diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 9086eba3c8..5bc351b6ed 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -202,7 +202,7 @@ The fully qualified domain name of your organizations internal DNS suffix where #### Wi-Fi **Applies to:** -- Windows 10, version 1803 +- Windows 10, version 1803 You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements. diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index ea07742289..ab50093288 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -34,8 +34,10 @@ The maximum number of supported enrollments on a single Windows 10 computer is 1 ## How can PIN be more secure than a Password? When using Windows Hello for Business, the PIN is not a symmetric key where is the password is a symmetric key. With passwords, there is a server that has some representation of the password. With Windows Hello for Business, the PIN is user provided entropy used to load the private key in the TPM. The server does not have a copy of the PIN. For that matter, the Windows client does not have a copy of the current PIN either. The user must provide the entropy, the TPM protected key, and the TPM that generated that key to successfully have access to the private key. -The statement “PIN is stronger than Password” is not directed at the strength of the entropy used by the PIN. It is about the difference of providing entropy vs continuing the use of a symmetric key (the password). The TPM has anti-hammering features which thwart brute-force PIN attacks (an attacker continuously attempts all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increased the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. +The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It is about the difference of providing entropy vs continuing the use of a symmetric key (the password). The TPM has anti-hammering features which thwart brute-force PIN attacks (an attacker continuously attempts all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increased the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. +## Why can I not see the Key Admins group, I have Windows Server 2016 domain controller(s)> +The **Key Admins** and **Enterprise Key Admins** groups are created when in install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016. ## Can I use conveneince PIN with Azure AD? No. If you want to use PIN or biometrics with Azure Active Directory identities on Azure AD registered, Azure AD joined, or hybrid Azure AD joined devices, then you must deploy Windows Hello for Business. @@ -73,7 +75,16 @@ If your environment uses Microsoft Intune, you need these additional URLs: - portal.manage-beta.microsoft.com - portal.manage.microsoft.com +## What is the difference between non-destructive and destructive PIN Reset? +Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provided a second factor of authentication, and reset their PIN without re-provisioning a new Windows Hello for Business enrollment. This is a non-destructive PIN reset because the user does not delete the current credential and obtain a new one. Read [PIN Reset](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-features#pin-reset) from our [Windows Hello for Business Features](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-features.md) page for more information. +Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. with destructive PIN reset, users that have forgotten their PIN can authenticate using their password, perform a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. +## Which is better or more secure: Key trust or Certificate trust? +The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware backed, two-factor credential. The difference between the two trust types are: +- Required domain controllers +- Issuing end entity certificates +The **key trust** model authenticates to Active Directory using a raw key. Windows Server 2016 domain controllers enables this authentication. Key trust authenticate does not require an enterprise issued certificate, therefore you do not need to issue certificates to your end users (domain controller certificates are still needed). +The **certificate trust** model authenticates to Active Directory using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to your end users, but you do not need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM protected private key to request a certificate from your enterprise's issuing certificate authority. ## Do I need Windows Server 2016 domain controllers? diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index 8f01d3e8f3..a4c4df89e6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -32,11 +32,11 @@ Consider these additional features you can use after your organization deploys W * Hybrid Windows Hello for Business deployment -In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, apps, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS apps, IT professionals are faced with two opposing goals:+ +In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, applications, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS applications, IT professionals are faced with two opposing goals:+ * Empower the end users to be productive wherever and whenever * Protect the corporate assets at any time -To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain apps even for the right people? For example, it might be OK for you if the right people are accessing certain apps from a trusted network; however, you might not want them to access these apps from a network you don't trust. You can address these questions using conditional access. +To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access. Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access. @@ -45,7 +45,7 @@ Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/e **Requirements:** * Windows 10, version 1703 -Dynamic lock enables you to configure Windows 10 devices to automatically lock when bluetooth paired device signal falls below the maximum Recieved Signal Stregnth Indicator (RSSI) value. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Busines**. The name of the policy is **Configure dynamic lock factors**. +Dynamic lock enables you to configure Windows 10 devices to automatically lock when bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Busines**. The name of the policy is **Configure dynamic lock factors**. The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: @@ -81,7 +81,7 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw ## PIN reset **Applies to:** -- Windows 10, version 1709 or later +- Windows 10, version 1709 or later ### Hybrid Deployments @@ -90,10 +90,13 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw - Azure Active Directory - Hybrid Windows Hello for Business deployment - Azure AD registered, Azure AD joined, and Hybrid Azure AD joined -- Windows 10, version 1709 or later, **Enterprise Edition** +- Windows 10, version 1709 or later, **Enterprise Edition** The Microsoft PIN reset services enables you to help users who have forgotten their PIN. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. +>[!IMPORTANT +> The Microsoft PIN Reset service only works with Windows 10, version 1709 or later **Enterprise Edition**. The feature does not work with the **Pro** edition.] + #### Onboarding the Microsoft PIN reset service to your Intune tenant Before you can remotely reset PINs, you must on-board the Microsoft PIN reset service to your Azure Active Directory tenant, and configure devices you manage. @@ -162,7 +165,7 @@ On-premises deployments provide users with the ability to reset forgotten PINs e 4. When finished, unlock your desktop using your newly created PIN. >[!NOTE] -> Visit the [Frequently Asked Questions](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification#frequently-asked-questions) section of the Windows Hello for Business page and watch the **What happens when the user forgets their PIN?** video. +> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgoteen PIN user experience](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. ## Dual Enrollment @@ -171,8 +174,11 @@ On-premises deployments provide users with the ability to reset forgotten PINs e * Domain Joined or Hybrid Azure joined devices * Windows 10, version 1709 +> [!NOTE] +> This feature was previously known as **Priviliged Credential** but was renamed to **Dual Enrollment** to prevent any confusion with the **Privileged Access Workstation** feature. + > [!IMPORTANT] -> Dual enrollment not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Busines dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information. +> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Busines dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information. Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device. @@ -183,10 +189,37 @@ With this setting, administrative users can sign-in to Windows 10, version 1709 > [!IMPORTANT] > You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privleged or non-privleged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation. -### Configuring Dual Enrollment using Group Policy -You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object. +### Configure Windows Hello for Business Dual Enroll +In this task you will +- Configure Active Directory to support Domain Administrator enrollment +- Configure Dual Enrollment using Group Policy -1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to Active Directory computer accounts used by privileged users. +#### Configure Active Directory to support Domain Admin enrollment +The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. + +Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but will they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute. + +Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. + +1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.
+```dsacls "CN=AdminSDHolder,CN=System,**DC=domain,DC=com**" /g "**[domainName\keyAdminGroup]**":RPWP,msDS-KeyCredentialLink```
+where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:
+```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net /g "mstepdemo\Key Admins":RPWP,msDS-KeyCredentialLink``` +2. To trigger security descriptor propagation, open **ldp.exe**. +3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**. +4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user. +5. Click **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**. Click **Enter** to add this to the **Entry List**. +6. Click **Run** to start the task. +7. Close LDP. + +#### Configuring Dual Enrollment using Group Policy +You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object. + +1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users. 2. Edit the Group Policy object from step 1. 3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**. -4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. \ No newline at end of file +4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. +5. Restart computers targeted by this Group Policy object. + +The computer is ready for dual enrollment. Sign-in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign-out and sign-in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users. + diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 430a2f62c3..d8c9d3b752 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -24,13 +24,13 @@ If you plan to use certificates for on-premises single-sign on, then follow thes > Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. Steps you will perform include: -- Prepare Azure AD Connect -- Prepare the Network Device Enrollment Services Service Account -- Prepare Active Directory Certificate Services -- Install the Network Device Enrollment Services Role -- Configure Network Device Enrollment Services to work with Microsoft Intune -- Install and Configure the Intune Certificate Connector -- Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile +- [Prepare Azure AD Connect](#prepare-azure-ad-connect) +- [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account) +- [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority) +- [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role) +- [Configure Network Device Enrollment Services to work with Microsoft Intune](#configure-network-device-enrollment-services-to-work-with-microsoft-intune) +- [Download, Install and Configure the Intune Certificate Connector](#download-install-and-configure-the-intune-certificate-connector) +- [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile) ## Requirements You need to install and configure additional infrastructure to provide Azure AD joined devices with on-premises single-sign on. @@ -648,7 +648,7 @@ Sign-in a workstation with access equivalent to a _domain user_. > [!IMPORTANT] > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. -10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP) list. +10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. 11. Select **Custom** from the **Subject name format** list. 12. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. @@ -657,7 +657,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 15. Under **Extended key usage**, type **Smart Card Logon** under **Name. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. ![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png) -17. Under *SCEP Server URLs*, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests amongst the URLs listed in the SCEP certificate profile. +17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests amongst the URLs listed in the SCEP certificate profile. 18. Click **OK**. 19. Click **Create**. @@ -675,6 +675,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 7. Select the **AADJ WHFB Certificate Users** group. Click **Select**. 8. Click **Save**. +You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources. ## Section Review > [!div class="checklist"] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 7e88ae0635..685a7b6ae4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -1,5 +1,5 @@ --- -title: Single-sign on using Windows Hello for Business on Azure Active Directory joined devices +title: Azure AD Join Single Sign-on Deployment Guides description: Azure Active Directory joined devices in a hybrid Deployment for on-premises single sign-on keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: w10 @@ -11,7 +11,7 @@ ms.author: mstephen localizationpriority: high ms.date: 05/05/2018 --- -# Single-sign on using Windows Hello for Business on Azure Active Directory joined devices +# Azure AD Join Single Sign-on Deployment Guides **Applies to** - Windows 10 @@ -28,6 +28,18 @@ When using a key, the on-premises environment needs an adequate distribution of When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a key requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector. - +To deploy single sign-on for Azure AD joined devices using keys, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md). +To deploy single sign-on for Azure AD joined devices using, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md). + +## Related topics + +- [Windows Hello for Business](hello-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md index c35ff57a68..8f3d85f42b 100644 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ b/windows/security/identity-protection/hello-for-business/toc.md @@ -33,6 +33,9 @@ #### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) #### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md) #### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) +### [Azure AD Join Single Sign-on Deployment Guides](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md) +#### [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md) +#### [Using Certificates for AADJ On-premises Single-sign On](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md) ### [On Premises Key Trust Deployment](hello-deployment-key-trust.md) #### [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)