From 9365bc75a6e571b764f776cc0dedb92edbe1514b Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 30 Dec 2022 10:53:39 -0500
Subject: [PATCH] updates
---
.../hello-hybrid-aadj-sso.md | 143 +++++++++---------
.../hello-hybrid-key-trust-validate-pki.md | 3 +-
.../includes/dc-certificate-deployment.md | 2 +
.../includes/dc-certificate-template.md | 2 +-
4 files changed, 76 insertions(+), 74 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index eae27bda42..e94f7cb2e0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -116,74 +116,73 @@ These procedures configure NTFS and share permissions on the web server to allow
1. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing**
1. Select **Share this folder**. Type **cdp$** in **Share name**. Select **Permissions**

-1. In the **Permissions for cdp$** dialog box, select **Add**.
-1. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**. In the **Object Types** dialog box, select **Computers**, and then select **OK**.
-1. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then select **Check Names**. Select **OK**.
-1. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**.
+1. In the **Permissions for cdp$** dialog box, select **Add**
+1. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**. In the **Object Types** dialog box, select **Computers**, and then select **OK**
+1. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then select **Check Names**. Select **OK**
+1. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**

-1. In the **Advanced Sharing** dialog box, select **OK**.
+1. In the **Advanced Sharing** dialog box, select **OK**
> [!Tip]
> Make sure that users can access **\\\Server FQDN\sharename**.
### Disable Caching
-1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
-2. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing**.
-3. Select **Caching**. Select **No files or programs from the shared folder are available offline**.
+1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server)
+1. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing**
+1. Select **Caching**. Select **No files or programs from the shared folder are available offline**

-4. Select **OK**.
+1. Select **OK**
### Configure NTFS permission for the CDP folder
-1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
-2. Right-click the **cdp** folder and select **Properties**. Select the **Security** tab.
-3. On the **Security** tab, select Edit.
-5. In the **Permissions for cdp** dialog box, select **Add**.
+1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server)
+1. Right-click the **cdp** folder and select **Properties**. Select the **Security** tab
+1. On the **Security** tab, select Edit
+1. In the **Permissions for cdp** dialog box, select **Add**

-6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**. In the **Object Types** dialog box, select **Computers**. Select **OK**.
-7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then select **Check Names**. Select **OK**.
-8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**.
-9. Select **Close** in the **cdp Properties** dialog box.
+1. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**. In the **Object Types** dialog box, select **Computers**. Select **OK**
+1. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then select **Check Names**. Select **OK**
+1. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**
+1. Select **Close** in the **cdp Properties** dialog box
-Configure the new CRL distribution point and Publishing location in the issuing certificate authority
+Configure the new CDP and publishing location in the issuing CA
-### Configure the new CRL distribution point and Publishing location in the issuing certificate authority
+The web server is ready to host the CRL distribution point. Now, configure the issuing certificate authority to publish the CRL at the new location and to include the new CRL distribution point.
-The web server is ready to host the CRL distribution point. Now, configure the issuing certificate authority to publish the CRL at the new location and to include the new CRL distribution point
+### Configure the CRL distribution Point
-#### Configure the CRL distribution Point
-1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
-2. In the navigation pane, right-click the name of the certificate authority and select **Properties**
-3. Select **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
-4. On the **Extensions** tab, select **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, `` or `` (don't forget the trailing forward slash).
+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certification Authority** console from **Administrative Tools**
+1. In the navigation pane, right-click the name of the certificate authority and select **Properties**
+1. Select **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list
+1. On the **Extensions** tab, select **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, `` or `` (don't forget the trailing forward slash)

-5. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**.
-6. Type **.crl** at the end of the text in **Location**. Select **OK**.
-7. Select the CDP you just created.
+1. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**
+1. Type **.crl** at the end of the text in **Location**. Select **OK**
+1. Select the CDP you just created

-8. Select **Include in CRLs. Clients use this to find Delta CRL locations**.
-9. Select **Include in the CDP extension of issued certificates**.
-10. Select **Apply** save your selections. Select **No** when ask to restart the service.
+1. Select **Include in CRLs. Clients use this to find Delta CRL locations**
+1. Select **Include in the CDP extension of issued certificates**
+1. Select **Apply** save your selections. Select **No** when ask to restart the service
> [!NOTE]
> Optionally, you can remove unused CRL distribution points and publishing locations.
-#### Configure the CRL publishing location
+### Configure the CRL publishing location
-1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
-2. In the navigation pane, right-click the name of the certificate authority and select **Properties**
-3. Select **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
-4. On the **Extensions** tab, select **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (don't forget the trailing backwards slash).
-5. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**.
-6. Type **.crl** at the end of the text in **Location**. Select **OK**.
-7. Select the CDP you just created.
+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**
+1. In the navigation pane, right-click the name of the certificate authority and select **Properties**
+1. Select **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list
+1. On the **Extensions** tab, select **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (don't forget the trailing backwards slash)
+1. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**
+1. Type **.crl** at the end of the text in **Location**. Select **OK**
+1. Select the CDP you just created

-8. Select **Publish CRLs to this location**.
-9. Select **Publish Delta CRLs to this location**.
-10. Select **Apply** save your selections. Select **Yes** when ask to restart the service. Select **OK** to close the properties dialog box.
+1. Select **Publish CRLs to this location**
+1. Select **Publish Delta CRLs to this location**
+1. Select **Apply** save your selections. Select **Yes** when ask to restart the service. Select **OK** to close the properties dialog box
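Review bot: the console name is changed to **Certification Authority** only in the CDP procedure (`+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certification Authority** console`), while the publishing-location procedure in the same hunk still says **Certificate Authority** console; the MMC snap-in is named Certification Authority, so use that spelling in both places. Two pre-existing defects survive the rewrite and should be fixed while the lines are being touched: the example URL step reads `For example, `` or `` (don't forget the trailing forward slash)` with both code spans empty, and the three `Select **\** from the **Variable** list` steps name no variable at all (the picker entries needed for this path are `<CaName>`, `<CRLNameSuffix>` and `<DeltaCRLAllowed>`, and the same blanks recur in the publishing-location steps). Grammar in both closing steps: "Select **Apply** save your selections. Select **No** when ask to restart the service" should read "Select **Apply** to save your selections. Select **No** when asked to restart the service". The share and NTFS steps grant the CA computer account **Full control**; the CA only needs to write CRL files into the folder, so **Modify** is sufficient and is the least-privilege choice for a directory that is served over HTTP. Finally, "Configure the new CDP and publishing location in the issuing CA" replaces a `###` heading with a plain text line; if it is meant to stay a heading, keep the `###` marker.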
@@ -192,16 +191,16 @@ The web server is ready to host the CRL distribution point. Now, configure the i
### Publish a new CRL
-1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
-2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and select **Publish**
+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**
+1. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and select **Publish**

-3. In the **Publish CRL** dialog box, select **New CRL** and select **OK**.
+1. In the **Publish CRL** dialog box, select **New CRL** and select **OK**
-#### Validate CDP Publishing
+### Validate CDP Publishing
-Validate your new CRL distribution point is working.
+Validate the new CRL distribution point is working.
-1. Open a web browser. Navigate to `http://crl.[yourdomain].com/cdp`. You should see two files created from publishing your new CRL.
+1. Open a web browser. Navigate to `http://crl.[yourdomain].com/cdp`. You should see two files created from publishing the new CRL

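Review bot: the validation step tells the reader to expect "two files" without naming them; since the CA was configured to publish both base and delta CRLs to this location, say which two (the base CRL and the delta CRL, the latter carrying a `+` before the `.crl` extension) so a reader seeing only one file knows what is missing. The placeholder `http://crl.[yourdomain].com/cdp` also differs from the `http://crl.[domainname]/cdp/` form used when the CDP was added; use one placeholder form throughout. The first step of this hunk still reads **Certificate Authority** console while the earlier hunk switched to **Certification Authority**.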
@@ -212,29 +211,29 @@ Validate your new CRL distribution point is working.
With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point.
-1. Sign-in a domain controller using administrative credentials.
-2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
-3. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
+1. Sign-in a domain controller using administrative credentials
+1. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer
+1. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, select the existing domain controller certificate that includes **KDC Authentication** in the list of **Intended Purposes**

-4. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, select **Next**.
- 
-5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Select **Enroll**.
-6. After the enrollment completes, select **Finish** to close the wizard.
-7. Repeat this procedure on all your domain controllers.
+1. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, select **Next**
+ 
+1. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Select **Enroll**
+1. After the enrollment completes, select **Finish** to close the wizard
+1. Repeat this procedure on all your domain controllers
> [!NOTE]
-> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](./hello-deployment-guide.md) to learn how to deploy automatic certificate enrollment for domain controllers.
+> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](./hello-deployment-guide.md) to learn how to deploy automatic certificate enrollment for domain controllers.
> [!IMPORTANT]
> If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire.
-#### Validate CDP in the new certificate
+### Validate CDP in the new certificate
-1. Sign-in a domain controller using administrative credentials.
-2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
-3. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
-4. Select the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**.
-5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK**.
+1. Sign-in a domain controller using administrative credentials
+1. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer
+1. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**
+1. Select the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**
+1. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK**

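Review bot: the grammar fix applied in the renewal steps ("select the existing domain controller certificate that includes **KDC Authentication**") is not carried into the validation steps, which still read "double-click the existing domain controller certificate includes **KDC Authentication**"; apply the same "that includes" there. In the validation step the field is introduced as **CRL Distribution Points** and then selected as **CRL Distribution Point**; use the field's actual name both times. The rewritten line after the "Renew Certificate with New Key..." step is whitespace-only (a single space), which markdown linters flag; make it empty. The GUI check only confirms that the URL string is present in the certificate; consider adding a `certutil -verify -urlfetch` run against the exported domain controller certificate, which additionally retrieves the CRL from the new HTTP location and fails if the web server is not serving it.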
@@ -247,18 +246,18 @@ The domain controllers have a certificate that include the new CRL distribution
Export the enterprise root certificate
-1. Sign-in a domain controller using administrative credentials.
-1. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
-1. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
-1. Select the **Certification Path** tab. In the **Certification path** view, select the topmost node and select **View Certificate**.
+1. Sign-in a domain controller using administrative credentials
+1. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer
+1. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**
+1. Select the **Certification Path** tab. In the **Certification path** view, select the topmost node and select **View Certificate**

-1. In the new **Certificate** dialog box, select the **Details** tab. Select **Copy to File**.
+1. In the new **Certificate** dialog box, select the **Details** tab. Select **Copy to File**

-1. In the **Certificate Export Wizard**, select **Next**.
-1. On the **Export File Format** page of the wizard, select **Next**.
-1. On the **File to Export** page in the wizard, type the name and location of the root certificate and select **Next**. Select **Finish** and then select **OK** to close the success dialog box.
+1. In the **Certificate Export Wizard**, select **Next**
+1. On the **Export File Format** page of the wizard, select **Next**
+1. On the **File to Export** page in the wizard, type the name and location of the root certificate and select **Next**. Select **Finish** and then select **OK** to close the success dialog box

-1. Select **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**.
+1. Select **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**
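Review bot: the export steps say "On the **Export File Format** page of the wizard, select **Next**" without stating the format; the default is DER encoded binary X.509 (.CER), and whatever consumes this file later expects a specific encoding, so name it explicitly. The uncorrected phrase "certificate includes **KDC Authentication**" appears here again (should be "that includes"), as does "Sign-in a domain controller" (the verb form is "Sign in to a domain controller"); the hunk's context line "The domain controllers have a certificate that include the new CRL distribution" also needs "that includes".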
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
index b6ee78a048..e887a13908 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
@@ -45,6 +45,7 @@ Sign in using *Enterprise Administrator* equivalent credentials on a Windows Ser
The configuration of the enterprise PKI to support Windows Hello for Business consists of the following steps (expand each step to learn more):
+
Configure domain controller certificates
@@ -92,7 +93,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
> [!IMPORTANT]
-> If you plan to deploy Azure AD joined devices, and require single sign-on (SSO) when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
+> If you plan to deploy **Azure AD joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
## Configure and deploy certificates to domain controllers
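Review bot: the rewritten IMPORTANT note now scopes the requirement to SSO to on-premises resources from **Azure AD joined** devices, which is the right clarification, but it still gives no reason; a short clause explaining that these devices are not domain joined and cannot retrieve a CRL from an LDAP distribution point, so the domain controller certificate must carry an HTTP CDP they can reach, would let the reader judge whether the linked procedure applies to their deployment.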
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md
index 0601e2412a..78318bb1ed 100644
--- a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md
+++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md
@@ -7,6 +7,7 @@ ms.topic: include
Expand the following sections to configure the group policy for domain controllers and validate the certificate deployment.
+
Configure automatic certificate enrollment for the domain controllers
@@ -28,6 +29,7 @@ Domain controllers automatically request a certificate from the *Domain controll
+
Deploy the domain controller auto certificate enrollment GPO
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md
index 256c308400..a5f284c022 100644
--- a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md
+++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md
@@ -13,7 +13,7 @@ By default, the Active Directory CA provides and publishes the *Kerberos Authent
> [!IMPORTANT]
> The certificates issued to the domain controllers must meet the following requirements:
-> - The *Certificate Revocation List (CRL)* distribution point extension must points to a valid CRL, or an *Authority Information Access (AIA)* extension that points to an Online Certificate Status Protocol (OCSP) responder
+> - The *Certificate Revocation List (CRL) distribution point* extension must point to a valid CRL, or an *Authority Information Access (AIA)* extension that points to an Online Certificate Status Protocol (OCSP) responder
> - Optionally, the certificate *Subject* section could contain the directory path of the server object (the distinguished name)
> - The certificate *Key Usage* section must contain *Digital Signature* and *Key Encipherment*
> - Optionally, the certificate *Basic Constraints* section should contain: `[Subject Type=End Entity, Path Length Constraint=None]`
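Review bot: the corrected bullet still reads as if the *CRL distribution point* extension itself must point either to a CRL or to an AIA extension, which is not the requirement; restructure it as "The certificate must contain either a *CRL distribution point* extension that points to a valid CRL, or an *Authority Information Access (AIA)* extension that points to an Online Certificate Status Protocol (OCSP) responder". Since this include is shared by the guides, it is also worth cross-referencing the HTTP CDP requirement from the IMPORTANT note in hello-hybrid-key-trust-validate-pki.md here: an LDAP-only CDP satisfies this bullet as written but does not satisfy the Azure AD joined SSO scenario.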