mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-20 09:17:25 +00:00
Updates
This commit is contained in:
parent
69cd22faa6
commit
aa3dfaccb5
@ -26,7 +26,7 @@ Windows Hello for Business involves configuring distributed technologies that ma
* [Active Directory Federation Services](#active-directory-federation-services)
New installations are considerably more involved than existing implementations because you are building the entire infrastructure new. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If you're environment meets these needs, you can read the [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) section to learn about specific Windows Hello for Business configuration settings.
New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If you're environment meets these needs, you can read the [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) section to learn about specific Windows Hello for Business configuration settings.
The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. This document expects you have Active Directory deployed using Windows Server 2008 R2 or later domain controllers.
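Review bot: the rewrite of the first paragraph drops the stray "new" but leaves three typos on the same line untouched: "exsting envrionment" should read "existing environment", and "If you're environment meets these needs" should be "If your environment meets these needs". Since the line is already being modified in this commit, fix all of them here.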
@ -34,7 +34,7 @@ The new installation baseline begins with a basic Active Directory deployment an
## Active Directory ##
Production environments should follow Active Directory best practices regarding the number and placement of domain controllers to ensure adequate authentication throughout the organization.
Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting of issue, such as Active Directory replication, which is unrelated to project goal.
Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal.
### Section Review
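Review bot: the replacement sentence is still ungrammatical. "can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal" needs a plural and an article; suggest "can reduce troubleshooting of issues, such as Active Directory replication, that are unrelated to the activity's goal".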
@ -47,7 +47,7 @@ Lab environments and isolated proof of concepts may want to limit the number of
Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
### Lab-based public key infrastructure
@ -18,9 +18,9 @@ localizationpriority: high
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. Specific pieces of the infrastructure include:
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
* [Directories](#directories)
* [Public Key Infrastucture](#public-key-infastructure)
* [Directory Synchronization](#directory-synchronization)
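Review bot: the unchanged context line "* [Public Key Infrastucture](#public-key-infastructure)" has a typo in the link text and an anchor that will not resolve: the heading it points to, "## Public Key Infrastructure ##" (visible in a later hunk of this diff), generates the anchor "#public-key-infrastructure". Correct both spellings while this list is being edited.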
@ -29,9 +29,9 @@ The distributed systems on which these technologies were built involved several
* [Device Registration](#device-registration)
## Directories ##
Hybrid Windows Hello for Business needs two directories—and on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain controller, domain functional level, and forest functional level for Windows Hello for Business deployment is Windows Server 2008 R2.
Hybrid Windows Hello for Business needs two directories: an on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain controller, domain functional level, and forest functional level for Windows Hello for Business deployment is Windows Server 2008 R2.
A hybrid Windows Hello for Busines deployment needs Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, do not require Azure Active Directory premium subscription.
A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, do not require Azure Active Directory premium subscription.
Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. However, it does requires the Windows Server 2016 Active Directory schema.
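Review bot: the replacement lines fix the dash and the missing article but keep "Windows Hello for Busines" (missing an s) in the second paragraph, and that paragraph's last sentence still lacks an article: "do not require an Azure Active Directory premium subscription". The context line "However, it does requires the Windows Server 2016 Active Directory schema" should read "it does require".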
@ -50,7 +50,7 @@ Review these requirements and those from the Windows Hello for Business planning
<br>
## Public Key Infrastructure ##
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate.
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller.
Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment use the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority.
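Review bot: the unchanged context line below the edit names the registration authority as "Windows Server 2016 Active Directory Federation Server (AS FS)". The product is Active Directory Federation Services and the abbreviation used everywhere else in this diff is "AD FS" (see the Multifactor Authentication section and the provisioning hunk), so "AS FS" is a typo that should be fixed here. The same line also needs a plural subject: "hybrid certificate trust deployments use".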
@ -86,7 +86,7 @@ Federating your on-premises Active Directory with Azure Active Directory ensures
<br>
## Multifactor Authentication ##
Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor and a second factor of authentication.
Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication.
Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS.
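Review bot: the new sentence breaks in the middle: "using their username and password as one factor. but needs a second factor of authentication." leaves "but needs" as a lowercase fragment with no subject. Replace the period with a comma: "... as one factor, but needs a second factor of authentication." On the same line "the helps" should be "that helps", and in the following context line "multifactor authentication provides by" should be "provided by".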
@ -20,19 +20,19 @@ localizationpriority: high
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
It is recommended that review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment.
## New Deployment Baseline ##
The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations how are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves by deploying a lab environment.
The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations how are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
## Federated Baseline ##
The federated baseline helps organizations who have completed their federation with Azure Active Directory and Office 365 introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed add Windows Hello for Business to an existing hybrid deployment.
The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Windows Hello for Business to an existing hybrid deployment.
Regardless of the baseline you choose, you’re next step is to familiarize yourself with the Prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
Regardless of the baseline you choose, you’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
<br><br>
<hr>
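Review bot: the new line for the deployment baseline introduces a missing preposition, "familiarize themselves Windows Hello for Business by deploying", which should be "familiarize themselves with Windows Hello for Business by deploying", and it leaves "organizations how are looking" in place ("who are looking"). The last edited paragraph changes "Prerequisites" to lowercase but still opens with "you're next step"; that should be "your next step".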
@ -53,9 +53,12 @@ The remainder of the provisioning includes Windows Hello for Business requesting
>[!NOTE]
> Microsoft is actively investigating in ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time.
After a successfully key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment.
After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment.
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that provisioning is complete and they can immediately use their PIN to sign-in.
The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center.
<allset.png>
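Review bot: the added line "<allset.png>" is not Markdown image syntax; it will render as literal text or be dropped as an unknown HTML tag instead of showing the screenshot. Use the image form with alt text, for example "![Provisioning complete](<path-to-image>/allset.png)", with the placeholder replaced by the image's actual path in this repo. In the edited paragraph above, "Windows send the certificate request" should be "Windows sends", and the NOTE still reads "actively investigating in ways" and "syncrhonization", presumably "actively investigating ways" and "synchronization".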
@ -17,7 +17,7 @@ ms.author: mstephen
>[!div class="step-by-step"]
[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md)
[ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md)
[ Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema.
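Review bot: the renamed link keeps a leading space inside the brackets, "[ Configure PKI >]", inherited from the old text; it does not match the back link "[< Configure Windows Hello for Business]" directly above it, which has none. Drop the space so the two step-by-step links are formatted consistently.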
@ -16,7 +16,7 @@ ms.author: mstephen
- Windows 10
> [!div class="step-by-step"]
[Configure Windows Hello for Business: Active Directory >](hello-hybrid-cert-whfb-settings-ad.md)
[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md)
>[!IMPORTANT]
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
@ -34,7 +34,7 @@ The configuration for Windows Hello for Business is grouped in four categories.
For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration
> [!div class="step-by-step"]
[Configure Windows Hello for Business: Active Directory >](hello-hybrid-cert-whfb-settings-ad.md)
[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md)
<br>
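Review bot: the context line just above this hunk's change, "For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration", has a typo ("efficient") and no terminating period; worth fixing alongside the link rename since it is the sentence that introduces the renamed link.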