deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update Windows Hello for Business deployment links

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-12-28 13:12:44 -05:00
parent 64d8fff966
commit 802b9db7fa
8 changed files with 82 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
windows/security/identity-protection/hello-for-business/deploy/cloud.md → windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
View File

@ -10,14 +10,16 @@ ms.topic: how-to
[!INCLUDE [requirements](includes/requirements.md)] [!INCLUDE [requirements](includes/requirements.md)]
1. Authentication to Microsoft Entra ID > [!div class="checklist"]
1. Multifactor authentication >
1. Device configuration > - [Authentication](index.md#authentication)
1. Licensing for cloud services > - [Device configuration](index.md#device-configuration)
> - [Licensing for cloud services](index.md#licensing-for-cloud-services)
> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello)
## Introduction ## Introduction
When you Microsoft Entra join a device, the system attempts to automatically enroll you in Windows Hello for Business, by default. If you want to use Windows Hello for Business in a cloud-only environment, there's no additional configuration needed. When you Microsoft Entra join a device, the system attempts to automatically enroll you in Windows Hello for Business, by default. If you want to use Windows Hello for Business in a cloud-only environment with its default settings, there's no additional configuration needed.
If you want to disable the automatic Windows Hello for Business enrollment prompt, you can configure your devices with a policy setting or registry key. For more information, see [Disable Windows Hello for Business]([Disable Windows Hello for Business enrollment](../configure.md#disable-windows-hello-for-business-enrollment). If you want to disable the automatic Windows Hello for Business enrollment prompt, you can configure your devices with a policy setting or registry key. For more information, see [Disable Windows Hello for Business]([Disable Windows Hello for Business enrollment](../configure.md#disable-windows-hello-for-business-enrollment).

8
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
View File

@ -14,6 +14,14 @@ ms.topic: tutorial
[!INCLUDE [requirements](includes/requirements.md)] [!INCLUDE [requirements](includes/requirements.md)]
> [!div class="checklist"]
>
> - [Public Key Infrastructure](index.md#public-key-infrastructure-pki)
> - [Authentication](index.md#authentication)
> - [Device configuration](index.md#device-configuration)
> - [Licensing for cloud services](index.md#licensing-for-cloud-services)
> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello)
### Federated authentication to Microsoft Entra ID ### Federated authentication to Microsoft Entra ID
Windows Hello for Business hybrid certificate trust doesn't support Microsoft Entra ID *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\ Windows Hello for Business hybrid certificate trust doesn't support Microsoft Entra ID *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\

28
windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
View File

@ -11,29 +11,21 @@ ms.topic: tutorial
[!INCLUDE [requirements](includes/requirements.md)] [!INCLUDE [requirements](includes/requirements.md)]
1. Deployment options > [!div class="checklist"]
1. Deploment models >
1. Trust types > - [Authentication](index.md#authentication)
1. Authentication > - [Device configuration](index.md#device-configuration)
1. Device registration > - [Windows requirements](index.md#windows-requirements)
1. Key registration > - [Windows Server requirements](index.md#windows-server-requirements)
1. Directory synchronization > - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello)
1. Multifactor authentication
1. Device configuration
1. Public Key Infrastructure
1. Licensing for cloud services
1. Windows requirements
1. Windows Server requirements
## Deployment steps ## Deployment steps
Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
> [!div class="checklist"] - Deploy Microsoft Entra Kerberos
> - Configure Windows Hello for Business settings
> - Deploy Microsoft Entra Kerberos - Provision Windows Hello for Business on Windows clients
> - Configure Windows Hello for Business settings
> - Provision Windows Hello for Business on Windows clients
## Deploy Microsoft Entra Kerberos ## Deploy Microsoft Entra Kerberos

7
windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
View File

@ -14,6 +14,13 @@ ms.topic: tutorial
[!INCLUDE [requirements](includes/requirements.md)] [!INCLUDE [requirements](includes/requirements.md)]
> [!div class="checklist"]
>
> - [Public Key Infrastructure](index.md#public-key-infrastructure-pki)
> - [Authentication](index.md#authentication)
> - [Device configuration](index.md#device-configuration)
> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello)
## Next steps ## Next steps
> [!div class="checklist"] > [!div class="checklist"]

81
windows/security/identity-protection/hello-for-business/deploy/index.md
View File

@ -18,44 +18,40 @@ This guide explains the role of each component within Windows Hello for Business
There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex. However, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It's important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization. There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex. However, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It's important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization.
This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you'll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment.
### How to proceed ### How to proceed
Read this document and record your decisions. When finished, you should have all the necessary information to evaluate the available options and to determine requirements for your Windows Hello for Business deployment. Read this document and record your decisions. When finished, you should have all the necessary information to evaluate the available options and to determine requirements for your Windows Hello for Business deployment.
There are 8 major categories to consider when planning a Windows Hello for Business deployment: There are eight major categories to consider when planning a Windows Hello for Business deployment:
1. Deployment options > [!div class="checklist"]
1. Deploment models >
1. Trust types > - [Deployment options](#deployment-options)
1. Authentication > - [Public Key Infrastructure](#public-key-infrastructure-pki)
1. Device registration > - [Authentication](#authentication)
1. Key registration > - [Device configuration](#device-configuration)
1. Directory synchronization > - [Licensing for cloud services](#licensing-for-cloud-services)
1. Multifactor authentication > - [Windows requirements](#windows-requirements)
1. Device configuration > - [Windows Server requirements](#windows-server-requirements)
1. Public Key Infrastructure > - [Prepare users to use Windows Hello](#prepare-users-to-use-windows-hello)
1. Licensing for cloud services
1. Windows requirements
1. Windows Server requirements
1. Prepare users to use Windows Hello
## Deployment Options ## Deployment options
The goal of Windows Hello for Business is to enable deployments for all organizations of any size or scenario. To provide this type of granular deployment, Windows Hello for Business offers a diverse choice of deployment options. The goal of Windows Hello for Business is to enable deployments for all organizations of any size or scenario. To provide this type of granular deployment, Windows Hello for Business offers a diverse choice of deployment options.
### Deployment models ### Deployment models
It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment might have already been decided for you based on your current infrastructure.
There are three deployment models from which you can choose: There are three deployment models from which you can choose:
| | Deployment model | Description | | | Deployment model | Description |
|--|--|--| |--|--|--|
| :black_square_button: | **Cloud-only** |For organizations that only have cloud identities and don't access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint Online, OneDrive, and others. Also, since the users don't use on-premises resources, they don't need certificates for things like VPN because everything they need is hosted in cloud services| | :black_square_button: | **Cloud-only** |For organizations that only have cloud identities and don't access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint Online, OneDrive, and others. Also, since the users don't use on-premises resources, they don't need certificates for things like VPN because everything they need is hosted in cloud services|
| :black_square_button: | **Hybrid** |For organizations that have identities synchronized from Active Directory to Microsoft Entra ID. These organizations use applications registered in Microsoft Entra ID, and want a sinlge sign-on (SSO) experience for both on-premises and Microsoft Entra resources| | :black_square_button: | **Hybrid** |For organizations that have identities synchronized from Active Directory to Microsoft Entra ID. These organizations use applications registered in Microsoft Entra ID, and want a single sign-on (SSO) experience for both on-premises and Microsoft Entra resources|
| :black_square_button: | **On-premises** |For organizations that don't have cloud identities or use applications hosted in Microsoft Entra ID. These organizations use on-premises applications, integrated in Active Directory, and want a SSO user experiences when accessing them.| | :black_square_button: | **On-premises** |For organizations that don't have cloud identities or use applications hosted in Microsoft Entra ID. These organizations use on-premises applications, integrated in Active Directory, and want an SSO user experiences when accessing them.|
>[!NOTE] >[!NOTE]
> >
@ -68,19 +64,19 @@ A deployment's trust type defines how Windows Hello for Business clients **authe
The trust type determines whether you issue authentication certificates to your users. One trust model isn't more secure than the other. The trust type determines whether you issue authentication certificates to your users. One trust model isn't more secure than the other.
The deployment of certificates to users and Domain Controllers requires more configuration and infrastructure, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you must activate the Device Writeback option in Microsoft Entra Connect. The deployment of certificates to users and Domain Controllers requires more configuration and infrastructure, which could also be a factor to consider in your decision. More infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you must activate the Device Writeback option in Microsoft Entra Connect.
There are three trust types from which you can choose: There are three trust types from which you can choose:
| | Trust type | Description | | | Trust type | Description |
|--|--|--| |--|--|--|
| :black_square_button: | **Cloud Kerberos trust**| Users authenticate to Active Directory by requesting a TGT from Microsoft Entra ID, using Microsoft Entra Kerberos. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization. Cloud Kerberos trust uses the same infrastructure required for FIDO2 security key sign-in, and it can be used for new or existing Windows Hello for Business deployments. | | :black_square_button: | **Cloud Kerberos trust**| Users authenticate to Active Directory by requesting a TGT from Microsoft Entra ID, using Microsoft Entra Kerberos. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization. Cloud Kerberos trust uses the same infrastructure required for FIDO2 security key sign-in, and it can be used for new or existing Windows Hello for Business deployments. |
| :black_square_button: | **Key trust**| Users authenticate to the on-premises Active Directory using a device-bound key (hardware or sofware) created during the Windows Hello provisioning experience. It requires to distribute certificates to domain controllers. | | :black_square_button: | **Key trust**| Users authenticate to the on-premises Active Directory using a device-bound key (hardware or software) created during the Windows Hello provisioning experience. It requires to distribute certificates to domain controllers. |
| :black_square_button: | **Certificate trust**| The certificate trust type issues authentication certificates to users. Users authenticate using a certificate requested using a device-bound key (hardware or sofware) created during the Windows Hello provisioning experience. | | :black_square_button: | **Certificate trust**| The certificate trust type issues authentication certificates to users. Users authenticate using a certificate requested using a device-bound key (hardware or software) created during the Windows Hello provisioning experience. |
*Key trust* and *certificate trust* use certificate authentication-based Kerberos when requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust. *Key trust* and *certificate trust* use certificate authentication-based Kerberos when requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.
The goal of Windows Hello for Business cloud Kerberos trust is to provide a simple deployment experience: The goal of Windows Hello for Business cloud Kerberos trust is to provide a simpler deployment experience, when compared to the other trust types:
- No need to deploy a public key infrastructure (PKI) or to change an existing PKI - No need to deploy a public key infrastructure (PKI) or to change an existing PKI
- No need to synchronize public keys between Microsoft Entra ID and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory - No need to synchronize public keys between Microsoft Entra ID and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory
@ -93,7 +89,7 @@ Cloud Kerberos trust requires the deployment of Microsoft Entra Kerberos. For mo
## Public Key Infrastructure (PKI) ## Public Key Infrastructure (PKI)
While cloud Kerberos trust is the only hybrid deployment option that doesn't require the deployment of any certificates, the other hybrid and on-premises models depend on an enterprise PKI as a trust anchor for authentication: Cloud Kerberos trust is the only hybrid deployment option that doesn't require the deployment of any certificates. The other hybrid and on-premises models depend on an enterprise PKI as a trust anchor for authentication:
- Domain controllers for hybrid and on-premises deployments need a certificate for Windows devices to trust the domain controller as legitimate - Domain controllers for hybrid and on-premises deployments need a certificate for Windows devices to trust the domain controller as legitimate
- Deployments using the certificate trust type require an enterprise PKI and a certificate registration authority (CRA) to issue authentication certificates to users. AD FS is used as a CRA - Deployments using the certificate trust type require an enterprise PKI and a certificate registration authority (CRA) to issue authentication certificates to users. AD FS is used as a CRA
@ -111,12 +107,12 @@ For cloud-only and hybrid deployments, users and devices must authenticate to Mi
For on-premises deployments, the identity provider is the on-premises server running the Active Directory Federation Services (AD FS) role. For on-premises deployments, the identity provider is the on-premises server running the Active Directory Federation Services (AD FS) role.
Here's a list of requirements for federated and non-federated deployments. Here's a list of requirements for federated and nonfederated deployments.
| Deployment model | Authentication options | | Deployment model | Authentication options |
|--|--| |--|--|
| **Cloud-only** | :black_square_button: **Non-federated**<br> :black_square_button: **Federated**: federated authentication requires a third-party federation service. | | **Cloud-only** | :black_square_button: **Non-federated**<br> :black_square_button: **Federated**: federated authentication requires a third-party federation service |
| **Hybrid** | :black_square_button: **Non-federated**:<br>&emsp; :black_square_button: **Key trust** requires [Password hash synchronization (PHS)][ENTRA-6] or [Microsoft Entra pass-through authentication (PTA)][ENTRA-7]<br><br> :black_square_button: **Federated**: federated authentication requires AD FS or a third-party federation service<br>&emsp; :black_square_button: **Certificate trust** doesn't support [PTA][ENTRA-7] or [(PHS)][ENTRA-6]. Active Directory must be federated with Microsoft Entra ID using AD FS. Additionally, you must configure your AD FS farm to support Microsoft Entra registered devices | | **Hybrid** | :black_square_button: **Non-federated**:<br>&emsp; :black_square_button: **Key trust** requires [Password hash synchronization (PHS)][ENTRA-6] or [Microsoft Entra pass-through authentication (PTA)][ENTRA-7]<br><br> :black_square_button: **Federated**: federated authentication requires AD FS or a third-party federation service<br>&emsp; :black_square_button: **Certificate trust** doesn't support [PTA][ENTRA-7] or [PHS][ENTRA-6]. Active Directory must be federated with Microsoft Entra ID using AD FS. Additionally, you must configure your AD FS farm to support Microsoft Entra registered devices |
| **On-premises** | AD FS | | **On-premises** | AD FS |
### Device registration ### Device registration
@ -160,11 +156,11 @@ Hybrid and on-premises deployments use directory synchronization, however, each
The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a *strong credential* that enables easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication. However, the user must provide a second factor of authentication before Windows provisions a strong credential: The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a *strong credential* that enables easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication. However, the user must provide a second factor of authentication before Windows provisions a strong credential:
- For cloud-only and hybrid deployments, ther are different choices for multifactor authentication, including [Microsoft Entra MFA][ENTRA-1] - For cloud-only and hybrid deployments, there are different choices for multifactor authentication, including [Microsoft Entra MFA][ENTRA-1]
- On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from third-party options that offer an AD FS MFA adapter. For more infomration, see [Microsoft and third-party additional authentication methods][SER-2] - On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from third-party options that offer an AD FS MFA adapter. For more information, see [Microsoft and third-party additional authentication methods][SER-2]
> [!IMPORTANT] > [!IMPORTANT]
> As of July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication. Existing deployment where the MFA Server was activated prior to July 1, 2019 can download the latest version, future updates, and generate activation credentials. See [Getting started with the Azure Multi-Factor Authentication Server][ENTRA-2] for more details. > As of July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication. Existing deployment where the MFA Server was activated prior to July 1, 2019 can download the latest version, future updates, and generate activation credentials. For more information, see [Getting started with the Azure Multi-Factor Authentication Server][ENTRA-2].
| Deployment model | MFA options | | Deployment model | MFA options |
|-|-| |-|-|
@ -210,7 +206,7 @@ Here are some considerations regarding licensing requirements for cloud services
- Windows Hello for Business doesn't require a Microsoft Entra ID P1 or P2 subscription. However, some dependencies, such as [MDM automatic enrollment](/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](/azure/active-directory/conditional-access/overview) do - Windows Hello for Business doesn't require a Microsoft Entra ID P1 or P2 subscription. However, some dependencies, such as [MDM automatic enrollment](/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](/azure/active-directory/conditional-access/overview) do
- Devices managed via MDM don't require a Microsoft Entra ID P1 or P2 subscription. By forgoing the subscription, users must manually enroll devices in the MDM solution, such as Microsoft Intune or a supported third-party MDM - Devices managed via MDM don't require a Microsoft Entra ID P1 or P2 subscription. By forgoing the subscription, users must manually enroll devices in the MDM solution, such as Microsoft Intune or a supported third-party MDM
- You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication for the Windows passwordless features - You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication for the Windows passwordless features
- Some Microsoft Entra multifactor authentication features require a license. For more details, see [Features and licenses for Microsoft Entra multifactor authentication](/azure/active-directory/authentication/concept-mfa-licensing). - Some Microsoft Entra multifactor authentication features require a license. For more information, see [Features and licenses for Microsoft Entra multifactor authentication](/azure/active-directory/authentication/concept-mfa-licensing).
- Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature - Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature
| Deployment model | Cloud services licenses (minimum) | | Deployment model | Cloud services licenses (minimum) |
@ -265,32 +261,13 @@ Now that you've read about the different deployment options and requirements, yo
> [!div class="op_multi_selector" title1="Deployment model:" title2="Trust type:"] > [!div class="op_multi_selector" title1="Deployment model:" title2="Trust type:"]
> To learn more about the deployment process, chose a deployment model and trust type from the following drop-down lists: > To learn more about the deployment process, chose a deployment model and trust type from the following drop-down lists:
> >
> - [(cloud-only|Microsoft Entra ID)](cloud.md) > - [(cloud-only|Microsoft Entra ID)](cloud-only.md)
> - [(hybrid | cloud Kerberos trust)](hybrid-cloud-kerberos-trust.md) > - [(hybrid | cloud Kerberos trust)](hybrid-cloud-kerberos-trust.md)
> - [(hybrid | key trust)](hybrid-key-trust.md) > - [(hybrid | key trust)](hybrid-key-trust.md)
> - [(hybrid | certificate trust)](hybrid-cert-trust.md) > - [(hybrid | certificate trust)](hybrid-cert-trust.md)
> - [(on-premises | key trust)](on-premises-key-trust.md) > - [(on-premises | key trust)](on-premises-key-trust.md)
> - [(on-premises | certificate trust)](on-premises-cert-trust.md) > - [(on-premises | certificate trust)](on-premises-cert-trust.md)
<!--
## On devices owned by the organization
When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
Next, they select a way to connect. Tell the people in your enterprise which option they should pick here.
They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on.
## On personal devices
People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials.
People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device.
-->
<!--links--> <!--links-->
[ENTRA-1]: /entra/identity/authentication/concept-mfa-howitworks [ENTRA-1]: /entra/identity/authentication/concept-mfa-howitworks

10
windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
View File

@ -9,6 +9,16 @@ ms.topic: tutorial
[!INCLUDE [requirements](includes/requirements.md)] [!INCLUDE [requirements](includes/requirements.md)]
> [!div class="checklist"]
>
> - [Public Key Infrastructure](index.md#public-key-infrastructure-pki)
> - [Authentication](index.md#authentication)
> - [Device configuration](index.md#device-configuration)
> - [Licensing for cloud services](index.md#licensing-for-cloud-services)
> - [Windows requirements](index.md#windows-requirements)
> - [Windows Server requirements](index.md#windows-server-requirements)
> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello)
## Deployment steps ## Deployment steps
Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:

10
windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
View File

@ -11,6 +11,16 @@ ms.topic: tutorial
[!INCLUDE [requirements](includes/requirements.md)] [!INCLUDE [requirements](includes/requirements.md)]
> [!div class="checklist"]
>
> - [Public Key Infrastructure](index.md#public-key-infrastructure-pki)
> - [Authentication](index.md#authentication)
> - [Device configuration](index.md#device-configuration)
> - [Licensing for cloud services](index.md#licensing-for-cloud-services)
> - [Windows requirements](index.md#windows-requirements)
> - [Windows Server requirements](index.md#windows-server-requirements)
> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello)
## Deployment steps ## Deployment steps
Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:

2
windows/security/identity-protection/hello-for-business/deploy/toc.yml
View File

@ -2,7 +2,7 @@ items:
- name: Plan a Windows Hello for Business Deployment - name: Plan a Windows Hello for Business Deployment
href: index.md href: index.md
- name: Cloud-only deployment - name: Cloud-only deployment
href: cloud.md href: cloud-only.md
- name: Hybrid deployments - name: Hybrid deployments
items: items:
- name: Cloud Kerberos trust deployment - name: Cloud Kerberos trust deployment