Updates

2025-06-18 20:03:40 +00:00 · 2022-11-15 11:48:35 -05:00
parent 67af28c275
commit 97bd9e00e1
4 changed files with 89 additions and 103 deletions
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@ -1,53 +1,57 @@
 ---
-title: Deploying Certificates to Key Trust Users to Enable RDP
+title: Deploy certificates to cloud Kerberos trust and key trust users to enable RDP
-description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials
+description: Learn how to deploy certificates to a cloud Kerberos trust and key trust user to enable remote desktop with supplied credentials
 ms.prod: windows-client
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
-ms.reviewer: prsriva
+ms.reviewer: erikdau
 ms.collection:
  - M365-identity-device-management
  - ContentEngagementFY23
-ms.topic: article
+ms.topic: how-to
 localizationpriority: medium
-ms.date: 02/22/2021
+ms.date: 11/15/2022
 appliesto:
-  - ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10, version 21H2 and later</a>
  - ✅ <b>Windows 11</b>
  - ✅ <b>Hybrid deployment</b>
  - ✅ <b>Key trust</b>
  - ✅ <b>Cloud Kerberos trust</b>
 ms.technology: itpro-security
 ---
-# Deploy Certificates to Key Trust and Cloud Kerberos Trust Users to Enable RDP
+# Deploy certificates to cloud Kerberos trust and key trust users to enable RDP
-Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time.
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
 ✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\
 ✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [ key trust](hello-how-it-works-technology.md#key-trust)\
 ✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join)
-This document discusses an approach for key trust and cloud Kerberos trust deployments where authentication certificates can be deployed to an existing WHFB user.
+<br>
-Three approaches are documented here:
+---
-1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy.
+Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For *cloud Kerberos trust* and *certificate trust* deployments, the creation of this certificate occurs at container creation time.
-1. Deploying a certificate to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune.
+This document discusses three approaches for cloud Kerberos trust and key trust deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user:
-1. Working with non-Microsoft enterprise certificate authorities.
+- Deploy certificates to hybrid joined devices using an on-premises Active Directory certificate enrollment policy
 - Deploy certificates to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune
 - Work with non-Microsoft enterprise certificate authorities
-## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy
+## Deploy certificates to a hybrid joined devices using an on-premises Active Directory Certificate enrollment policy
 To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must:
 1. Create a suitable certificate template
 1. Deploy certificates to your users based on the template
 ### Create a Windows Hello for Business certificate template
-1. Sign in to your issuing certificate authority (CA).
+Follow these steps to create a certificate template:
-1. Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc).
+1. Sign in to your issuing certificate authority (CA)
-
+1. Open the **Certificate Authority** mmc snap-in console (%windir%\system32\certsrv.msc)
-1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
+1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list
-
+1. Right-click **Certificate Templates** and then select **Manage** to open the **Certificate Templates** console
-1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console.
+1. Right-click the **Smartcard Logon** template and select **Duplicate Template**
 1. Right-click the **Smartcard Logon** template and click **Duplicate Template**
    ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png)
@ -55,63 +59,45 @@ Three approaches are documented here:
    1. Clear the **Show resulting changes** check box
    1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list
    1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list
 1. On the **General** tab:
-    1. Specify a Template display name, such as **WHfB Certificate Authentication**
+    1. Specify a Template display name, for example *WHfB Certificate Authentication*
    1. Set the validity period to the desired value
-    1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example).
+    1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example)
-
+1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**
 1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
 1. On the **Subject Name** tab:
    1. Select the **Build from this Active Directory** information button if it is not already selected
    1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected
    1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
 1. On the **Request Handling** tab:
    1. Select the **Renew with same key** check box
-    1. Set the Purpose to **Signature and smartcard logon**
+    1. Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
-        1. Click **Yes** when prompted to change the certificate purpose
+    1. Select **Prompt the user during enrollment**
    1. Click **Prompt the user during enrollment**
 1. On the **Cryptography** tab:
    1. Set the Provider Category to **Key Storage Provider**
    1. Set the Algorithm name to **RSA**
    1. Set the minimum key size to **2048**
    1. Select **Requests must use one of the following providers**
-    1. Tick **Microsoft Software Key Storage Provider**
+    1. Select **Microsoft Software Key Storage Provider**
    1. Set the Request hash to **SHA256**
 1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them
 1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates
 1. Close the Certificate Templates console
-1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them.
+1. Open an elevated command prompt and change to a temporary working directory
-
+1. Execute the following command, replacing `\<TemplateName\>` with the Template name you took note of earlier in step 7c
-1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
+    `certutil -dstemplate \<TemplateName\> \<TemplateName.txt\>`
 1. Close the Certificate Templates console.
 1. Open an elevated command prompt and change to a temporary working directory.
 1. Execute the following command:
    `certutil -dstemplate \<TemplateName\> \> \<TemplateName\>.txt`
    Replace \<TemplateName\> with the Template name you took note of earlier in step 7.
 1. Open the text file created by the command above.
-    1. Delete the last line of the output from the file that reads **CertUtil: -dsTemplate command completed successfully.**
+    1. Delete the last line of the output from the file that reads `CertUtil: -dsTemplate command completed successfully.`
-    1. Modify the line that reads **pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"** to **pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"**
+    1. Modify the line that reads `pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"`
 1. Save the text file.
 1. Update the certificate template by executing the following command:
-
+    `certutil -dsaddtemplate \<TemplateName\>.txt`
-    certutil -dsaddtemplate \<TemplateName\>.txt
+1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue**
 1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue**
    ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png)
-1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list.
+1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list.
-
+1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service**
 1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. Right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
 ### Requesting a Certificate
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@ -194,7 +194,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr
 ## Hybrid deployment
-The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
+The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
 ### Related to hybrid deployment
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@ -5,7 +5,7 @@ ms.prod: windows-client
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
-ms.reviewer: prsriva
+ms.reviewer: erikdau
 ms.collection: M365-identity-device-management
 ms.topic: article
 localizationpriority: medium
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@ -2,12 +2,12 @@
  href: index.yml
 - name: Overview
  items:
-  - name: Windows Hello for Business Overview
+  - name: Windows Hello for Business overview
    href: hello-overview.md
 - name: Concepts
  expanded: true
  items:
-  - name: Passwordless Strategy
+  - name: Passwordless strategy
    href: passwordless-strategy.md
  - name: Why a PIN is better than a password
    href: hello-why-pin-is-better-than-password.md
@ -15,7 +15,7 @@
    href: hello-biometrics-in-enterprise.md
  - name: How Windows Hello for Business works
    href: hello-how-it-works.md
-  - name: Technical Deep Dive
+  - name: Technical deep dive
    items:
    - name: Provisioning
      href: hello-how-it-works-provisioning.md
@ -25,91 +25,91 @@
      href: webauthn-apis.md
 - name: How-to Guides
  items:
-  - name: Windows Hello for Business Deployment Overview
+  - name: Windows Hello for Business deployment overview
    href: hello-deployment-guide.md
-  - name: Planning a Windows Hello for Business Deployment
+  - name: Planning a Windows Hello for Business deployment
    href: hello-planning-guide.md
-  - name: Deployment Prerequisite Overview
+  - name: Deployment prerequisite overview
    href: hello-identity-verification.md
  - name: Prepare people to use Windows Hello
    href: hello-prepare-people-to-use.md
-  - name: Deployment Guides
+  - name: Deployment guides
    items:
-    - name: Hybrid Cloud Kerberos Trust Deployment
+    - name: Hybrid cloud Kerberos trust deployment
      href: hello-hybrid-cloud-kerberos-trust.md
-    - name: Hybrid Azure AD Joined Key Trust
+    - name: Hybrid Azure AD Join key trust
      items: 
-      - name: Hybrid Azure AD Joined Key Trust Deployment
+      - name: Hybrid Azure AD join key trust deployment
        href: hello-hybrid-key-trust.md
      - name: Prerequisites
        href: hello-hybrid-key-trust-prereqs.md
-      - name: New Installation Baseline
+      - name: New installation baseline
        href: hello-hybrid-key-new-install.md
-      - name: Configure Directory Synchronization
+      - name: Configure directory synchronization
        href: hello-hybrid-key-trust-dirsync.md
-      - name: Configure Azure Device Registration
+      - name: Configure Azure AD device registration
        href: hello-hybrid-key-trust-devreg.md
      - name: Configure Windows Hello for Business settings
        href: hello-hybrid-key-whfb-settings.md
-      - name: Sign-in and Provisioning
+      - name: Sign-in and provisioning
        href: hello-hybrid-key-whfb-provision.md
-    - name: Hybrid Azure AD Joined Certificate Trust
+    - name: Hybrid Azure AD join certificate trust
      items: 
-      - name: Hybrid Azure AD Joined Certificate Trust Deployment
+      - name: Hybrid Azure AD join certificate trust deployment
        href: hello-hybrid-cert-trust.md
      - name: Prerequisites
        href: hello-hybrid-cert-trust-prereqs.md
-      - name: New Installation Baseline
+      - name: New installation baseline
        href: hello-hybrid-cert-new-install.md
-      - name: Configure Azure Device Registration
+      - name: Configure Azure AD device registration
        href: hello-hybrid-cert-trust-devreg.md
      - name: Configure Windows Hello for Business settings
        href: hello-hybrid-cert-whfb-settings.md
-      - name: Sign-in and Provisioning
+      - name: Sign-in and provisioning
        href: hello-hybrid-cert-whfb-provision.md
-    - name: On-premises SSO for Azure AD Joined Devices
+    - name: On-premises singe-sign-on (SSO) for Azure AD joined devices
      items: 
-      - name: On-premises SSO for Azure AD Joined Devices Deployment 
+      - name: On-premises SSO for Azure AD joined devices
        href: hello-hybrid-aadj-sso.md
-      - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+      - name: Configure Azure AD joined devices for on-premises SSO
        href: hello-hybrid-aadj-sso-base.md
-      - name: Using Certificates for AADJ On-premises Single-sign On
+      - name: Using certificates for on-premises SSO
        href: hello-hybrid-aadj-sso-cert.md
    - name: On-premises Key Trust
      items: 
-      - name: On-premises Key Trust Deployment
+      - name: Key trust deployment
        href: hello-deployment-key-trust.md
-      - name: Validate Active Directory Prerequisites
+      - name: Validate Active Directory prerequisites
        href: hello-key-trust-validate-ad-prereq.md
-      - name: Validate and Configure Public Key Infrastructure
+      - name: Validate and configure Public Key Infrastructure (PKI)
        href: hello-key-trust-validate-pki.md
-      - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+      - name: Prepare and deploy Active Directory Federation Services (AD FS)
        href: hello-key-trust-adfs.md
-      - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+      - name: Validate and deploy multi-factor authentication (MFA) services
        href: hello-key-trust-validate-deploy-mfa.md
      - name: Configure Windows Hello for Business policy settings
        href: hello-key-trust-policy-settings.md
-    - name: On-premises Certificate Trust
+    - name: On-premises certificate trust
      items: 
-      - name: On-premises Certificate Trust Deployment
+      - name: Certificate trust deployment
        href: hello-deployment-cert-trust.md
-      - name: Validate Active Directory Prerequisites
+      - name: Validate Active Directory prerequisites
        href: hello-cert-trust-validate-ad-prereq.md
-      - name: Validate and Configure Public Key Infrastructure
+      - name: Validate and configure Public Key Infrastructure (PKI)
        href: hello-cert-trust-validate-pki.md
-      - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+      - name: Prepare and Deploy Active Directory Federation Services (AD FS)
        href: hello-cert-trust-adfs.md
-      - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+      - name: Validate and deploy multi-factor authentication (MFA) services
        href: hello-cert-trust-validate-deploy-mfa.md
      - name: Configure Windows Hello for Business policy settings
        href: hello-cert-trust-policy-settings.md
    - name: Azure AD join cloud only deployment
      href: hello-aad-join-cloud-only-deploy.md
-    - name: Managing Windows Hello for Business in your organization
+    - name: Manage Windows Hello for Business in your organization
      href: hello-manage-in-organization.md
-    - name: Deploying Certificates to Key Trust Users to Enable RDP
+    - name: Deploy certificates for remote desktop (RDP) connections
      href: hello-deployment-rdp-certs.md
-  - name: Windows Hello for Business Features
+  - name: Windows Hello for Business features
    items:
    - name: Conditional Access 
      href: hello-feature-conditional-access.md
@ -135,7 +135,7 @@
      href: hello-and-password-changes.md
 - name: Reference
  items:
-  - name: Technology and Terminology
+  - name: Technology and terminology
    href: hello-how-it-works-technology.md
  - name: Frequently Asked Questions (FAQ)
    href: hello-faq.yml