diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index da22ec83f2..61cba05549 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -8172,7 +8172,7 @@
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md",
- "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/how-it-works#provisioning",
 "redirect_document_id": false
 },
 {
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md
index 87250d1fa9..fb493c8800 100644
--- a/windows/security/identity-protection/hello-for-business/how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works.md
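Review bot: The new `redirect_url` ends in the fragment `#provisioning`, but nothing visible in this diff shows that `how-it-works.md` has a heading that produces that anchor; the hunk in that file only rewrites a note. If the anchor is missing or later renamed, readers following old links to the cloud Kerberos trust provisioning page land at the top of a long conceptual article instead of the provisioning section. The previous target was the deployment-specific enrollment guide, so it is also worth confirming that the provisioning section links onward to `deploy/hybrid-cloud-kerberos-trust-enroll` so that the enrollment steps stay reachable.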
@@ -96,7 +96,16 @@ For detailed sequence diagrams, see [how device registration works][ENTRA-4]. :::row-end::: > [!NOTE] -> The list of prerequisites varies depending on the deployment type, as described in the article [Plan a Windows Hello for Business deployment](deploy/index.md). +> +> Depending on the deployment type, Windows Hello for Business provisioning is launched only if: +> +> - The device meets the Windows Hello hardware requirements +> - The device is joined to Active Directory or Microsoft Entra ID +> - The user signs in with an account defined in Active Directory or Microsoft Entra ID +> - The Windows Hello for Business policy is enabled +> - The user is not connected to the machine via Remote Desktop +> +> Additional prerequisites for specific deployment types are described in the article [Plan a Windows Hello for Business deployment](deploy/index.md). During the provisioning phase, a *Windows Hello container* is created. A Windows Hello container is a logical grouping of *key material*, or data. The container holds organization's credentials only on devices that are *registered* with the organization's IdP.