diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index d3889bdc51..88d3458155 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -8041,12 +8041,12 @@ "redirect_document_id": false }, { - "source_path": "windows/security/identity-protection/hello-for-business/rdp-sign-in/hello-feature-remote-desktop.md", + "source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md", "redirect_url": "/windows/security/identity-protection/hello-for-business/rdp-sign-in", "redirect_document_id": false }, { - "source_path": "windows/security/identity-protection/hello-for-business/rdp-sign-in/hello-deployment-rdp-certs.md", + "source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md", "redirect_url": "/windows/security/identity-protection/hello-for-business/rdp-sign-in", "redirect_document_id": false } diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 4f52648ad3..6f42bde365 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -5,7 +5,7 @@ metadata: author: paolomatarazzo ms.author: paoloma ms.topic: faq - ms.date: 08/03/2023 + ms.date: 12/08/2023 title: Common questions about Windows Hello for Business summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business. 
@@ -242,7 +242,7 @@ sections: - attempting to access on-premises resources secured by Active Directory - question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust? answer: | - Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose. + Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](rdp-sign-in.md) for this purpose. - question: Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust? answer: | No, only the number necessary to handle the load from all cloud Kerberos trust devices. diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md index 39dcb88cd8..1262d447b9 100644 --- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md +++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md 
@@ -11,7 +11,7 @@ You can use Windows Hello for Business to sign in to a remote desktop session, u This article describes three certificate deployment approaches, where authentication certificates are deployed to the Windows Hello for Business container: -- Using an Active Directory Certificate Services enrollment policy +- Using an Active Directory Certificate Services (AD CS) enrollment policy - Using Microsoft Intune with SCEP or PKCS connectors - Using a third-party PKI @@ -39,7 +39,7 @@ Windows Hello for Business emulates a smart card for application compatibility, This process is applicable to scenarios where you deploy certificates using an on-premises Active Directory Certificate Services infrastrusture, which include: -- Using an Active Directory Certificate Services enrollment policy +- Using an AD CS enrollment policy - Using Microsoft Intune with SCEP or PKCS connectors You must first create a *certificate template*, and then deploy certificates based on that template to the Windows Hello for Business container. The following steps describe how to create a certificate template: @@ -59,7 +59,7 @@ You must first create a *certificate template*, and then deploy certificates bas | *Subject Name* |
**Note:** If you deploy certificates via Intune, select **Supply in the request** instead of *Build from this Active Directory*.| |*Request Handling*|
**Note:** If you deploy certificates via Intune with a PKCS profile, select the option **Allow private key to be exported**| |*Cryptography*|
**Note:** If you deploy certificates via Intune with a PKCS profile, use the **Microsoft Software Key Storage Provider**| - |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them| + |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them.
**Note:** If you deploy certificates via Intune, grant **Enroll** access to the service principal used for SCEP or PKCS.| 1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates 1. Close the Certificate Templates console @@ -104,7 +104,9 @@ The following steps are required when you deploy certificates using an on-premis 1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list 1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service** -### Request a certificate +## Deploy certificates via AD CS enrollment policy + +Here are the steps to manually request a certificate using an Active Directory Certificate Services enrollment policy: 1. Sign in to a client that is Microsoft Entra hybrid joined, ensuring that the client has line of sight to a domain controller and the issuing CA 1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc` @@ -114,6 +116,8 @@ The following steps are required when you deploy certificates using an on-premis 1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll** 1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen +Alternatively, you can configure the certificate template + ## Deploy certificates via Intune This process is applicable to both *Microsoft Entra joined* and *Microsoft Entra hybrid joined* devices that are managed via Intune. 
@@ -188,12 +192,12 @@ The `Generate-CertificateRequest` commandlet generates an `.inf` file for a pre- After the certificate is obtained, users can RDP to any Windows devices in the same Active Directory forest as the user's Active Directory account. :::row::: - :::column span="2"::: + :::column span="1"::: 1. Open the Remote Desktop Client (`mstsc.exe`) on the client where the authentication certificate is deployed 1. Attempt an RDP session to a target server 1. Use the certificate credential protected by your Windows Hello for Business gesture to authenticate :::column-end::: - :::column span="2"::: + :::column span="3"::: > [!VIDEO https://learn-video.azurefd.net/vod/player?id=b6e1038d-98b5-48dc-8afb-65523d12cfaf] :::column-end::: :::row-end::: diff --git a/windows/security/identity-protection/images/remote-credential-guard.gif b/windows/security/identity-protection/images/remote-credential-guard.gif deleted file mode 100644 index effe8a4bc2..0000000000 Binary files a/windows/security/identity-protection/images/remote-credential-guard.gif and /dev/null differ diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 1dd92a7bce..7eb103698c 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -2,7 +2,7 @@ title: Remote Credential Guard description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device. ms.topic: how-to -ms.date: 12/04/2023 +ms.date: 12/08/2023 appliesto: - ✅ Windows 11 - ✅ Windows 10 
@@ -191,7 +191,7 @@ Not documented. Once a client receives the policy, you can connect to the remote host using Remote Credential Guard by opening the Remote Desktop Client (`mstsc.exe`). The user is automatically authenticated to the remote host: -:::image type="content" source="images/remote-credential-guard.gif" alt-text="Animation showing a client connecting to a remote server using Remote Credential Guard with SSO."::: +[!VIDEO https://learn-video.azurefd.net/vod/player?id=39cc96a2-5193-48be-a4f3-d491571fd9a1] > [!NOTE] > The user must be authorized to connect to the remote server using the Remote Desktop protocol, for example by being a member of the Remote Desktop Users local group on the remote host.
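Review bot: in the .openpublishing.redirection.windows-security.json hunk both redirect entries now carry the identical `"source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md"`, so the entry is duplicated and the redirect for the former `rdp-sign-in/hello-feature-remote-desktop.md` page is lost. The first entry should keep a distinct source path for the hello-feature-remote-desktop page (at whatever location it was actually published), or the duplicate should be dropped; a redirect that no longer covers the old URL will leave readers with a 404 rather than the intended rdp-sign-in page.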
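Review bot: the @@ -39,7 hunk of rdp-sign-in.md touches the bullet list under the sentence "deploy certificates using an on-premises Active Directory Certificate Services infrastrusture", and that context line has a typo (`infrastrusture`) that should be corrected to `infrastructure` while this paragraph is being edited.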
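Review bot: the @@ -104,7 hunk of rdp-sign-in.md promotes `### Request a certificate` to `## Deploy certificates via AD CS enrollment policy`, which changes the in-page anchor; any links to the old `#request-a-certificate` fragment (from the TOC, the FAQ, or other hello-for-business articles) should be checked and updated. The new H2 also makes the preceding CA steps (publishing the template, then `All Tasks > Stop Service` / `Start Service`) the end of the previous section, so confirm that section heading still describes them.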
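Review bot: the line `+Alternatively, you can configure the certificate template` added in the @@ -114,6 hunk of rdp-sign-in.md is an unfinished sentence with no terminating punctuation: it does not say what the template should be configured for, nor link to where that is described. Complete the sentence or remove it before merge, otherwise it ships as a dangling fragment directly above the "Deploy certificates via Intune" heading.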
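Review bot: the @@ -188,12 hunk of rdp-sign-in.md changes the column spans to `span="1"` / `span="3"`, which is fine for widening the video, but the hunk header context reads "The `Generate-CertificateRequest` commandlet generates an `.inf` file"; the PowerShell term is `cmdlet`, so fix `commandlet` in that sentence while the row is being edited.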
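Review bot: in the remote-credential-guard.md @@ -191,7 hunk the new embed is written as `[!VIDEO https://learn-video.azurefd.net/vod/player?id=39cc96a2-5193-48be-a4f3-d491571fd9a1]` without the leading `> `, whereas the existing video in rdp-sign-in.md in this same patch uses `> [!VIDEO ...]`; use the blockquote form here too so the extension renders consistently. Since this hunk removes the only visible reference to `images/remote-credential-guard.gif` and the file is deleted, also confirm no other article still references that image, as that would now be a broken image link.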