mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 04:43:37 +00:00
More content and style changes
This commit is contained in:
Mike Stephens
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security, mobile
|
||||
author: DaniHalfin
|
||||
author: mikestephens-MS
|
||||
ms.author: mstephen
|
||||
localizationpriority: high
|
||||
---
|
||||
@ -15,7 +15,7 @@ localizationpriority: high
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
> This guide only applies to Windows 10, version 1703 or higher.
|
||||
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
|
||||
|
||||
Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technolgies
|
||||
|
||||
@ -195,4 +195,4 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide.
|
||||
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
|
||||
3. New Installation Baseline (*You are here*)
|
||||
4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
|
||||
5. Sign-in and Provision
|
||||
5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
|
||||
@ -1,22 +1,22 @@
|
||||
---
|
||||
title: Validate Public Key Infrastructure (Windows Hello for Business)
|
||||
description: How to Validate Public Key Infrastructure for Windows Hello for Business
|
||||
keywords: identity, PIN, biometric, Hello, passport
|
||||
title: Hybrid Windows Hello for Business Prerequistes (Windows Hello for Business)
|
||||
description: Prerequisites for Hybrid Windows Hello for Business Deployments
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security, mobile
|
||||
author: DaniHalfin
|
||||
author: mikestephens-MS
|
||||
ms.author: mstephen
|
||||
localizationpriority: high
|
||||
---
|
||||
# Hybrid Certificate Trust Prerequisites
|
||||
# Hybrid Windows Hello for Business Prerequisites
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
|
||||
> This guide only applies to Windows 10, version 1703 or higher.
|
||||
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
|
||||
|
||||
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
|
||||
|
||||
@ -121,4 +121,4 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide.
|
||||
2. Prerequistes (*You are here*)
|
||||
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
|
||||
4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
|
||||
5. Sign-in and Provision
|
||||
5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
|
||||
@ -15,7 +15,7 @@ localizationpriority: high
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
> This guide only applies to Windows 10, version 1703 or higher.
|
||||
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
|
||||
|
||||
|
||||
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
|
||||
@ -42,4 +42,4 @@ Regardless of the baseline you choose, you’re next step is to familiarize your
|
||||
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
|
||||
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
|
||||
4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
|
||||
5. Sign-in and Provision
|
||||
5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
|
||||
@ -0,0 +1,61 @@
|
||||
---
|
||||
title: Hybrid Windows Hello for Business Provisioning (Windows Hello for Business)
|
||||
description: Provisioning for Hybrid Windows Hello for Business Deployments
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security, mobile
|
||||
author: mikestephens-MS
|
||||
ms.author: mstephen
|
||||
localizationpriority: high
|
||||
---
|
||||
# Hybrid Windows Hello for Business Provisioning
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
|
||||
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
|
||||
|
||||
## Provisioning
|
||||
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
|
||||
|
||||
<Event358.png>
|
||||
|
||||
The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **EnterpriseJoined** reads **Yes**.
|
||||
|
||||
<dsregcmd.png?
|
||||
|
||||
Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**.
|
||||
|
||||
<setupapin.png>
|
||||
|
||||
The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
|
||||
|
||||
<mfa.png>
|
||||
|
||||
After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment.
|
||||
|
||||
<createaPin.png>
|
||||
|
||||
The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment.
|
||||
* A successful single factor authentication (username and password at sign-in)
|
||||
* A device that has successfully completed device registration
|
||||
* A fresh, successful multi-factor authentication
|
||||
* A validated PIN that meets the PIN complexity requirements
|
||||
|
||||
The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has syncrhonized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use.
|
||||
|
||||
>[!NOTE]
|
||||
> Microsoft is actively investigating in ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time.
|
||||
|
||||
After a successfully key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment.
|
||||
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
|
||||
The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that provisioning is complete and they can immediately use their PIN to sign-in.
|
||||
<allset.png>
|
||||
|
||||
|
||||
@ -107,4 +107,4 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva
|
||||
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
|
||||
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
|
||||
4. Configure Windows Hello for Business settings: Active Directory (*You are here*)
|
||||
5. Sign-in and Provision
|
||||
5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
|
||||
@ -20,6 +20,11 @@ ms.author: mstephen
|
||||
>[!IMPORTANT]
|
||||
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
|
||||
|
||||
>[!div class="step-by-step"]
|
||||
[ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md)
|
||||
[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings-policy.md)
|
||||
|
||||
|
||||
The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
|
||||
|
||||
The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
|
||||
@ -54,32 +59,23 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
|
||||
1. Open **Active Directory Users and Computers**.
|
||||
2. Click the **Users** container in the navigation pane.
|
||||
3. Right-click **KeyCredential Admins** in the details pane and click **Properties**.
|
||||
4. Click the **Members** tab and click **Add<EFBFBD>**
|
||||
4. Click the **Members** tab and click **Add**
|
||||
5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**.
|
||||
6. Click **OK** to return to **Active Directory Users and Computers**.
|
||||
7. Right-click **Windows Hello for Business Users** group
|
||||
8. Click the **Members** tab and click **Add<EFBFBD>**
|
||||
8. Click the **Members** tab and click **Add**
|
||||
9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**.
|
||||
10. Click **OK** to return to **Active Directory Users and Computers**.
|
||||
11. Change to server hosting the AD FS role and restart it.
|
||||
|
||||
### Section Review
|
||||
- [x] Active Directory
|
||||
- [x] Public Key Infrastructure
|
||||
- [x] Azure Active Directory
|
||||
- [x] Directory Synchronization
|
||||
- [x] Active Directory Federation Services
|
||||
- [x] Federation Services
|
||||
- [x] Federation Proxy Servers
|
||||
- [x] Multiple top-level domains
|
||||
- [x] Azure Device Registration
|
||||
- [x] Device Writeback
|
||||
- [x] Multifactor Authentication
|
||||
- [x] Windows Hello for Business
|
||||
- [x]Active Directory
|
||||
- [x] Directory Synchronization
|
||||
- [x] Public Key Infrastructure
|
||||
- [x] Federation Services
|
||||
- [ ] Group Policy
|
||||
- [ ] Sign-in and Provision
|
||||
<br>
|
||||
|
||||
<hr>
|
||||
|
||||
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
|
||||
1. [Overview](hello-hybrid-cert-trust.md)
|
||||
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
|
||||
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
|
||||
4. Configure Windows Hello for Business settings (*You are here*)
|
||||
5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
|
||||
|
||||
|
||||
@ -10,13 +10,16 @@ localizationpriority: high
|
||||
author: mikestephens-MS
|
||||
ms.author: mstephen
|
||||
---
|
||||
# Configure Windows Hello for Business: Directory Synchronization
|
||||
# Configure Hybrid Windows Hello for Business: Directory Synchronization
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
## Directory Syncrhonization
|
||||
|
||||
>[!IMPORTANT]
|
||||
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
|
||||
|
||||
In hybrid deployments, users register the public portion of their Windows Hello for Business crednetial with Azure. Azure AD Connect syncrhonizes the Windows Hello for Business public key to Active Directory.
|
||||
|
||||
The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
|
||||
|
||||
@ -11,7 +11,7 @@ author: mikestephens-MS
|
||||
ms.author: mstephen
|
||||
---
|
||||
|
||||
# Configure Windows Hello for Business: Public Key Infrastructure
|
||||
# Configure Hybrid Windows Hello for Business: Public Key Infrastructure
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
@ -190,5 +190,5 @@ Sign-in to the certificate authority or management workstation with _Enterprise
|
||||
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
|
||||
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
|
||||
4. Configure Windows Hello for Business settings: PKI (*You are here*)
|
||||
5. Sign-in and Provision
|
||||
5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
|
||||
|
||||
|
||||
@ -10,7 +10,7 @@ localizationpriority: high
|
||||
author: mikestephens-MS
|
||||
ms.author: mstephen
|
||||
---
|
||||
# Configure Windows Hello for Business: Group Policy
|
||||
# Configure Hybrid Windows Hello for Business: Group Policy
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -45,4 +45,4 @@ For the most efficent deployment, configure these technologies in order beginnin
|
||||
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
|
||||
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
|
||||
4. Configure Windows Hello for Business settings (*You are here*)
|
||||
5. Sign-in and Provision
|
||||
5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
|
||||
Reference in New Issue
Block a user