deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 02:13:43 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update Windows Hello for Business deployment documentation

Browse Source
This commit is contained in:
Paolo Matarazzo
2023-12-29 11:36:30 -05:00
parent a980e252a2
commit 826e568822
10 changed files with 60 additions and 123 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
View File

@ -5,7 +5,7 @@ ms.date: 12/15/2023
ms.topic: tutorial
---
# Configure Active Directory Federation Services - hybrid certificate trust
# Configure Active Directory Federation Services in a hybrid certificate trust model
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]

131
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
View File

@ -5,7 +5,7 @@ ms.date: 12/15/2023
ms.topic: tutorial
---
# Configure and provision Windows Hello for Business - hybrid certificate trust
# Configure and provision Windows Hello for Business in hybrid certificate trust model
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
@ -15,25 +15,10 @@ After the prerequisites are met and the PKI and AD FS configurations are validat
# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
> [!IMPORTANT]
> The information in this section applies to Microsoft Entra hybrid joined devices only.
[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]
For Microsoft Entra hybrid joined devices, you can use group policies to configure Windows Hello for Business.
It is suggested to create a security group (for example, *Windows Hello for Business Users*) to make it easy to deploy Windows Hello for Business in phases. You assign the **Group Policy** and **Certificate template permissions** to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate.
### Enable Windows Hello for Business group policy setting
The *Enable Windows Hello for Business* group policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to **enabled**.\
You can configure the *Enable Windows Hello for Business* setting for computer or users:
- Deploying this policy setting to computers (or group of computers) results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment
- Deploying this policy setting to a user (or group of users), results in only that user attempting a Windows Hello for Business enrollment
If both user and computer policy settings are deployed, the user policy setting has precedence.
### Use certificate for on-premises authentication group policy setting
The *Use certificate for on-premises authentication* group policy setting determines if the deployment uses the *key-trust* or *certificate trust* authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust authentication.
> [!TIP]
> Use the same *Windows Hello for Business Users* security group to assign **Certificate template permissions** to ensure the same members can enroll in the Windows Hello for Business authentication certificate.
### Enable automatic enrollment of certificates group policy setting
@ -41,56 +26,24 @@ Windows Hello for Business provisioning performs the initial enrollment of the W
The process requires no user interaction, provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
### Enable and configure Windows Hello for Business with group policy
[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
1. Start the **Group Policy Management Console** (gpmc.msc)
1. Expand the domain and select the **Group Policy Object** node in the navigation pane
1. Right-click **Group Policy object** and select **New**
1. Type *Enable Windows Hello for Business* in the name box and select **OK**
1. In the content pane, right-click the **Enable Windows Hello for Business** group policy object and select **Edit**
1. In the navigation pane, expand **Policies** under **User Configuration**
1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**
1. In the content pane, open **Use Windows Hello for Business**. Select **Enable > OK**
1. Open **Use certificate for on-premises authentication**. Select **Enable > OK**
1. Expand **Windows Settings > Security Settings > Public Key Policies**
1. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**
1. Select **Enabled** from the **Configuration Model** list
1. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check boxes
1. Select the **Update certificates that use certificate templates** check box
1. Select **OK**
1. Close the **Group Policy Management Editor**
| Group policy path | Group policy setting | Value |
| - | - | - |
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**<br>or<br> **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use Windows Hello for Business| **Enabled**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**<br>or<br> **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use certificate for on-premises authentication| **Enabled**|
| **Computer Configuration\Windows Settings\Security Settings\Public Key Policies**<br>or<br> **User Configuration\Windows Settings\Security Settings\Public Key Policies** |Certificate Services Client - Auto-Enrollment| - Select **Enabled** from the **Configuration Model**<br>- Select the **Renew expired certificates, update pending certificates, and remove revoked certificates**<br>- Select **Update certificates that use certificate templates**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
> [!NOTE]
> Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*.
>
> For more information about these policies, see [Windows Hello for Business policy settings](../policy-settings.md).
> The enablement of the *Use a hardware security device* policy setting is optional, but recommended.
### Configure security for GPO
[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout.
> [!TIP]
> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
1. Start the **Group Policy Management Console** (gpmc.msc)
1. Expand the domain and select the **Group Policy Object** node in the navigation pane
1. Open the **Enable Windows Hello for Business** GPO
1. In the **Security Filtering** section of the content pane, select **Add**. Type the name of the security group you previously created (for example, *Windows Hello for Business Users*) and select **OK**
1. Select the **Delegation** tab. Select **Authenticated Users > Advanced**
1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**
### Deploy the Windows Hello for Business Group Policy object
The application of Group Policy object uses security group filtering. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
1. Start the **Group Policy Management Console** (gpmc.msc)
1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO**
1. In the **Select GPO** dialog box, select *Enable Windows Hello for Business* or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
### Add members to the targeted group
Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business.
# [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune)
## Configure Windows Hello for Business using Microsoft Intune
@ -100,53 +53,29 @@ Users (or devices) must receive the Windows Hello for Business group policy sett
> - [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md)
> - [Using Certificates for AADJ On-premises Single-sign On](../hello-hybrid-aadj-sso-cert.md)
For Microsoft Entra joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
There are different ways to enable and configure Windows Hello for Business in Intune:
If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to enable Windows Hello for Business a policy using an *settings catalog* policy.
- Using a policy applied at the tenant level. The tenant policy:
- Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
- It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. Choose from the following policy types:
- [Settings catalog][MEM-1]
- [Security baselines][MEM-2]
- [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
- [Account protection policy][MEM-5]
- [Identity protection policy template][MEM-6]
[!INCLUDE [intune-settings-catalog-enable-whfb](includes/intune-settings-catalog-enable-whfb.md)]
### Verify the tenant-wide policy
### Configure the certificate trust policy
To check the Windows Hello for Business policy applied at enrollment time:
[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Windows** > **Windows Enrollment**
1. Select **Windows Hello for Business**
1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
| Category | Setting name | Value |
|--|--|--|
| **Windows Hello for Business** | Use Certificate For On Prem Auth | Enabled |
:::image type="content" source="images/whfb-intune-disable.png" alt-text="Screenshot that shows disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
Alternatively, you can configure devices using a [custom policy][MEM-3] with the [PassportForWork CSP][CSP-1].
### Enable and configure Windows Hello for Business
| Setting |
|--------|
| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCertificateForOnPremAuth`<br>- **Data type:** `bool`<br>- **Value:** `True`|
To configure Windows Hello for Business using an *account protection* policy:
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Endpoint security** > **Account protection**
1. Select **+ Create Policy**
1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection**
1. Select **Create**
1. Specify a **Name** and, optionally, a **Description** > **Next**
1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available
- These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes**
- For more information about these policies, see [Windows Hello for Business policy settings](../policy-settings.md)
1. Under *Enable to certificate for on-premises resources*, select **YES**
1. Select **Next**
1. Optionally, add *scope tags* > **Next**
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
1. Review the policy configuration and select **Create**
:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Screenshot that shows enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png":::
For more information about the certificate trust policy, see [Windows Hello for Business policy settings](../policy-settings.md#use-certificate-for-on-premises-authentication).
---

1
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
View File

@ -4,6 +4,7 @@ description: Configure and validate the Public Key Infrastructure when deploying
ms.date: 12/18/2023
ms.topic: tutorial
---
# Configure and validate the PKI in a hybrid certificate trust model
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]

14
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
View File

@ -22,6 +22,16 @@ ms.topic: tutorial
> - [Licensing for cloud services](index.md#licensing-for-cloud-services)
> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello)
## Deployment steps
> [!div class="checklist"]
> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
>
> - [Configure and validate the Public Key Infrastructure](hybrid-cert-trust-pki.md)
> - [Configure Active Directory Federation Services](hybrid-cert-trust-adfs.md)
> - [Configure and enroll in Windows Hello for Business](hybrid-cert-trust-enroll.md)
> - (optional) [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md)
## Federated authentication to Microsoft Entra ID
Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. You must also configure the AD FS farm to support Azure registered devices.
@ -74,14 +84,10 @@ During Windows Hello for Business provisioning, users receive a sign-in certific
> [Next: configure and validate the Public Key Infrastructure >](hybrid-cert-trust-pki.md)
<!--links-->
[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
[AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication
[AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next
[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
[AZ-10]: /azure/active-directory/devices/howto-hybrid-azure-ad-join#federated-domains
[AZ-11]: /azure/active-directory/devices/hybrid-azuread-join-manual
[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
[SER-2]: /windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm
[SER-3]: /windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts
[SER-4]: /windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2

11
windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
View File

@ -19,6 +19,8 @@ ms.topic: tutorial
> - [Windows Server requirements](index.md#windows-server-requirements)
> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello)
When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
## Deployment steps
> [!div class="checklist"]
@ -53,13 +55,11 @@ For more information about how Microsoft Entra Kerberos works with Windows Hello
>
> Due to possible attack vectors from Microsoft Entra ID to Active Directory, it's not recommended to unblock these accounts by relaxing the Password Replication Policy of the computer object `CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>`.
When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
## Configure Windows Hello for Business policy settings
After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
# [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune)
Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
@ -104,7 +104,7 @@ You can also create a Group Policy Central Store and copy them their respective
| Group policy path | Group policy setting | Value |
| - | - | - |
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use Windows Hello for Business| **Enabled**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**<br>or<br> **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use cloud Kerberos trust for on-premises authentication| **Enabled**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
@ -118,6 +118,9 @@ You can also create a Group Policy Central Store and copy them their respective
---
> [!NOTE]
> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../../configure.md#policy-conflicts-from-multiple-policy-sources)
Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
> [!IMPORTANT]

13
windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
View File

@ -1,17 +1,17 @@
---
title: Windows Hello for Business hybrid key trust clients configuration and enrollment
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario.
ms.date: 01/03/2023
ms.date: 12/29/2023
ms.topic: tutorial
---
# Configure and enroll in Windows Hello for Business - hybrid key trust
# Configure and enroll in Windows Hello for Business in a hybrid key trust model
[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
After the prerequisites are met and the PKI configuration is validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
# [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune)
Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
@ -23,13 +23,11 @@ If the Intune tenant-wide policy is enabled and configured to your needs, you ca
[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]
### Configure the Windows Hello for Business with group policy
[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
| Group policy path | Group policy setting | Value |
| - | - | - |
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use Windows Hello for Business| **Enabled**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**<br>or<br> **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
> [!NOTE]
@ -42,6 +40,9 @@ If the Intune tenant-wide policy is enabled and configured to your needs, you ca
---
> [!NOTE]
> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../../configure.md#policy-conflicts-from-multiple-policy-sources)
Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
## Enroll in Windows Hello for Business

BIN
windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 242 KiB

3
windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md
View File

@ -15,6 +15,3 @@ You can configure the *Enable Windows Hello for Business* setting for computer o
- Deploying this policy setting to a user (or group of users), results in only that user attempting a Windows Hello for Business enrollment
If both user and computer policy settings are deployed, the user policy setting has precedence.
> [!NOTE]
> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../../configure.md#policy-conflicts-from-multiple-policy-sources)

4
windows/security/identity-protection/hello-for-business/deploy/index.md
View File

@ -47,7 +47,7 @@ It's fundamentally important to understand which deployment model to use for a s
There are three deployment models from which you can choose:
| | Deployment model | Description |
| :ballot_box_with_check: | Deployment model | Description |
|--|--|--|
| :black_square_button: | **Cloud-only** |For organizations that only have cloud identities and don't access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint Online, OneDrive, and others. Also, since the users don't use on-premises resources, they don't need certificates for things like VPN because everything they need is hosted in cloud services|
| :black_square_button: | **Hybrid** |For organizations that have identities synchronized from Active Directory to Microsoft Entra ID. These organizations use applications registered in Microsoft Entra ID, and want a single sign-on (SSO) experience for both on-premises and Microsoft Entra resources|
@ -68,7 +68,7 @@ The deployment of certificates to users and Domain Controllers requires more con
There are three trust types from which you can choose:
| | Trust type | Description |
| :ballot_box_with_check: | Trust type | Description |
|--|--|--|
| :black_square_button: | **Cloud Kerberos trust**| Users authenticate to Active Directory by requesting a TGT from Microsoft Entra ID, using Microsoft Entra Kerberos. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization. Cloud Kerberos trust uses the same infrastructure required for FIDO2 security key sign-in, and it can be used for new or existing Windows Hello for Business deployments. |
| :black_square_button: | **Key trust**| Users authenticate to the on-premises Active Directory using a device-bound key (hardware or software) created during the Windows Hello provisioning experience. It requires to distribute certificates to domain controllers. |

4
windows/security/identity-protection/hello-for-business/deploy/toc.yml
View File

@ -12,7 +12,7 @@ items:
- name: Requirements and validation
href: hybrid-key-trust.md
displayName: key trust
- name: Configure and provision Windows Hello for Business
- name: Configure and enroll in Windows Hello for Business
href: hybrid-key-trust-enroll.md
displayName: key trust
- name: Configure SSO for Microsoft Entra joined devices
@ -20,7 +20,7 @@ items:
displayName: key trust
- name: Certificate trust deployment
items:
- name: Requirements and validation
- name: Overview
href: hybrid-cert-trust.md
displayName: certificate trust
- name: Configure and validate Public Key Infrastructure (PKI)