Transitioning doc ownership

This commit is contained in:
Matthew Palko
2022-02-22 10:02:17 -08:00
parent bd80d690a9
commit 989fe91889
60 changed files with 263 additions and 253 deletions

View File

@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
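Review bot: both `author` and `ms.author` are set to GitPrakhar13, which reads as a GitHub handle; in this metadata schema `author` carries the GitHub ID while `ms.author` expects a Microsoft alias (the outgoing value mapalko happened to serve as both), so confirm the alias for `ms.author` before merging. The identical swap is repeated in every file below, and the summary (60 files, 263 additions, 253 deletions) shows the ownership change is bundled with list-style and whitespace edits that would be easier to verify as a separate commit.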
@ -17,7 +17,6 @@ ms.reviewer:
---
# WebAuthn APIs for password-less authentication on Windows
### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can use password-less authentication.
Microsoft has long been a proponent to do away with passwords.
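Review bot: the hunk header shows one line removed (7 lines to 6) that the rendered view does not display, so check that a blank line still separates the front matter `---` from the `# WebAuthn APIs for password-less authentication on Windows` heading. Separately, the tagline `### Passwords leave your customers vulnerable...` sits directly under an H1 as a level-3 heading, which skips a level (markdownlint MD001) and reads as body text rather than a section heading.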
@ -26,6 +25,7 @@ These APIs allow Microsoft developer partners and the developer community to use
as a password-less authentication mechanism for their applications on Windows devices.
#### What does this mean?
This opens opportunities for developers or relying parties (RPs') to enable password-less authentication.
They can now use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md)
as a password-less multi-factor credential for authentication.
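Review bot: `relying parties (RPs')` carries a stray apostrophe; the plural is `(RPs)`. Since this file is being touched anyway, it is a one-character fix worth folding in.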
@ -42,4 +42,5 @@ Developers of FIDO2 authentication keys should use the new Windows 10 APIs, to e
This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO-related messaging.
#### Where can developers learn more?
The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn)
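Review bot: the closing sentence `The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn)` has no terminal period, and `direct access to above transports` in the context line above it is missing `the`.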

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -8,8 +8,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -8,8 +8,8 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection:
- M365-identity-device-management

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection:
- M365-identity-device-management

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection:
- M365-identity-device-management

View File

@ -8,8 +8,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -19,29 +19,18 @@ ms.reviewer:
# On Premises Key Trust Deployment
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment.
Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment:
1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
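Review bot: the four `Applies to` items are removed and re-added with identical visible text, and the header counts (29 lines to 18) show eleven more lines dropped than the view displays, so this is most likely indentation, trailing-whitespace or blank-line normalization; confirm the list still renders as a bulleted list rather than a single paragraph. In the context paragraph, `based on asymmetric key pair` should read `based on an asymmetric key pair`; the same sentence appears in the hybrid certificate trust overview further down.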

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -8,8 +8,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection:
- M365-identity-device-management

View File

@ -9,8 +9,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -8,8 +8,8 @@ metadata:
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection:
- M365-identity-device-management

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection:
- M365-identity-device-management

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection:
- M365-identity-device-management

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -19,10 +19,11 @@ ms.reviewer:
# Azure AD Join Single Sign-on Deployment
**Applies to**
- Windows 10
- Windows 11
- Azure Active Directory joined
- Hybrid deployment
- Windows 10
- Windows 11
- Azure Active Directory joined
- Hybrid deployment
Windows Hello for Business combined with Azure Active Directory joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory joined devices using Windows Hello for Business, using a key or a certificate.

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -19,25 +19,25 @@ ms.reviewer:
# Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust
Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies
* [Active Directory](#active-directory)
* [Public Key Infrastructure](#public-key-infrastructure)
* [Azure Active Directory](#azure-active-directory)
* [Multifactor Authentication Services](#multifactor-authentication-services)
- [Active Directory](#active-directory)
- [Public Key Infrastructure](#public-key-infrastructure)
- [Azure Active Directory](#azure-active-directory)
- [Multifactor Authentication Services](#multifactor-authentication-services)
New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration.
The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. This document expects you have Active Directory deployed using Windows Server 2008 R2 or later domain controllers.
## Active Directory ##
Production environments should follow Active Directory best practices regarding the number and placement of domain controllers to ensure adequate authentication throughout the organization.
Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal.
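Review bot: this hunk normalizes bullets from `*` to `-` but leaves the closed-ATX heading `## Active Directory ##` with its trailing hashes, while the hybrid certificate trust overview hunk in this same commit strips them from `## New Deployment Baseline ##` and `## Federated Baseline ##`; apply the same cleanup here. Two wording issues in the touched region are also worth folding in: `rely on these technologies` introduces a list and needs a trailing colon, and `can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal` should read `troubleshooting issues ... unrelated to the activity's goal`.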

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -19,10 +19,11 @@ ms.reviewer:
# Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust
Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -19,11 +19,11 @@ ms.reviewer:
# Hybrid Azure AD joined Certificate Trust Deployment
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
@ -31,12 +31,14 @@ It is recommended that you review the Windows Hello for Business planning guide
This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment.
## New Deployment Baseline ##
## New Deployment Baseline
The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
## Federated Baseline ##
## Federated Baseline
The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment.
Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
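Review bot: the header counts (12 lines to 14) show two additions beyond the visible removal of trailing `##` from `## New Deployment Baseline` and `## Federated Baseline`, presumably blank lines around the headings; confirm that is all they are. In the context line, `familiarize themselves Windows Hello for Business` is missing `with`.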
@ -49,6 +51,7 @@ Regardless of the baseline you choose, your next step is to familiarize yourself
<hr>
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. Overview (*You are here*)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -20,12 +20,12 @@ ms.reviewer:
# Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate Trust
## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
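Review bot: the title `Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization` has the hyphen attached to `Business`, while the sibling page in this commit uses `Windows Hello for Business - Group Policy` with a spaced hyphen; `Certificate Trust` is also capitalized here but `Certificate trust` in the other `Applies to` lists of this commit. Both are visible in this hunk's context, so they can be aligned while the file is being touched.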

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -19,11 +19,11 @@ ms.reviewer:
# Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust
## Policy Configuration
@ -35,9 +35,10 @@ Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 C
Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate.
Domain joined clients of hybrid certificate-based deployments of Windows Hello for Business needs three Group Policy settings:
* Enable Windows Hello for Business
* Use certificate for on-premises authentication
* Enable automatic enrollment of certificates
- Enable Windows Hello for Business
- Use certificate for on-premises authentication
- Enable automatic enrollment of certificates
### Configure Domain Controllers for Automatic Certificate Enrollment
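Review bot: `newly create domain controller authentication certificate` should be `newly created`, and `Domain joined clients ... needs three Group Policy settings` should be `need`; both are context lines adjacent to the bullets being restyled. The hunk header's context text `you can create copy the .ADMX and .ADML files` is also missing a word between `create` and `copy`.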

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -19,21 +19,22 @@ ms.reviewer:
# Configure Hybrid Azure AD joined Windows Hello for Business
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust
Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model.
> [!IMPORTANT]
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
The configuration for Windows Hello for Business is grouped in four categories. These categories are:
* [Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
* [Public Key Infrastructure](hello-hybrid-cert-whfb-settings-pki.md)
* [Active Directory Federation Services](hello-hybrid-cert-whfb-settings-adfs.md)
* [Group Policy](hello-hybrid-cert-whfb-settings-policy.md)
- [Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
- [Public Key Infrastructure](hello-hybrid-cert-whfb-settings-pki.md)
- [Active Directory Federation Services](hello-hybrid-cert-whfb-settings-adfs.md)
- [Group Policy](hello-hybrid-cert-whfb-settings-policy.md)
For the most efficient deployment, configure these technologies in order beginning with the Active Directory configuration
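Review bot: `Windows Hello for business` in the first paragraph drops the capital B of the product name used everywhere else on this page, and the closing line `configure these technologies in order beginning with the Active Directory configuration` has no terminal period.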

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -19,19 +19,19 @@ ms.reviewer:
# Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust
Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies
* [Active Directory](#active-directory)
* [Public Key Infrastructure](#public-key-infrastructure)
* [Azure Active Directory](#azure-active-directory)
* [Multifactor Authentication Services](#multifactor-authentication-services)
- [Active Directory](#active-directory)
- [Public Key Infrastructure](#public-key-infrastructure)
- [Azure Active Directory](#azure-active-directory)
- [Multifactor Authentication Services](#multifactor-authentication-services)
New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) section to prepare your Windows Hello for Business deployment by configuring directory synchronization.
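Review bot: this is the hybrid key trust new-installation page, yet the last paragraph says `to support your hybrid certificate trust Windows Hello for Business deployment`; the rest of the hunk (title, `Applies to`, the link to hello-hybrid-key-trust-dirsync.md) is key trust, so `certificate trust` looks like a copy-and-paste leftover from the certificate trust page. Also, `rely on these technologies` introduces the list and needs a trailing colon.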

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -19,11 +19,11 @@ ms.reviewer:
# Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust
You are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication.
@ -36,6 +36,7 @@ You are ready to configure device registration for your hybrid environment. Hybr
> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction)
## Configure Azure for Device Registration
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal).
@ -48,6 +49,7 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory
<hr>
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
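Review bot: in the key trust deployment guide's step list, step 1 links to hello-hybrid-cert-trust.md and step 2 to hello-hybrid-cert-trust-prereqs.md, the certificate trust pages, while step 3 correctly links to hello-hybrid-key-new-install.md; confirm whether steps 1 and 2 should point at the key trust overview and prerequisites pages instead.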

View File

@ -19,21 +19,22 @@ ms.reviewer:
# Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
* [Directories](#directories)
* [Public Key Infrastructure](#public-key-infrastructure)
* [Directory Synchronization](#directory-synchronization)
* [Federation](#federation-with-azure)
* [Multifactor authentication](#multifactor-authentication)
* [Device Registration](#device-registration)
- [Directories](#directories)
- [Public Key Infrastructure](#public-key-infrastructure)
- [Directory Synchronization](#directory-synchronization)
- [Federation](#federation-with-azure)
- [Multifactor authentication](#multifactor-authentication)
- [Device Registration](#device-registration)
## Directories
@ -62,20 +63,21 @@ Review these requirements and those from the Windows Hello for Business planning
<br>
## Public Key Infrastructure
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows devices to trust the domain controller.
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](/troubleshoot/windows-server/windows-security/requirements-domain-controller).
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder.
* Optionally, the certificate Subject section could contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
* The domain controller certificate must be installed in the local computer's certificate store. See [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](./hello-hybrid-key-whfb-settings-pki.md) for details.
- The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder.
- Optionally, the certificate Subject section could contain the directory path of the server object (the distinguished name).
- The certificate Key Usage section must contain Digital Signature and Key Encipherment.
- Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
- The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
- The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
- The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
- The domain controller certificate must be installed in the local computer's certificate store. See [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](./hello-hybrid-key-whfb-settings-pki.md) for details.
> [!IMPORTANT]
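Review bot: the only change in this hunk is the list marker on the domain controller certificate requirements (`*` replaced by `-`); the text of every bullet is identical, so this is a cosmetic edit unrelated to the ownership transfer named in the commit message and would be easier to review in its own commit. While these lines are being touched, the bullet "Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]" mixes "optionally" with "should"; "may contain" states the intent without the contradiction.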
@ -96,6 +98,7 @@ The two directories used in hybrid deployments must be synchronized. You need A
Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect.
### Section Review
> [!div class="checklist"]
> * Azure Active Directory Connect directory synchronization
> * [Upgrade from DirSync](/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started)
@ -103,8 +106,8 @@ Organizations using older directory synchronization technology, such as DirSync
<br>
## Federation with Azure
You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](/azure/active-directory/hybrid/whatis-phs) or [Azure Active Directory Pass-through-Authentication](/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later.
> [!div class="checklist"]
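Review bot: in the "Federation with Azure" paragraph the link text "Password Synchronization with Azure AD Connect" points to the `whatis-phs` page, whose feature is named password hash synchronization (PHS); using the feature's actual name avoids suggesting that cleartext passwords are synchronized. The paragraph also names "Active Directory Federation Services (AD FS) 2012 R2 or later" as the federated baseline, which should be checked against the Windows Server 2016 AD FS requirement stated in the MFA section checklist below.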
@ -120,6 +123,7 @@ Windows Hello for Business is a strong, two-factor credential the helps organiza
Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD.
### Section Review
> [!div class="checklist"]
> * Azure MFA Service
> * Windows Server 2016 AD FS and Azure (optional, if federated)
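Review bot: the context line in this hunk's header still reads "a strong, two-factor credential the helps organiza", which should be "that helps"; this commit touches the section, so the typo could be fixed here. In the body, the paragraph says AD FS has supported third-party MFA adapters "beginning with Windows Server 2012 R2", while the checklist requires "Windows Server 2016 AD FS and Azure (optional, if federated)"; the two should state the same minimum version, and "Azure's Multifactor Authentication (MFA) service" should use the product name "Azure AD Multi-Factor Authentication".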
@ -135,7 +139,6 @@ Organizations wanting to deploy hybrid key trust need their domain joined device
You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data.
### Section Checklist
> [!div class="checklist"]
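Review bot: in the provisioning paragraph, "This URL does not require any authentication and as such, does not collect any user data" presents the second claim as a consequence of the first, but an unauthenticated endpoint can still collect data; state "does not collect any user data" as its own sentence if that is the intended guarantee. The heading "### Section Checklist" also differs from the "### Section Review" heading used by the other sections in this hunk's file; pick one wording.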
@ -161,6 +164,7 @@ For federated and non-federated environments, start with **Configure Windows Hel
<hr>
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-key-trust.md)
2. Prerequisites (*You are here*)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
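Review bot: the ownership transfer updates `author` and `ms.author` here but leaves `ms.reviewer:` empty and does not touch `ms.date`, whereas the "Manage Windows Hello for Business in your organization" article later in this commit has its `ms.date` bumped to `2/15/2022`; apply the same treatment to every file in the commit (either bump the date everywhere or nowhere) so the metadata stays consistent across the set.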
@ -19,15 +19,14 @@ ms.reviewer:
# Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust
Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users.
### Creating Security Groups
Windows Hello for Business uses a security group to simplify the deployment and management.
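Review bot: the "Applies to" list in this hunk only loses its leading whitespace, which is fine, but the lines right after it show "### Creating Security Groups" as an H3 directly under the H1 title with no H2 in between; use "## Creating Security Groups" (or add the missing H2) so the heading hierarchy is not skipped. "Sign-in a domain controller" in the next hunk's header should read "Sign in to a domain controller".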
@ -59,6 +58,7 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva
<hr>
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
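Review bot: the first navigation entry under "## Follow the Windows Hello for Business hybrid key trust deployment guide" links to the certificate trust overview, `1. [Overview](hello-hybrid-cert-trust.md)`, while the prerequisites entry on the next line links to `hello-hybrid-key-trust-prereqs.md`; the key trust prerequisites article earlier in this commit links its overview to `hello-hybrid-key-trust.md`, so this entry should be corrected to match.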

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -19,10 +19,11 @@ ms.reviewer:
# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust
## Directory Synchronization
@ -55,6 +56,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
<hr>
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
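Review bot: same wrong target as in the Active Directory article: `1. [Overview](hello-hybrid-cert-trust.md)` under the hybrid key trust guide heading should point at `hello-hybrid-key-trust.md`, consistent with the key trust prerequisites article in this commit.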

View File

@ -8,8 +8,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection:
- M365-identity-device-management

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -19,11 +19,11 @@ ms.reviewer:
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust
Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration.
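Review bot: the sentence "requires an additional server update" does not identify the update; without a name or link a reader cannot verify that the AD FS server has it installed, so the update should be linked here. "Active Directory Federation Service role" should also be "Active Directory Federation Services (AD FS) role", and the "Applies to" list says "On-premises deployment" while the rest of this commit's files for the same guide are hybrid key trust articles; confirm the scope line is correct for this article.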
@ -344,6 +344,7 @@ Before you continue with the deployment, validate your deployment progress by re
## Follow the Windows Hello for Business on premises certificate trust deployment guide
1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*)
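Review bot: the heading "## Follow the Windows Hello for Business on premises certificate trust deployment guide" contradicts the article title ("...Federation Services with Key Trust") and the entries beneath it, which link to `hello-key-trust-validate-ad-prereq.md` and `hello-key-trust-validate-pki.md`; change it to "on-premises key trust deployment guide" (hyphenated).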

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -19,10 +19,11 @@ ms.reviewer:
# Configure Windows Hello for Business Policy settings - Key Trust
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
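Review bot: the paragraph tells readers to download the Remote Server Administration Tools from the Download Center, but on Windows 10 version 1809 and later (and Windows 11, which this article's "Applies to" list now includes) RSAT is installed as a Feature on Demand from Settings or DISM rather than from that package; the guidance should mention the Features on Demand path so readers on current builds are not sent to a package that does not apply to them.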

View File

@ -8,8 +8,8 @@ ms.sitesec: library
ms.pagetype: security, mobile
author: dansimp
audience: ITPro
ms.author: dansimp
manager: dansimp
ms.author: GitPrakhar13
manager: GitPrakhar13
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
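Review bot: this hunk changes the wrong field: `manager: dansimp` becomes `manager: GitPrakhar13` while `author: dansimp` is left untouched, whereas every other file in the commit replaces `author`/`ms.author` and keeps `manager: dansimp`. The intended edit is almost certainly `author: GitPrakhar13` with `manager: dansimp` restored.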
@ -19,10 +19,10 @@ ms.reviewer:
# Validate Active Directory prerequisites - Key Trust
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust
Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
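Review bot: "an adequate number of 2016 or later domain controllers" drops the product name; write "Windows Server 2016 or later domain controllers" as the linked planning section's title does, so the version is unambiguous.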

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -8,20 +8,21 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 1/20/2021
ms.date: 2/15/2022
---
# Manage Windows Hello for Business in your organization
**Applies to**
- Windows 10
- Windows 11
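Review bot: this is the only file in the commit whose `ms.date` is bumped (`1/20/2021` to `2/15/2022`); an author metadata change does not alter the article's content, so either leave the date alone here or update it in all the other files being reassigned, otherwise the dates no longer reflect when content last changed.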

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection:
- M365-identity-device-management

View File

@ -9,8 +9,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -21,8 +21,9 @@ ms.date: 08/19/2018
# Prepare people to use Windows Hello
**Applies to**
- Windows 10
- Windows 11
- Windows 10
- Windows 11
When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@ -19,8 +19,9 @@ ms.reviewer:
# Windows Hello for Business Videos
**Applies to**
- Windows 10
- Windows 11
- Windows 10
- Windows 11
## Overview of Windows Hello for Business and Features

View File

@ -8,8 +8,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection:
- M365-identity-device-management
@ -23,8 +23,8 @@ ms.date: 10/23/2017
**Applies to**
- Windows 10
- Windows 11
- Windows 10
- Windows 11
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
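Review bot: the "Applies to" list in this hunk now includes Windows 11, but the first body sentence still says "Windows Hello in Windows 10 enables users to sign in to their device using a PIN"; drop the version qualifier or say "Windows 10 and Windows 11" so the body matches the scope list.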

View File

@ -8,9 +8,9 @@ metadata:
description: Learn how to manage and deploy Windows Hello for Business.
ms.prod: m365-security
ms.topic: landing-page
author: mapalko
author: GitPrakhar13
manager: dansimp
ms.author: mapalko
ms.author: GitPrakhar13
ms.date: 01/22/2021
ms.collection:
- M365-identity-device-management

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
author: GitPrakhar13
ms.author: GitPrakhar13
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article