deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 12:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Paolo Matarazzo
2023-02-24 12:00:40 -05:00
parent 8708fdd5ed
commit 70fb39dfee
2 changed files with 26 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
View File

@ -29,16 +29,12 @@ After setting up the Azure AD Kerberos object, Windows Hello for business cloud
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
## Configure Windows Hello for Business using Microsoft Intune
For devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
For devices managed by Intune, you can use Intune policies to configure Windows Hello for Business.
There are different ways to enable and configure Windows Hello for Business in Intune:
- Using a policy applied at the tenant level. The tenant policy:
- Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
- It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. Chose from the following policy types:
- When the device is enrolled in Intune, a tenant-wide policy is applied to the device. This policy is applied at enrollment time only, and any changes to its configuration won't apply to devices already enrolled in Intune. For this reason, this policy is usually disabled, and Windows Hello for Business can be enabled using a policy targeted to a security group
- After the device is enrolled in Intune, you can apply a device configuration policy. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
- [Settings catalog][MEM-7]
- [Security baselines][MEM-2]
- [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
@ -49,7 +45,7 @@ There are different ways to enable and configure Windows Hello for Business in I
To check the Windows Hello for Business policy applied at enrollment time:
1. Sign in to the <a href="https://intune.microsoft.com/" target="_blank"><b>Microsoft Intune admin center</b></a>
1. Sign in to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
1. Select **Devices** > **Windows** > **Windows Enrollment**
1. Select **Windows Hello for Business**
1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
@ -60,25 +56,25 @@ If the tenant-wide policy is enabled and configured to your needs, you can skip
### Enable Windows Hello for Business
To configure Windows Hello for Business using an *account protection* policy:
To configure Windows Hello for Business using an account protection policy:
1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Intune admin center</b></a>
1. Sign in to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
1. Select **Endpoint security** > **Account protection**
1. Select **+ Create Policy**
1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection**
1. For **Platform**, select **Windows 10 and later** and for **Profile* select **Account protection**
1. Select **Create**
1. Specify a **Name** and, optionally, a **Description** > **Next**
1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available
- These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes**
1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available
- These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**
- For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
1. Under *Enable to certificate for on-premises resources*, select **Disabled** and multiple policies become available
1. Under **Enable to certificate for on-premises resources**, select **Disabled** and multiple policies become available
1. Select **Next**
1. Optionally, add *scope tags* > **Next**
1. Optionally, add **scope tags** and select **Next**
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
1. Review the policy configuration and select **Create**
> [!TIP]
> If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Identity Protection template.
> If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Account protection template.
:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
@ -86,14 +82,14 @@ Assign the policy to a security group that contains as members the devices or us
### Configure cloud Kerberos trust policy
The cloud Kerberos trust policy needs to be configured using a custom template, and is configured separately from enabling Windows Hello from Business.
The cloud Kerberos trust policy can be configured using a custom template, and is configured separately from enabling Windows Hello from Business.
To configure the cloud Kerberos trust policy:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
1. For Profile Type, select **Templates** and select the **Custom** Template.
1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust".
1. Sign in to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**
1. For Profile Type, select **Templates** and select the **Custom** Template
1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust"
1. In Configuration Settings, add a new configuration with the following settings:
| Setting |
@ -135,12 +131,12 @@ You can configure Windows Hello for Business cloud Kerberos trust using a Group
1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**
1. Select **Use Windows Hello for Business** > **Enable** > **OK**
1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK**
1. *Optional, but recommended*: select **Use a hardware security device** > **Enable** > **OK**
1. Optional, but recommended: select **Use a hardware security device** > **Enable** > **OK**
---
> [!IMPORTANT]
> If the *Use certificate for on-premises authentication* policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy *not configured* or *disabled*.
> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured** or **disabled**.
## Provision Windows Hello for Business

11
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -10,7 +10,7 @@ ms.topic: tutorial
[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)]
Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a *cloud Kerberos trust* scenario.
Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in a *cloud Kerberos trust* scenario.
## Introduction to cloud Kerberos trust
@ -19,7 +19,7 @@ The goal of Windows Hello for Business cloud Kerberos trust is to bring the simp
Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which enables a simpler deployment when compared to the *key trust model*:
- No need to deploy a public key infrastructure (PKI) or to change an existing PKI
- No need to synchronize public keys between Azure AD and Active Directory for users to access on-premises resources. This means that there isn't delay between the user's WHFB provisioning and being able to authenticate to Active Directory
- No need to synchronize public keys between Azure AD and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory
- [Passwordless security key sign-in][AZ-1] can be deployed with minimal extra setup
> [!NOTE]
@ -30,7 +30,7 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which
*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.
Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\
With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers.
With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization.
When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object:
@ -79,7 +79,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou
> * Provision Windows Hello for Business on Windows clients
> [!div class="nextstepaction"]
> [Next: configure and provision Windows Hello for Business >](hello-hybrid-cloud-kerberos-trust-provision.md)
> [Next: **configure** and provision **Windows** Hello for **Business** >](hello-hybrid-cloud-kerberos-trust-provision.md)
<!--Links-->
@ -89,3 +89,6 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou
[SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e
[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f
**hello** you **there**