hello-intro.md)]
|
||||
- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
|
||||
- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)], [!INCLUDE [hello-trust-certificate](hello-trust-certificate.md)]
|
||||
- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-cert-trust.md)]
|
||||
- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)]
|
||||
---
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,10 +0,0 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[!INCLUDE [hello-intro](hello-intro.md)]
|
||||
- **Deployment type:** [!INCLUDE [hello-deployment-onpremises](hello-deployment-onpremises.md)]
|
||||
- **Trust type:** [!INCLUDE [hello-trust-certificate](hello-trust-certificate.md)]
|
||||
- **Join type:** [!INCLUDE [hello-join-domain](hello-join-domain.md)]
|
||||
---
|
||||
@ -1,6 +0,0 @@
|
||||
---
|
||||
ms.date: 12/08/2022
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[certificate trust :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 01/03/2023
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 12/28/2022
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
@ -15,4 +15,3 @@ Sign in to the CA or management workstation with *Enterprise Administrator* equi
|
||||
1. Expand the parent node from the navigation pane > **Certificate Templates**
|
||||
1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window
|
||||
1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 01/23/2023
|
||||
ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
@ -10,29 +10,18 @@ Windows clients communicate with AD FS via HTTPS. To meet this need, a *server a
|
||||
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
|
||||
|
||||
1. Open the **Certification Authority** management console
|
||||
1. Right-click **Certificate Templates** and select **Manage**
|
||||
1. Right-click **Certificate Templates > Manage**
|
||||
1. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and select **Duplicate Template**
|
||||
1. On the **Compatibility** tab:
|
||||
- Clear the **Show resulting changes** check box
|
||||
- Select **Windows Server 2016** from the **Certification Authority** list
|
||||
- Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
|
||||
1. On the **General** tab:
|
||||
- Type *Internal Web Server* in **Template display name**
|
||||
- Adjust the validity and renewal period to meet your enterprise's needs
|
||||
> [!NOTE]
|
||||
> If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
|
||||
1. On the **Request Handling** tab, select **Allow private key to be exported**
|
||||
1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected
|
||||
1. On the **Security** tab:
|
||||
- Select **Add**
|
||||
- Type **Domain Computers** in the **Enter the object names to select** box
|
||||
- Select **OK**
|
||||
- Select the **Allow** check box next to the **Enroll** permission
|
||||
1. On the **Cryptography** tab:
|
||||
- Select **Key Storage Provider** from the **Provider Category** list
|
||||
- Select **RSA** from the **Algorithm name** list
|
||||
- Type *2048* in the **Minimum key size** text box
|
||||
- Select **SHA256** from the **Request hash** list
|
||||
- Select **OK**
|
||||
1. Close the console
|
||||
1. Use the following table to configure the template:
|
||||
|
||||
| Tab Name | Configurations |
|
||||
| --- | --- |
|
||||
| *Compatibility* | <ul><li>Clear the **Show resulting changes** check box</li><li>Select **Windows Server 2016** from the *Certification Authority list*</li><li>Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*</li></ul>|
|
||||
| *General* | <ul><li>Specify a **Template display name**, for example *Internal Web Server*</li><li>Set the validity period to the desired value</li><li>Take note of the template name for later, which should be the same as the Template display name minus spaces</li></ul>|
|
||||
| *Request Handling* | Select **Allow private key to be exported** |
|
||||
| *Subject Name* | Select **Supply in the request**|
|
||||
|*Security*|Add **Domain Computers** with **Enroll** access|
|
||||
|*Cryptography*|<ul><li>Set the *Provider Category* to **Key Storage Provider**</li><li>Set the *Algorithm name* to **RSA**</li><li>Set the *minimum key size* to **2048**</li><li>Set the *Request hash* to **SHA256**</li>|
|
||||
|
||||
1. Select **OK** to finalize your changes and create the new template
|
||||
1. Close the console
|
||||
|
||||
@ -11,89 +11,7 @@ items:
|
||||
- name: How Windows Hello for Business works
|
||||
href: hello-how-it-works.md
|
||||
- name: Deployment guides
|
||||
items:
|
||||
- name: Windows Hello for Business deployment overview
|
||||
href: hello-deployment-guide.md
|
||||
- name: Planning a Windows Hello for Business deployment
|
||||
href: hello-planning-guide.md
|
||||
- name: Deployment prerequisite overview
|
||||
href: hello-identity-verification.md
|
||||
- name: Cloud-only deployment
|
||||
href: hello-aad-join-cloud-only-deploy.md
|
||||
- name: Hybrid deployments
|
||||
items:
|
||||
- name: Cloud Kerberos trust deployment
|
||||
items:
|
||||
- name: Overview
|
||||
href: hello-hybrid-cloud-kerberos-trust.md
|
||||
displayName: cloud Kerberos trust
|
||||
- name: Configure and provision Windows Hello for Business
|
||||
href: hello-hybrid-cloud-kerberos-trust-provision.md
|
||||
displayName: cloud Kerberos trust
|
||||
- name: Key trust deployment
|
||||
items:
|
||||
- name: Overview
|
||||
href: hello-hybrid-key-trust.md
|
||||
displayName: key trust
|
||||
- name: Configure and validate the PKI
|
||||
href: hello-hybrid-key-trust-validate-pki.md
|
||||
displayName: key trust
|
||||
- name: Configure and provision Windows Hello for Business
|
||||
href: hello-hybrid-key-trust-provision.md
|
||||
displayName: key trust
|
||||
- name: Configure SSO for Microsoft Entra joined devices
|
||||
href: hello-hybrid-aadj-sso.md
|
||||
displayName: key trust
|
||||
- name: Certificate trust deployment
|
||||
items:
|
||||
- name: Overview
|
||||
href: hello-hybrid-cert-trust.md
|
||||
displayName: certificate trust
|
||||
- name: Configure and validate the PKI
|
||||
href: hello-hybrid-cert-trust-validate-pki.md
|
||||
displayName: certificate trust
|
||||
- name: Configure AD FS
|
||||
href: hello-hybrid-cert-whfb-settings-adfs.md
|
||||
displayName: certificate trust
|
||||
- name: Configure and provision Windows Hello for Business
|
||||
href: hello-hybrid-cert-whfb-provision.md
|
||||
displayName: certificate trust
|
||||
- name: Configure SSO for Microsoft Entra joined devices
|
||||
href: hello-hybrid-aadj-sso.md
|
||||
displayName: certificate trust
|
||||
- name: Deploy certificates to Microsoft Entra joined devices
|
||||
href: hello-hybrid-aadj-sso-cert.md
|
||||
displayName: certificate trust
|
||||
- name: On-premises deployments
|
||||
items:
|
||||
- name: Key trust deployment
|
||||
items:
|
||||
- name: Overview
|
||||
href: hello-deployment-key-trust.md
|
||||
- name: Validate Active Directory prerequisites
|
||||
href: hello-key-trust-validate-ad-prereq.md
|
||||
- name: Configure and validate the PKI
|
||||
href: hello-key-trust-validate-pki.md
|
||||
- name: Prepare and deploy Active Directory Federation Services (AD FS)
|
||||
href: hello-key-trust-adfs.md
|
||||
- name: Validate and deploy multi-factor authentication (MFA) services
|
||||
href: hello-key-trust-validate-deploy-mfa.md
|
||||
- name: Configure Windows Hello for Business policy settings
|
||||
href: hello-key-trust-policy-settings.md
|
||||
- name: Certificate trust deployment
|
||||
items:
|
||||
- name: Overview
|
||||
href: hello-deployment-cert-trust.md
|
||||
- name: Validate Active Directory prerequisites
|
||||
href: hello-cert-trust-validate-ad-prereq.md
|
||||
- name: Configure and validate Public Key Infrastructure (PKI)
|
||||
href: hello-cert-trust-validate-pki.md
|
||||
- name: Prepare and Deploy Active Directory Federation Services (AD FS)
|
||||
href: hello-cert-trust-adfs.md
|
||||
- name: Validate and deploy multi-factor authentication (MFA) services
|
||||
href: hello-cert-trust-validate-deploy-mfa.md
|
||||
- name: Configure Windows Hello for Business policy settings
|
||||
href: hello-cert-trust-policy-settings.md
|
||||
href: deploy/toc.yml
|
||||
- name: How-to Guides
|
||||
items:
|
||||
- name: Prepare people to use Windows Hello
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user