diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 85e91958b3..3c3763245b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -1,53 +1,57 @@
---
-title: Deploying Certificates to Key Trust Users to Enable RDP
-description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials
+title: Deploy certificates to cloud Kerberos trust and key trust users to enable RDP
+description: Learn how to deploy certificates to a cloud Kerberos trust and key trust user to enable remote desktop with supplied credentials
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
-ms.reviewer: prsriva
+ms.reviewer: erikdau
ms.collection:
- M365-identity-device-management
- ContentEngagementFY23
-ms.topic: article
+ms.topic: how-to
localizationpriority: medium
-ms.date: 02/22/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Key trust
- - ✅ Cloud Kerberos trust
+ms.date: 11/15/2022
+appliesto:
+ - ✅ Windows 10, version 21H2 and later
ms.technology: itpro-security
---
-# Deploy Certificates to Key Trust and Cloud Kerberos Trust Users to Enable RDP
+# Deploy certificates to cloud Kerberos trust and key trust users to enable RDP
-Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time.
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [ key trust](hello-how-it-works-technology.md#key-trust)\
+✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join)
-This document discusses an approach for key trust and cloud Kerberos trust deployments where authentication certificates can be deployed to an existing WHFB user.
+
-Three approaches are documented here:
+---
-1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy.
+Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For *cloud Kerberos trust* and *certificate trust* deployments, the creation of this certificate occurs at container creation time.
-1. Deploying a certificate to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune.
+This document discusses three approaches for cloud Kerberos trust and key trust deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user:
-1. Working with non-Microsoft enterprise certificate authorities.
+- Deploy certificates to hybrid joined devices using an on-premises Active Directory certificate enrollment policy
+- Deploy certificates to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune
+- Work with non-Microsoft enterprise certificate authorities
-## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy
+## Deploy certificates to a hybrid joined devices using an on-premises Active Directory Certificate enrollment policy
+
+To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must:
+
+1. Create a suitable certificate template
+1. Deploy certificates to your users based on the template
### Create a Windows Hello for Business certificate template
-1. Sign in to your issuing certificate authority (CA).
+Follow these steps to create a certificate template:
-1. Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc).
-
-1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
-
-1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console.
-
-1. Right-click the **Smartcard Logon** template and click **Duplicate Template**
+1. Sign in to your issuing certificate authority (CA)
+1. Open the **Certificate Authority** mmc snap-in console (%windir%\system32\certsrv.msc)
+1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list
+1. Right-click **Certificate Templates** and then select **Manage** to open the **Certificate Templates** console
+1. Right-click the **Smartcard Logon** template and select **Duplicate Template**

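Review bot: the rewritten opening paragraph (the `+` line beginning "Windows Hello for Business supports using a certificate as the supplied credential...") now states that for *cloud Kerberos trust* deployments the certificate is created at container creation time, but the very next paragraph says this document exists to deploy authentication certificates to cloud Kerberos trust and key trust users, which only makes sense if those users do not receive one at provisioning. The removed line said "For certificate trust deployments" only; suggest restoring that scope: `For *certificate trust* deployments, the creation of this certificate occurs at container creation time.` Two smaller points in the same hunk: the link text `[ key trust]` on the trust-type line has a stray leading space, and the new H2 `## Deploy certificates to a hybrid joined devices using an on-premises Active Directory Certificate enrollment policy` mixes singular and plural (drop `a`, or use `device`).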
@@ -55,63 +59,45 @@ Three approaches are documented here:
1. Clear the **Show resulting changes** check box
1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list
1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list
-
1. On the **General** tab:
- 1. Specify a Template display name, such as **WHfB Certificate Authentication**
+ 1. Specify a Template display name, for example *WHfB Certificate Authentication*
1. Set the validity period to the desired value
- 1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example).
-
-1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
-
+ 1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example)
+1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**
1. On the **Subject Name** tab:
1. Select the **Build from this Active Directory** information button if it is not already selected
1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected
1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
1. On the **Request Handling** tab:
1. Select the **Renew with same key** check box
- 1. Set the Purpose to **Signature and smartcard logon**
- 1. Click **Yes** when prompted to change the certificate purpose
- 1. Click **Prompt the user during enrollment**
-
+ 1. Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
+ 1. Select **Prompt the user during enrollment**
1. On the **Cryptography** tab:
1. Set the Provider Category to **Key Storage Provider**
1. Set the Algorithm name to **RSA**
1. Set the minimum key size to **2048**
1. Select **Requests must use one of the following providers**
- 1. Tick **Microsoft Software Key Storage Provider**
+ 1. Select **Microsoft Software Key Storage Provider**
1. Set the Request hash to **SHA256**
+1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them
+1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates
+1. Close the Certificate Templates console
-1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them.
-
-1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
-
-1. Close the Certificate Templates console.
-
-1. Open an elevated command prompt and change to a temporary working directory.
-
-1. Execute the following command:
-
- `certutil -dstemplate \ \> \.txt`
-
- Replace \ with the Template name you took note of earlier in step 7.
-
+1. Open an elevated command prompt and change to a temporary working directory
+1. Execute the following command, replacing `\` with the Template name you took note of earlier in step 7c
+ `certutil -dstemplate \ \`
1. Open the text file created by the command above.
- 1. Delete the last line of the output from the file that reads **CertUtil: -dsTemplate command completed successfully.**
- 1. Modify the line that reads **pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"** to **pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"**
-
+ 1. Delete the last line of the output from the file that reads `CertUtil: -dsTemplate command completed successfully.`
+ 1. Modify the line that reads `pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"`
1. Save the text file.
-
1. Update the certificate template by executing the following command:
-
- certutil -dsaddtemplate \.txt
-
-1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue**
+ `certutil -dsaddtemplate \.txt`
+1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue**

-1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list.
-
-1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. Right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
+1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list.
+1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service**
### Requesting a Certificate
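Review bot: the rewritten certutil step drops the output redirection, so the command no longer produces a file, yet the next step still reads "Open the text file created by the command above." and the later step runs `certutil -dsaddtemplate \.txt` against that file. The removed line was `certutil -dstemplate \ \> \.txt`; the replacement `certutil -dstemplate \ \` keeps only the first half, and the bare `\` reads as a literal backslash rather than a placeholder for the template name. Suggest restoring the redirect into a `.txt` file named after the template, spelling the placeholder out (for example as the template name in angle brackets), and putting both commands in their own fenced block with a blank line before them, since right now each sits directly under its list item without a blank line or indentation and will not render as intended. Also worth checking the cross-reference "step 7c" against the renumbered list, because the blank-line removals and merged sub-steps in this change shift the item numbers.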
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 719c27216d..f48952acdf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -194,7 +194,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr
## Hybrid deployment
-The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
+The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
### Related to hybrid deployment
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
index d9cd8d2065..beaa22b78b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@@ -5,7 +5,7 @@ ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
-ms.reviewer: prsriva
+ms.reviewer: erikdau
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 2c22050ab0..55cadf5a94 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -2,12 +2,12 @@
href: index.yml
- name: Overview
items:
- - name: Windows Hello for Business Overview
+ - name: Windows Hello for Business overview
href: hello-overview.md
- name: Concepts
expanded: true
items:
- - name: Passwordless Strategy
+ - name: Passwordless strategy
href: passwordless-strategy.md
- name: Why a PIN is better than a password
href: hello-why-pin-is-better-than-password.md
@@ -15,7 +15,7 @@
href: hello-biometrics-in-enterprise.md
- name: How Windows Hello for Business works
href: hello-how-it-works.md
- - name: Technical Deep Dive
+ - name: Technical deep dive
items:
- name: Provisioning
href: hello-how-it-works-provisioning.md
@@ -25,91 +25,91 @@
href: webauthn-apis.md
- name: How-to Guides
items:
- - name: Windows Hello for Business Deployment Overview
+ - name: Windows Hello for Business deployment overview
href: hello-deployment-guide.md
- - name: Planning a Windows Hello for Business Deployment
+ - name: Planning a Windows Hello for Business deployment
href: hello-planning-guide.md
- - name: Deployment Prerequisite Overview
+ - name: Deployment prerequisite overview
href: hello-identity-verification.md
- name: Prepare people to use Windows Hello
href: hello-prepare-people-to-use.md
- - name: Deployment Guides
+ - name: Deployment guides
items:
- - name: Hybrid Cloud Kerberos Trust Deployment
+ - name: Hybrid cloud Kerberos trust deployment
href: hello-hybrid-cloud-kerberos-trust.md
- - name: Hybrid Azure AD Joined Key Trust
+ - name: Hybrid Azure AD Join key trust
items:
- - name: Hybrid Azure AD Joined Key Trust Deployment
+ - name: Hybrid Azure AD join key trust deployment
href: hello-hybrid-key-trust.md
- name: Prerequisites
href: hello-hybrid-key-trust-prereqs.md
- - name: New Installation Baseline
+ - name: New installation baseline
href: hello-hybrid-key-new-install.md
- - name: Configure Directory Synchronization
+ - name: Configure directory synchronization
href: hello-hybrid-key-trust-dirsync.md
- - name: Configure Azure Device Registration
+ - name: Configure Azure AD device registration
href: hello-hybrid-key-trust-devreg.md
- name: Configure Windows Hello for Business settings
href: hello-hybrid-key-whfb-settings.md
- - name: Sign-in and Provisioning
+ - name: Sign-in and provisioning
href: hello-hybrid-key-whfb-provision.md
- - name: Hybrid Azure AD Joined Certificate Trust
+ - name: Hybrid Azure AD join certificate trust
items:
- - name: Hybrid Azure AD Joined Certificate Trust Deployment
+ - name: Hybrid Azure AD join certificate trust deployment
href: hello-hybrid-cert-trust.md
- name: Prerequisites
href: hello-hybrid-cert-trust-prereqs.md
- - name: New Installation Baseline
+ - name: New installation baseline
href: hello-hybrid-cert-new-install.md
- - name: Configure Azure Device Registration
+ - name: Configure Azure AD device registration
href: hello-hybrid-cert-trust-devreg.md
- name: Configure Windows Hello for Business settings
href: hello-hybrid-cert-whfb-settings.md
- - name: Sign-in and Provisioning
+ - name: Sign-in and provisioning
href: hello-hybrid-cert-whfb-provision.md
- - name: On-premises SSO for Azure AD Joined Devices
+ - name: On-premises singe-sign-on (SSO) for Azure AD joined devices
items:
- - name: On-premises SSO for Azure AD Joined Devices Deployment
+ - name: On-premises SSO for Azure AD joined devices
href: hello-hybrid-aadj-sso.md
- - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+ - name: Configure Azure AD joined devices for on-premises SSO
href: hello-hybrid-aadj-sso-base.md
- - name: Using Certificates for AADJ On-premises Single-sign On
+ - name: Using certificates for on-premises SSO
href: hello-hybrid-aadj-sso-cert.md
- name: On-premises Key Trust
items:
- - name: On-premises Key Trust Deployment
+ - name: Key trust deployment
href: hello-deployment-key-trust.md
- - name: Validate Active Directory Prerequisites
+ - name: Validate Active Directory prerequisites
href: hello-key-trust-validate-ad-prereq.md
- - name: Validate and Configure Public Key Infrastructure
+ - name: Validate and configure Public Key Infrastructure (PKI)
href: hello-key-trust-validate-pki.md
- - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ - name: Prepare and deploy Active Directory Federation Services (AD FS)
href: hello-key-trust-adfs.md
- - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ - name: Validate and deploy multi-factor authentication (MFA) services
href: hello-key-trust-validate-deploy-mfa.md
- name: Configure Windows Hello for Business policy settings
href: hello-key-trust-policy-settings.md
- - name: On-premises Certificate Trust
+ - name: On-premises certificate trust
items:
- - name: On-premises Certificate Trust Deployment
+ - name: Certificate trust deployment
href: hello-deployment-cert-trust.md
- - name: Validate Active Directory Prerequisites
+ - name: Validate Active Directory prerequisites
href: hello-cert-trust-validate-ad-prereq.md
- - name: Validate and Configure Public Key Infrastructure
+ - name: Validate and configure Public Key Infrastructure (PKI)
href: hello-cert-trust-validate-pki.md
- - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ - name: Prepare and Deploy Active Directory Federation Services (AD FS)
href: hello-cert-trust-adfs.md
- - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ - name: Validate and deploy multi-factor authentication (MFA) services
href: hello-cert-trust-validate-deploy-mfa.md
- name: Configure Windows Hello for Business policy settings
href: hello-cert-trust-policy-settings.md
- name: Azure AD join cloud only deployment
href: hello-aad-join-cloud-only-deploy.md
- - name: Managing Windows Hello for Business in your organization
+ - name: Manage Windows Hello for Business in your organization
href: hello-manage-in-organization.md
- - name: Deploying Certificates to Key Trust Users to Enable RDP
+ - name: Deploy certificates for remote desktop (RDP) connections
href: hello-deployment-rdp-certs.md
- - name: Windows Hello for Business Features
+ - name: Windows Hello for Business features
items:
- name: Conditional Access
href: hello-feature-conditional-access.md
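Review bot: `On-premises singe-sign-on (SSO) for Azure AD joined devices` has a typo (`singe` for `single`), and the usual form is `single sign-on`. Capitalization is also inconsistent among the renamed entries: `Hybrid Azure AD Join key trust` versus its child `Hybrid Azure AD join key trust deployment` and the sibling `Hybrid Azure AD join certificate trust`; `Prepare and Deploy Active Directory Federation Services (AD FS)` under certificate trust versus `Prepare and deploy Active Directory Federation Services (AD FS)` under key trust; and `On-premises Key Trust` is left in title case while `On-premises certificate trust` was lowercased. Suggest `join`, `deploy`, and `On-premises key trust` respectively, matching the sentence-case convention the rest of the hunk adopts.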
@@ -135,7 +135,7 @@
href: hello-and-password-changes.md
- name: Reference
items:
- - name: Technology and Terminology
+ - name: Technology and terminology
href: hello-how-it-works-technology.md
- name: Frequently Asked Questions (FAQ)
href: hello-faq.yml