From b2a7fc3bc9e14094df5a9113f08a0638a2ca4c91 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 13 Jul 2020 11:07:10 +0500 Subject: [PATCH 1/4] Link to deployment of PKI page As suggested by user that content is missing in the document, I have linked the page with the deployment of PKI certificate. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6360 --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 5a7e9bb20a..898d43aaaa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -76,7 +76,7 @@ The minimum required Enterprise certificate authority that can be used with Wind * The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template. * The domain controller certificate must be installed in the local computer's certificate store. - +See [Step-by-step example deployment of the PKI certificates](https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates). > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: From efe389ee3bf4f59a53bd47737fa6e2fc6c2ff778 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 13 Jul 2020 14:45:26 +0500 Subject: [PATCH 2/4] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 898d43aaaa..1772e4de58 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -74,7 +74,7 @@ The minimum required Enterprise certificate authority that can be used with Wind * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5). * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. * The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template. -* The domain controller certificate must be installed in the local computer's certificate store. +* The domain controller certificate must be installed in the local computer's certificate store. See [Step-by-step example deployment of the PKI certificates for Configuration Manager: Windows Server 2008 certification authority](https://docs.microsoft.com/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates) for details. See [Step-by-step example deployment of the PKI certificates](https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates). From d46766bceefc57e2f3024b2ba5237f36b127dc10 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 13 Jul 2020 14:45:51 +0500 Subject: [PATCH 3/4] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 1772e4de58..d595c23de0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -76,7 +76,6 @@ The minimum required Enterprise certificate authority that can be used with Wind * The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template. * The domain controller certificate must be installed in the local computer's certificate store. See [Step-by-step example deployment of the PKI certificates for Configuration Manager: Windows Server 2008 certification authority](https://docs.microsoft.com/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates) for details. -See [Step-by-step example deployment of the PKI certificates](https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates). > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: From 8efa046a314e4ba3cb053801f1771fdb1ebb2c23 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 30 Jul 2020 08:15:55 +0500 Subject: [PATCH 4/4] Added certificate deployment Updated certificate deployment for WHFB as suggested by @mapalko. --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index d595c23de0..1ef40f8957 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -74,7 +74,7 @@ The minimum required Enterprise certificate authority that can be used with Wind * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5). * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. * The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template. -* The domain controller certificate must be installed in the local computer's certificate store. See [Step-by-step example deployment of the PKI certificates for Configuration Manager: Windows Server 2008 certification authority](https://docs.microsoft.com/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates) for details. +* The domain controller certificate must be installed in the local computer's certificate store. See [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki) for details. > [!IMPORTANT]