From 7f03c674a2fe1a61d8f858198c73a7c321b00122 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Thu, 16 Sep 2021 11:34:22 +0530 Subject: [PATCH] Build issue- fixes as per comments Fixed the formatting issues in hello-hybrid-cert-trust-devreg.md and added valid code-blocks to the file. --- .../hello-hybrid-aadj-sso-base.md | 7 +- .../hello-hybrid-aadj-sso-cert.md | 4 +- .../hello-hybrid-cert-trust-devreg.md | 127 +++++++++--------- .../hello-hybrid-cert-whfb-provision.md | 2 +- .../hello-hybrid-cert-whfb-settings-pki.md | 2 +- 5 files changed, 74 insertions(+), 68 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index f8b221e861..86d9a96b10 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -213,8 +213,8 @@ The web server is ready to host the CRL distribution point. Now, configure the 4. On the **Extensions** tab, click **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (do not forget the trailing backwards slash). 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. -7. Select the CDP you just created. - ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png) +7. Select the CDP you just created.
+![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png) 8. Select **Publish CRLs to this location**. 9. Select **Publish Delta CRLs to this location**. 10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box. @@ -262,7 +262,6 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, 5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Click **OK**.
![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png) - ## Configure and Assign a Trusted Certificate Device Configuration Profile Your domain controllers have new certificate that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD joined devices. Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD joined devices do not trust domain controller certificates and authentication fails. @@ -282,7 +281,7 @@ Steps you will perform include: ![Details tab and copy to file.](images/aadj/certlm-root-cert-details-tab.png) 6. In the **Certificate Export Wizard**, click **Next**. 7. On the **Export File Format** page of the wizard, click **Next**. -8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box. +8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box.
![Export root certificate.](images/aadj/certlm-export-root-certificate.png) 9. Click **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 6cca936be0..61eb44f8f8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -323,7 +323,7 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 3. Select **Trust this user for delegation to specified services only**. 4. Select **Use any authentication protocol**. 5. Click **Add**. -6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**. +6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **HOST**. Click **OK**. ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**. 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. @@ -509,7 +509,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. ``` where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. -A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. +A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source. ![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 387a5f1ded..07738c4e4a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -24,7 +24,6 @@ ms.reviewer: - Hybrid deployment - Certificate trust - Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. > [!IMPORTANT] @@ -34,15 +33,17 @@ Your environment is federated and you are ready to configure device registration >Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration. Use this three-phased approach for configuring device registration. + 1. [Configure devices to register in Azure](#configure-azure-for-device-registration) 2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization) 3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) > [!NOTE] > Before proceeding, you should familiarize yourself with device registration concepts such as: -> * Azure AD registered devices -> * Azure AD joined devices -> * Hybrid Azure AD joined devices +> +> - Azure AD registered devices +> - Azure AD joined devices +> - Hybrid Azure AD joined devices > > You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction) @@ -50,7 +51,8 @@ Use this three-phased approach for configuring device registration. > To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594). ## Configure Azure for Device Registration -Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. + +Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal) @@ -60,7 +62,7 @@ Azure Active Directory is now configured for device registration. Next, you need ### Upgrading Active Directory to the Windows Server 2016 or later Schema -To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016 or later. +To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016 or later. > [!IMPORTANT] > If you already have a Windows Server 2016 or later domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 or later Schema** (this section). @@ -83,110 +85,107 @@ Manually updating Active Directory uses the command-line utility **adprep.exe** Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. -1. Open an elevated command prompt. -2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -3. To update the schema, type ```adprep /forestprep```. -4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. -5. Close the Command Prompt and sign-out. +1. Open an elevated command prompt. +2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +3. To update the schema, type ```adprep /forestprep```. +4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. +5. Close the Command Prompt and sign-out. > [!NOTE] > If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured. - ### Setup Active Directory Federation Services + If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service. Review the [AD FS Design guide](/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service. Once you have your AD FS design ready, review [Deploying a Federation Server farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment. > [!IMPORTANT] -> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures. +> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures. The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) #### ADFS Web Proxy ### + Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network. Use the [Setting of a Federation Proxy](/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. ### Deploy Azure AD Connect + Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771). When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. -### Create AD objects for AD FS Device Authentication -If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. +### Create AD objects for AD FS Device Authentication +If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. ![Device Registration: AD FS](images/hybridct/device1.png) > [!NOTE] > The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. -1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. - -![Device Registration: Overview](images/hybridct/device2.png) - +1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. + ![Device Registration: Overview](images/hybridct/device2.png) 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: - `Import-module activedirectory` `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName ""` 3. On the pop-up window click **Yes**. -> [!NOTE] -> If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" + > [!NOTE] + > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" -![Device Registration: Domain](images/hybridct/device3.png) + ![Device Registration: Domain](images/hybridct/device3.png) + The above PSH creates the following objects: -The above PSH creates the following objects: - -- RegisteredDevices container under the AD domain partition -- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration -- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration - -![Device Registration: Tests](images/hybridct/device4.png) + - RegisteredDevices container under the AD domain partition + - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration + - Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration + ![Device Registration: Tests](images/hybridct/device4.png)
4. Once this is done, you will see a successful completion message. -![Device Registration: Completion](images/hybridct/device5.png) + ![Device Registration: Completion](images/hybridct/device5.png) ### Create Service Connection Point (SCP) in Active Directory If you plan to use Windows domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS -1. Open Windows PowerShell and execute the following: + +1. Open Windows PowerShell and execute the following: `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"` -> [!NOTE] -> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep - -![Device Registration AdPrep](images/hybridct/device6.png) + > [!NOTE] + > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep + ![Device Registration AdPrep](images/hybridct/device6.png) 2. Provide your Azure AD global administrator credentials - `PS C:>$aadAdminCred = Get-Credential` - -![Device Registration: Credential](images/hybridct/device7.png) + `PS C:>$aadAdminCred = Get-Credential` + ![Device Registration: Credential](images/hybridct/device7.png) 3. Run the following PowerShell command `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred` -Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. + Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. The above commands enable Windows clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS. ### Prepare AD for Device Write Back To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the following. -1. Open Windows PowerShell and execute the following: +1. Open Windows PowerShell and execute the following: `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name]` -Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format + Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format The above command creates the following objects for device write back to AD DS, if they do not exist already, and allows access to the specified AD connector account name - RegisteredDevices container in the AD domain partition - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration -### Enable Device Write Back in Azure AD Connect +### Enable Device Write Back in Azure AD Connect + If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets ## Configure AD FS to use Azure registered devices @@ -213,17 +212,17 @@ When you're using AD FS, you need to enable the following WS-Trust endpoints: The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises. -* `http://schemas.microsoft.com/ws/2012/01/accounttype` -* `http://schemas.microsoft.com/identity/claims/onpremobjectguid` -* `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid` +- `http://schemas.microsoft.com/ws/2012/01/accounttype` +- `http://schemas.microsoft.com/identity/claims/onpremobjectguid` +- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid` If you have more than one verified domain name, you need to provide the following claim for computers: -* `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid` +- `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid` If you are already issuing an ImmutableID claim (e.g., alternate login ID) you need to provide one corresponding claim for computers: -* `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID` +- `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID` In the following sections, you find information about: @@ -239,7 +238,8 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this: -``` +```powershell + @RuleName = "Issue account type for domain-joined computers" c:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", @@ -256,7 +256,8 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: -``` +```powershell + @RuleName = "Issue object GUID for domain-joined computers" c1:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", @@ -280,7 +281,8 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: -``` +```powershell + @RuleName = "Issue objectSID for domain-joined computers" c1:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", @@ -299,7 +301,8 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. -``` +```powershell + @RuleName = "Issue account type with the value User when it is not a computer" NOT EXISTS( @@ -355,7 +358,8 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain] **`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows: -``` +```powershell + @RuleName = "Issue ImmutableID for computers" c1:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", @@ -379,7 +383,8 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain] The following script helps you with the creation of the issuance transform rules described above. -``` +```powershell + $multipleVerifiedDomainNames = $false $immutableIDAlreadyIssuedforUsers = $false $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains @@ -506,20 +511,21 @@ The following script helps you with the creation of the issuance transform rules - If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule: - -~~~ + ~~~ c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); -~~~ + ~~~ - If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**. -#### Configure Device Authentication in AD FS +#### Configure Device Authentication in AD FS + Using an elevated PowerShell command window, configure AD FS policy by executing the following command `PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod SignedToken` -#### Check your configuration +#### Check your configuration + For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work - object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain> @@ -528,7 +534,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe - Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - Container Device Registration Service DKM under the above container -![Device Registration: Container](images/hybridct/device8.png) + ![Device Registration: Container](images/hybridct/device8.png) - object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - read/write access to the specified AD connector account name on the new object @@ -542,6 +548,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
## Follow the Windows Hello for Business hybrid certificate trust deployment guide + 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index f1dc22e50f..e7082740c2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -1,6 +1,6 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business) -description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Businesss. +description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 1cc5c20c10..53d6fd45a0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -17,7 +17,7 @@ ms.date: 4/30/2021 ms.reviewer: --- -# Configure Hybrid Azure AD joined Windows Hello for Busines - Public Key Infrastructure +# Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure **Applies to**