mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 12:23:37 +00:00
add key trust RDP info
This commit is contained in:
Mapalko
@ -52,6 +52,9 @@ The trust model determines how you want users to authenticate to the on-premises
|
|||||||
* The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
|
* The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
|
||||||
* The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
|
* The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this time.
|
||||||
|
|
||||||
Following are the various deployment guides included in this topic:
|
Following are the various deployment guides included in this topic:
|
||||||
- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
|
- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
|
||||||
- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
|
- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
|
||||||
|
|||||||
@ -27,6 +27,9 @@ Windows Hello for Business is the modern, two-factor credential for Windows 10.
|
|||||||
## What about convenience PIN?
|
## What about convenience PIN?
|
||||||
Microsoft is committed to its vision of a <u>world without passwords.</u> We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
|
Microsoft is committed to its vision of a <u>world without passwords.</u> We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
|
||||||
|
|
||||||
|
## Can I use Windows Hello for Business key trust and RDP?
|
||||||
|
RDP currently does not support key based authentication and does not support self signed certificates. RDP with Windows Hello for Business is currently only supported with certificate based deployments.
|
||||||
|
|
||||||
## Can I deploy Windows Hello for Business using System Center Configuration Manager?
|
## Can I deploy Windows Hello for Business using System Center Configuration Manager?
|
||||||
Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no longer be supported after November 2018.
|
Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no longer be supported after November 2018.
|
||||||
|
|
||||||
|
|||||||
@ -92,7 +92,9 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
|
|||||||
|
|
||||||
## Comparing key-based and certificate-based authentication
|
## Comparing key-based and certificate-based authentication
|
||||||
|
|
||||||
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust.
|
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust.
|
||||||
|
|
||||||
|
Windows Hello for Business with a key does not support RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments.
|
||||||
|
|
||||||
|
|
||||||
## Learn more
|
## Learn more
|
||||||
|
|||||||
@ -80,6 +80,9 @@ The key trust type does not require issuing authentication certificates to end u
|
|||||||
|
|
||||||
The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
|
The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this tim
|
||||||
|
|
||||||
#### Device registration
|
#### Device registration
|
||||||
|
|
||||||
All devices included in the Windows Hello for Business deployment must go through device registration. Device registration enables devices to authenticate to identity providers. For cloud only and hybrid deployment, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role.
|
All devices included in the Windows Hello for Business deployment must go through device registration. Device registration enables devices to authenticate to identity providers. For cloud only and hybrid deployment, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role.
|
||||||
|
|||||||
Reference in New Issue
Block a user