From 97bd9e00e19877e434de2b9ac7a37f0c752b1c49 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 15 Nov 2022 11:48:35 -0500 Subject: [PATCH] Updates --- .../hello-deployment-rdp-certs.md | 112 ++++++++---------- .../hello-how-it-works-technology.md | 2 +- .../hello-hybrid-cloud-kerberos-trust.md | 2 +- .../hello-for-business/toc.yml | 76 ++++++------ 4 files changed, 89 insertions(+), 103 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 85e91958b3..3c3763245b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
@@ -1,53 +1,57 @@ --- -title: Deploying Certificates to Key Trust Users to Enable RDP -description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials +title: Deploy certificates to cloud Kerberos trust and key trust users to enable RDP +description: Learn how to deploy certificates to a cloud Kerberos trust and key trust user to enable remote desktop with supplied credentials ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.reviewer: prsriva +ms.reviewer: erikdau ms.collection: - M365-identity-device-management - ContentEngagementFY23 -ms.topic: article +ms.topic: how-to localizationpriority: medium -ms.date: 02/22/2021 -appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust - - ✅ Cloud Kerberos trust +ms.date: 11/15/2022 +appliesto: + - ✅ Windows 10, version 21H2 and later ms.technology: itpro-security --- -# Deploy Certificates to Key Trust and Cloud Kerberos Trust Users to Enable RDP +# Deploy certificates to cloud Kerberos trust and key trust users to enable RDP -Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time. 
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [ key trust](hello-how-it-works-technology.md#key-trust)\ +✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join) -This document discusses an approach for key trust and cloud Kerberos trust deployments where authentication certificates can be deployed to an existing WHFB user. +
-Three approaches are documented here: +--- -1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy. +Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For *cloud Kerberos trust* and *certificate trust* deployments, the creation of this certificate occurs at container creation time. -1. Deploying a certificate to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune. +This document discusses three approaches for cloud Kerberos trust and key trust deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: -1. Working with non-Microsoft enterprise certificate authorities. +- Deploy certificates to hybrid joined devices using an on-premises Active Directory certificate enrollment policy +- Deploy certificates to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune +- Work with non-Microsoft enterprise certificate authorities -## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy +## Deploy certificates to a hybrid joined devices using an on-premises Active Directory Certificate enrollment policy + +To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must: + +1. Create a suitable certificate template +1. Deploy certificates to your users based on the template ### Create a Windows Hello for Business certificate template -1. Sign in to your issuing certificate authority (CA). +Follow these steps to create a certificate template: -1. Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc). - -1. 
In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. - -1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console. - -1. Right-click the **Smartcard Logon** template and click **Duplicate Template** +1. Sign in to your issuing certificate authority (CA) +1. Open the **Certificate Authority** mmc snap-in console (%windir%\system32\certsrv.msc) +1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list +1. Right-click **Certificate Templates** and then select **Manage** to open the **Certificate Templates** console +1. Right-click the **Smartcard Logon** template and select **Duplicate Template** ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png) 
@@ -55,63 +59,45 @@ Three approaches are documented here: 1. Clear the **Show resulting changes** check box 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list - 1. On the **General** tab: - 1. Specify a Template display name, such as **WHfB Certificate Authentication** + 1. Specify a Template display name, for example *WHfB Certificate Authentication* 1. Set the validity period to the desired value - 1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example). - -1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. - + 1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example) +1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon** 1. On the **Subject Name** tab: 1. Select the **Build from this Active Directory** information button if it is not already selected 1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected 1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** 1. On the **Request Handling** tab: 1. Select the **Renew with same key** check box - 1. Set the Purpose to **Signature and smartcard logon** - 1. Click **Yes** when prompted to change the certificate purpose - 1. Click **Prompt the user during enrollment** - + 1. Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose + 1. Select **Prompt the user during enrollment** 1. On the **Cryptography** tab: 1. 
Set the Provider Category to **Key Storage Provider** 1. Set the Algorithm name to **RSA** 1. Set the minimum key size to **2048** 1. Select **Requests must use one of the following providers** - 1. Tick **Microsoft Software Key Storage Provider** + 1. Select **Microsoft Software Key Storage Provider** 1. Set the Request hash to **SHA256** +1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them +1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates +1. Close the Certificate Templates console -1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them. - -1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. - -1. Close the Certificate Templates console. - -1. Open an elevated command prompt and change to a temporary working directory. - -1. Execute the following command: - - `certutil -dstemplate \ \> \.txt` - - Replace \ with the Template name you took note of earlier in step 7. - +1. Open an elevated command prompt and change to a temporary working directory +1. Execute the following command, replacing `\` with the Template name you took note of earlier in step 7c + `certutil -dstemplate \ \` 1. Open the text file created by the command above. - 1. Delete the last line of the output from the file that reads **CertUtil: -dsTemplate command completed successfully.** - 1. Modify the line that reads **pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"** to **pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"** - + 1. 
Delete the last line of the output from the file that reads `CertUtil: -dsTemplate command completed successfully.` + 1. Modify the line that reads `pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"` 1. Save the text file. - 1. Update the certificate template by executing the following command: - - certutil -dsaddtemplate \.txt - -1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue** + `certutil -dsaddtemplate \.txt` +1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue** ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png) -1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list. - -1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. Right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. +1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list. +1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service** ### Requesting a Certificate diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 719c27216d..f48952acdf 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -194,7 +194,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr ## Hybrid deployment -The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust. +The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust. ### Related to hybrid deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index d9cd8d2065..beaa22b78b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -5,7 +5,7 @@ ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.reviewer: prsriva +ms.reviewer: erikdau ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium 
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 2c22050ab0..55cadf5a94 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -2,12 +2,12 @@ href: index.yml - name: Overview items: - - name: Windows Hello for Business Overview + - name: Windows Hello for Business overview href: hello-overview.md - name: Concepts expanded: true items: - - name: Passwordless Strategy + - name: Passwordless strategy href: passwordless-strategy.md - name: Why a PIN is better than a password href: hello-why-pin-is-better-than-password.md @@ -15,7 +15,7 @@ href: hello-biometrics-in-enterprise.md - name: How Windows Hello for Business works href: hello-how-it-works.md - - name: Technical Deep Dive + - name: Technical deep dive items: - name: Provisioning href: hello-how-it-works-provisioning.md 
@@ -25,91 +25,91 @@ href: webauthn-apis.md - name: How-to Guides items: - - name: Windows Hello for Business Deployment Overview + - name: Windows Hello for Business deployment overview href: hello-deployment-guide.md - - name: Planning a Windows Hello for Business Deployment + - name: Planning a Windows Hello for Business deployment href: hello-planning-guide.md - - name: Deployment Prerequisite Overview + - name: Deployment prerequisite overview href: hello-identity-verification.md - name: Prepare people to use Windows Hello href: hello-prepare-people-to-use.md - - name: Deployment Guides + - name: Deployment guides items: - - name: Hybrid Cloud Kerberos Trust Deployment + - name: Hybrid cloud Kerberos trust deployment href: hello-hybrid-cloud-kerberos-trust.md - - name: Hybrid Azure AD Joined Key Trust + - name: Hybrid Azure AD Join key trust items: - - name: Hybrid Azure AD Joined Key Trust Deployment + - name: Hybrid Azure AD join key trust deployment href: hello-hybrid-key-trust.md - name: Prerequisites href: hello-hybrid-key-trust-prereqs.md - - name: New Installation Baseline + - name: New installation baseline href: hello-hybrid-key-new-install.md - - name: Configure Directory Synchronization + - name: Configure directory synchronization href: hello-hybrid-key-trust-dirsync.md - - name: Configure Azure Device Registration + - name: Configure Azure AD device registration href: hello-hybrid-key-trust-devreg.md - name: Configure Windows Hello for Business settings href: hello-hybrid-key-whfb-settings.md - - name: Sign-in and Provisioning + - name: Sign-in and provisioning href: hello-hybrid-key-whfb-provision.md - - name: Hybrid Azure AD Joined Certificate Trust + - name: Hybrid Azure AD join certificate trust items: - - name: Hybrid Azure AD Joined Certificate Trust Deployment + - name: Hybrid Azure AD join certificate trust deployment href: hello-hybrid-cert-trust.md - name: Prerequisites href: hello-hybrid-cert-trust-prereqs.md - - name: New Installation 
Baseline + - name: New installation baseline href: hello-hybrid-cert-new-install.md - - name: Configure Azure Device Registration + - name: Configure Azure AD device registration href: hello-hybrid-cert-trust-devreg.md - name: Configure Windows Hello for Business settings href: hello-hybrid-cert-whfb-settings.md - - name: Sign-in and Provisioning + - name: Sign-in and provisioning href: hello-hybrid-cert-whfb-provision.md - - name: On-premises SSO for Azure AD Joined Devices + - name: On-premises singe-sign-on (SSO) for Azure AD joined devices items: - - name: On-premises SSO for Azure AD Joined Devices Deployment + - name: On-premises SSO for Azure AD joined devices href: hello-hybrid-aadj-sso.md - - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business + - name: Configure Azure AD joined devices for on-premises SSO href: hello-hybrid-aadj-sso-base.md - - name: Using Certificates for AADJ On-premises Single-sign On + - name: Using certificates for on-premises SSO href: hello-hybrid-aadj-sso-cert.md - name: On-premises Key Trust items: - - name: On-premises Key Trust Deployment + - name: Key trust deployment href: hello-deployment-key-trust.md - - name: Validate Active Directory Prerequisites + - name: Validate Active Directory prerequisites href: hello-key-trust-validate-ad-prereq.md - - name: Validate and Configure Public Key Infrastructure + - name: Validate and configure Public Key Infrastructure (PKI) href: hello-key-trust-validate-pki.md - - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + - name: Prepare and deploy Active Directory Federation Services (AD FS) href: hello-key-trust-adfs.md - - name: Validate and Deploy Multi-factor Authentication (MFA) Services + - name: Validate and deploy multi-factor authentication (MFA) services href: hello-key-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: 
hello-key-trust-policy-settings.md - - name: On-premises Certificate Trust + - name: On-premises certificate trust items: - - name: On-premises Certificate Trust Deployment + - name: Certificate trust deployment href: hello-deployment-cert-trust.md - - name: Validate Active Directory Prerequisites + - name: Validate Active Directory prerequisites href: hello-cert-trust-validate-ad-prereq.md - - name: Validate and Configure Public Key Infrastructure + - name: Validate and configure Public Key Infrastructure (PKI) href: hello-cert-trust-validate-pki.md - - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + - name: Prepare and Deploy Active Directory Federation Services (AD FS) href: hello-cert-trust-adfs.md - - name: Validate and Deploy Multi-factor Authentication (MFA) Services + - name: Validate and deploy multi-factor authentication (MFA) services href: hello-cert-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - name: Azure AD join cloud only deployment href: hello-aad-join-cloud-only-deploy.md - - name: Managing Windows Hello for Business in your organization + - name: Manage Windows Hello for Business in your organization href: hello-manage-in-organization.md - - name: Deploying Certificates to Key Trust Users to Enable RDP + - name: Deploy certificates for remote desktop (RDP) connections href: hello-deployment-rdp-certs.md - - name: Windows Hello for Business Features + - name: Windows Hello for Business features items: - name: Conditional Access href: hello-feature-conditional-access.md @@ -135,7 +135,7 @@ href: hello-and-password-changes.md - name: Reference items: - - name: Technology and Terminology + - name: Technology and terminology href: hello-how-it-works-technology.md - name: Frequently Asked Questions (FAQ) href: hello-faq.yml
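Review bot: in the first hunk of hello-deployment-rdp-certs.md (`@@ -1,53 +1,57 @@`), the rewritten intro sentence `+... For *cloud Kerberos trust* and *certificate trust* deployments, the creation of this certificate occurs at container creation time.` contradicts the paragraph right after it, which says this document exists because cloud Kerberos trust and key trust users do not get such a certificate and need one deployed; the removed line scoped the statement to certificate trust only, so it should read "For *certificate trust* deployments, ...". Two smaller points in the same hunk: the new trust-type line has a stray space inside the link text in `[ key trust](hello-how-it-works-technology.md#key-trust)`, and the new heading `+## Deploy certificates to a hybrid joined devices using ...` should drop the "a" (or read "to a hybrid joined device"); the added step `+1. Open the **Certificate Authority** mmc snap-in console` should use "MMC" to match "In the left pane of the MMC" two lines below.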
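Review bot: in the second hunk of hello-deployment-rdp-certs.md (`@@ -55,63 +59,45 @@`), the rewritten command `+ ` `certutil -dstemplate \ \` drops the output redirection that the removed line `- ` `certutil -dstemplate \ \> \.txt` had, yet the next step still says "Open the text file created by the command above" and the later `certutil -dsaddtemplate \.txt` expects that file to exist; keep the `> <name>.txt` redirect (with the same placeholder the page uses) so the procedure still produces the file it goes on to edit. Also, the step reference changed from "step 7" to "step 7c", but every list item in this hunk is written as `1.`, so the rendered numbering should be checked against that reference. Trailing punctuation is now inconsistent within one list: `1. Save the text file.` and "...become available in this list." keep their periods while the surrounding rewritten items drop theirs; pick one convention for the whole procedure.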
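Review bot: in the toc.yml hunk `@@ -25,91 +25,91 @@`, `+ - name: On-premises singe-sign-on (SSO) for Azure AD joined devices` has a typo ("singe" should be "single sign-on"). The sentence-case pass is also applied unevenly in this hunk: `+ - name: Hybrid Azure AD Join key trust` sits next to `+ - name: Hybrid Azure AD join key trust deployment`; `+ - name: Prepare and Deploy Active Directory Federation Services (AD FS)` under certificate trust differs from the key-trust sibling `+ - name: Prepare and deploy Active Directory Federation Services (AD FS)`; and the untouched context line ` - name: On-premises Key Trust` is left in title case while its sibling became `+ - name: On-premises certificate trust`. Aligning these makes the TOC consistent with the rest of the rename.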