mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 13:57:22 +00:00
updates
This commit is contained in:
parent
97652a4827
commit
80e5c86d74
@ -10,7 +10,7 @@ ms.topic: tutorial
|
|||||||
|
|
||||||
[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
|
[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
|
||||||
|
|
||||||
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients, to ensure they are not communicating with a rogue domain controller.
|
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
|
||||||
|
|
||||||
## Deploy an enterprise certification authority
|
## Deploy an enterprise certification authority
|
||||||
|
|
||||||
@ -20,7 +20,7 @@ This guide assumes most enterprises have an existing public key infrastructure.
|
|||||||
|
|
||||||
The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**.
|
The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**.
|
||||||
|
|
||||||
Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority installed.
|
Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed.
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>Never install a certification authority on a domain controller in a production environment.
|
>Never install a certification authority on a domain controller in a production environment.
|
||||||
@ -30,7 +30,7 @@ Sign in using *Enterprise Administrator* equivalent credentials on a Windows Ser
|
|||||||
```PowerShell
|
```PowerShell
|
||||||
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
|
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
|
||||||
```
|
```
|
||||||
3. Use the following command to configure the certification authority using a basic certification authority configuration
|
3. Use the following command to configure the CA using a basic certification authority configuration
|
||||||
```PowerShell
|
```PowerShell
|
||||||
Install-AdcsCertificationAuthority
|
Install-AdcsCertificationAuthority
|
||||||
```
|
```
|
||||||
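Review bot: the rewritten step still repeats the expanded term right after the abbreviation it just introduced (`configure the CA using a basic certification authority configuration`); suggest `configure the CA with a basic configuration`. Separately, `Install-AdcsCertificationAuthority` with no parameters relies on the cmdlet's defaults and confirmation prompt for the CA type; since the section is titled for an enterprise CA, passing `-CAType EnterpriseRootCA` makes the intended lab configuration explicit and reproducible.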
@ -41,13 +41,13 @@ If you have an existing PKI, review [Certification Authority Guidance](/previous
|
|||||||
|
|
||||||
### Configure domain controller certificates
|
### Configure domain controller certificates
|
||||||
|
|
||||||
Clients must to trust the domain controllers, and the way to do this is to ensure each domain controller has a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the enterprise certification authority.
|
Clients must trust the domain controllers, and to it each domain controller must have a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the *enterprise certification authority*.
|
||||||
|
|
||||||
Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certification authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the *KDC Authentication* object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template.
|
Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the *KDC Authentication* object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template.
|
||||||
|
|
||||||
By default, the Active Directory certification authority provides and publishes the *Kerberos Authentication* certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the *Kerberos Authentication* certificate template as a *baseline* to create an updated domain controller certificate template.
|
By default, the Active Directory CA provides and publishes the *Kerberos Authentication* certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the *Kerberos Authentication* certificate template as a *baseline* to create an updated domain controller certificate template.
|
||||||
|
|
||||||
Sign in to a certification authority or management workstations with *Domain Admintistrator* equivalent credentials.
|
Sign in to a CA or management workstations with *Domain Admintistrator* equivalent credentials.
|
||||||
|
|
||||||
1. Open the **Certification Authority** management console
|
1. Open the **Certification Authority** management console
|
||||||
1. Right-click **Certificate Templates > Manage**
|
1. Right-click **Certificate Templates > Manage**
|
||||||
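Review bot: the rewritten first sentence drops a word: `Clients must trust the domain controllers, and to it each domain controller must have a *Kerberos Authentication* certificate` should read `and to do so, each domain controller must have ...`. The sign-in line in the same hunk keeps the misspelling `*Domain Admintistrator*` on both sides of the diff and pairs a singular article with the plural `management workstations`; suggest `Sign in to a CA or management workstation with *Domain Administrator* equivalent credentials`.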
@ -62,7 +62,7 @@ Sign in to a certification authority or management workstations with *Domain Adm
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
|
> If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
|
||||||
1. On the **Subject Name** tab:
|
1. On the **Subject Name** tab:
|
||||||
- Select the **Build from this Active Directory information** button if it is not already selected
|
- Select the **Build from this Active Directory information** button if it isn't already selected
|
||||||
- Select **None** from the **Subject name format** list
|
- Select **None** from the **Subject name format** list
|
||||||
- Select **DNS name** from the **Include this information in alternate subject** list
|
- Select **DNS name** from the **Include this information in alternate subject** list
|
||||||
- Clear all other items
|
- Clear all other items
|
||||||
@ -79,9 +79,9 @@ Sign in to a certification authority or management workstations with *Domain Adm
|
|||||||
The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension.
|
The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension.
|
||||||
|
|
||||||
The *Kerberos Authentication* certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.\
|
The *Kerberos Authentication* certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.\
|
||||||
The *autoenrollment* feature allows to easily replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the *Kerberos Authentication* certificate template.
|
The *autoenrollment* feature allows to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the *Kerberos Authentication* certificate template.
|
||||||
|
|
||||||
Sign in to a certification authority or management workstations with *Enterprise Administrator* equivalent credentials.
|
Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials.
|
||||||
|
|
||||||
1. Open the **Certification Authority** management console
|
1. Open the **Certification Authority** management console
|
||||||
1. Right-click **Certificate Templates > Manage**
|
1. Right-click **Certificate Templates > Manage**
|
||||||
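Review bot: `The *autoenrollment* feature allows to replace the domain controller certificates` is still ungrammatical after dropping `easily`; suggest `allows you to replace` or `makes it easy to replace`. The sign-in line again uses the plural `management workstations` after a singular article; suggest `a CA or management workstation`.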
@ -93,13 +93,13 @@ Sign in to a certification authority or management workstations with *Enterprise
|
|||||||
1. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab
|
1. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab
|
||||||
1. Select **OK** and close the **Certificate Templates** console
|
1. Select **OK** and close the **Certificate Templates** console
|
||||||
|
|
||||||
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until the certificate template is published to one or more certificate authorities.
|
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates isn't active until the certificate template is published to one or more certificate authorities.
|
||||||
|
|
||||||
### Configure an internal web server certificate template
|
### Configure an internal web server certificate template
|
||||||
|
|
||||||
Windows clients use the https protocol when communicating with Active Directory Federation Services (AD FS). To meet this need, you must issue a server authentication certificate to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running theAD FS can request the certificate.
|
Windows clients use the https protocol when communicating with Active Directory Federation Services (AD FS). To meet this need, you must issue a server authentication certificate to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running theAD FS can request the certificate.
|
||||||
|
|
||||||
Sign in to a certification authority or management workstations with *Domain Administrator* equivalent credentials.
|
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
|
||||||
|
|
||||||
1. Open the **Certification Authority** management console
|
1. Open the **Certification Authority** management console
|
||||||
1. Right-click **Certificate Templates** and select **Manage**
|
1. Right-click **Certificate Templates** and select **Manage**
|
||||||
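Review bot: the unchanged context line in this hunk still carries the typo `theAD FS` (`so the host running theAD FS can request the certificate`); since the paragraph is being touched anyway, fix it to `the AD FS server`, and write `https` as `HTTPS` when naming the protocol. In the superseded-templates paragraph, `the certificate template and the superseding of certificate templates isn't active` pairs a compound subject with a singular verb; `aren't active`, or simply `the superseding isn't active until the template is published`, reads cleanly.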
@ -114,7 +114,7 @@ Sign in to a certification authority or management workstations with *Domain Adm
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
|
> If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
|
||||||
1. On the **Request Handling** tab, select **Allow private key to be exported**
|
1. On the **Request Handling** tab, select **Allow private key to be exported**
|
||||||
1. On the **Subject** tab, select the **Supply in the request** button if it is not already selected
|
1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected
|
||||||
1. On the **Security** tab:
|
1. On the **Security** tab:
|
||||||
- Select **Add**
|
- Select **Add**
|
||||||
- Type **Domain Computers** in the **Enter the object names to select** box
|
- Type **Domain Computers** in the **Enter the object names to select** box
|
||||||
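Review bot: the step `On the **Request Handling** tab, select **Allow private key to be exported**` would benefit from a one-line reason, because an exportable private key widens the exposure of the AD FS server authentication key; the earlier paragraph already states that the certificate must be issued to all nodes in the AD FS farm, so tying the two together (the key is exportable so the same certificate can be installed on every farm node) tells the reader why the setting is needed for this template rather than as a general default.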
@ -130,27 +130,22 @@ Sign in to a certification authority or management workstations with *Domain Adm
|
|||||||
|
|
||||||
### Unpublish Superseded Certificate Templates
|
### Unpublish Superseded Certificate Templates
|
||||||
|
|
||||||
The certification authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certification authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates.
|
The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates.
|
||||||
|
|
||||||
The newly created *domain controller authentication* certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
|
The newly created *domain controller authentication* certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
|
||||||
|
|
||||||
Sign in to the certification authority or management workstation with *Enterprise Administrator* equivalent credentials.
|
Sign in to the CA or management workstation with *Enterprise Administrator* equivalent credentials.
|
||||||
|
|
||||||
1. Open the **Certification Authority** management console.
|
1. Open the **Certification Authority** management console
|
||||||
|
1. Expand the parent node from the navigation pane > **Certificate Templates**
|
||||||
|
1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window
|
||||||
|
1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates
|
||||||
|
|
||||||
2. Expand the parent node from the navigation pane.
|
### Publish certificate templates to the CA
|
||||||
|
|
||||||
3. Click **Certificate Templates** in the navigation pane.
|
A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
|
||||||
|
|
||||||
4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
|
Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
|
||||||
|
|
||||||
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
|
|
||||||
|
|
||||||
### Publish Certificate Templates to the certification authority
|
|
||||||
|
|
||||||
The certification authority may only issue certificates for certificate templates that are published to that certification authority. If you have more than one certification authority and you want that certification authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
|
|
||||||
|
|
||||||
Sign in to the certification authority or management workstations with **Enterprise Admin** equivalent credentials.
|
|
||||||
|
|
||||||
1. Open the **Certification Authority** management console
|
1. Open the **Certification Authority** management console
|
||||||
1. Expand the parent node from the navigation pane
|
1. Expand the parent node from the navigation pane
|
||||||
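Review bot: the paragraph after the heading calls the new template `*domain controller authentication*`, but step 4 of the procedure tells the reader to delete the *Domain Controller Authentication* template (and the *Kerberos Authentication* template, which the earlier section names as the baseline for the new one); use the new template's exact display name here so readers do not delete the template they just created. Two smaller points: in the new publish paragraph, `you want more CAs to issue certificates` should be `other CAs`, and the sign-in line uses bold `**Enterprise Admin**` where every other sign-in line in the file uses italic `*Enterprise Administrator*`. Replacing `For defense in depth security` with `For security` is fine but drops the rationale for unpublishing; `To reduce the attack surface` would keep it.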
@ -163,7 +158,7 @@ Sign in to the certification authority or management workstations with **Enterpr
|
|||||||
|
|
||||||
### Configure automatic certificate enrollment for the domain controllers
|
### Configure automatic certificate enrollment for the domain controllers
|
||||||
|
|
||||||
Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment, linking the Group Policy object to the *Domain Controllers* OU.
|
Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates, create and configure a Group Policy Object (GPO) for automatic certificate enrollment, linking the Group Policy object to the *Domain Controllers* Organizational Unit (OU).
|
||||||
|
|
||||||
1. Open the **Group Policy Management Console** (gpmc.msc)
|
1. Open the **Group Policy Management Console** (gpmc.msc)
|
||||||
1. Expand the domain and select the **Group Policy Object** node in the navigation pane
|
1. Expand the domain and select the **Group Policy Object** node in the navigation pane
|
||||||
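Review bot: after defining the abbreviation with `Group Policy Object (GPO)`, the same sentence reverts to `linking the Group Policy object`; use `linking the GPO` so the new abbreviation is applied consistently from the point it is introduced.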
@ -179,7 +174,7 @@ Domain controllers automatically request a certificate from the *Domain controll
|
|||||||
1. Select **OK**
|
1. Select **OK**
|
||||||
1. Close the **Group Policy Management Editor**
|
1. Close the **Group Policy Management Editor**
|
||||||
|
|
||||||
### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
|
### Deploy the domain controller auto certificate enrollment GPO
|
||||||
|
|
||||||
Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials.
|
Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials.
|
||||||
|
|
||||||
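Review bot: the unchanged sign-in line reads `Sign in to domain controller or management workstations`; while the heading is being retitled in this hunk, fix the article and number as well: `Sign in to a domain controller or management workstation`.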
@ -194,7 +189,7 @@ Windows Hello for Business is a distributed system, which on the surface appears
|
|||||||
|
|
||||||
You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred.
|
You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred.
|
||||||
|
|
||||||
### Use the Event Logs
|
### Use the event logs
|
||||||
|
|
||||||
Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials.
|
Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials.
|
||||||
|
|
||||||
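Review bot: `You need to check each domain controller that autoenrollment for the computer occurred` is left untouched but is hard to parse; suggest `On each domain controller, verify that computer certificate autoenrollment occurred and that no superseded template was enrolled`, which also folds in the first sentence's point about unnecessary certificates.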
@ -209,7 +204,7 @@ Certificates superseded by your new domain controller certificate generate an ar
|
|||||||
|
|
||||||
### Certificate Manager
|
### Certificate Manager
|
||||||
|
|
||||||
You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager.
|
You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates don't appear in Certificate Manager.
|
||||||
|
|
||||||
### Certutil.exe
|
### Certutil.exe
|
||||||
|
|
||||||
|
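Review bot: the unchanged part of the Certificate Manager paragraph has `view certificate in the local computers certificate stores`; while editing the contraction, also fix it to `view the certificates in the local computer's certificate store`. The paragraph should also name which EKU to look for (the *KDC Authentication* OID called out earlier in the file) so that `the proper EKUs` is something the reader can actually verify.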
@ -5,4 +5,4 @@ ms.date: 12/08/2022
|
|||||||
ms.topic: include
|
ms.topic: include
|
||||||
---
|
---
|
||||||
|
|
||||||
[Domain join :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md "Devices that are domain joined do not have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices")
|
[domain join :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md "Devices that are domain joined do not have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices")
|
@ -5,4 +5,4 @@ ms.date: 12/08/2022
|
|||||||
ms.topic: include
|
ms.topic: include
|
||||||
---
|
---
|
||||||
|
|
||||||
[Hybrid Azure AD join :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are hybrid Azure AD joined don't have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Azure AD will have single-sign on to both Active Directory and Azure AD-protected resources")
|
[hybrid Azure AD join :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are hybrid Azure AD joined don't have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Azure AD will have single-sign on to both Active Directory and Azure AD-protected resources")
|
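Review bot: the tooltip's opening `Devices that are hybrid Azure AD joined don't have any dependencies on Azure AD` repeats the wording of the domain join include above and sits oddly beside the tooltip's own third sentence, which describes single sign-on to Azure AD-protected resources; reword the hybrid tooltip for the hybrid case rather than only lowercasing the link text. Also, `local users accounts` should be `local user accounts` in both includes.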