From ac6a6fb7532422f810ccc0a0a5ad2d20f6772d9e Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 15 Dec 2023 07:37:56 -0500
Subject: [PATCH] Cert trust deployment guides refresh
---
.../hello-cert-trust-adfs.md | 5 ++-
.../hello-cert-trust-policy-settings.md | 3 +-
.../hello-cert-trust-validate-ad-prereq.md | 33 ----------------
.../hello-cert-trust-validate-deploy-mfa.md | 4 +-
.../hello-cert-trust-validate-pki.md | 1 +
.../hello-deployment-cert-trust.md | 33 ++++++++++++----
.../hello-hybrid-cert-trust-validate-pki.md | 2 +-
.../hello-hybrid-cert-trust.md | 6 +--
.../hello-hybrid-cert-whfb-provision.md | 2 +-
.../hello-hybrid-cert-whfb-settings-adfs.md | 3 +-
.../includes/dc-certificate-deployment.md | 2 +-
.../includes/dc-certificate-supersede.md | 3 +-
.../includes/dc-certificate-template.md | 33 ++++++----------
.../includes/dc-certificate-validate.md | 2 +-
.../enrollment-agent-certificate-template.md | 2 +-
.../includes/hello-cloud.md | 2 +-
.../includes/hello-deployment-cloud.md | 2 +-
.../includes/hello-deployment-hybrid.md | 2 +-
.../includes/hello-deployment-onpremises.md | 2 +-
.../includes/hello-hybrid-cert-trust-aad.md | 2 +-
.../includes/hello-hybrid-cert-trust.md | 2 +-
.../includes/hello-hybrid-cloudkerb-trust.md | 2 +-
.../includes/hello-hybrid-key-trust.md | 2 +-
.../hello-hybrid-keycert-trust-aad.md | 2 +-
.../includes/hello-intro.md | 2 +-
.../includes/hello-join-aad.md | 2 +-
.../includes/hello-join-domain.md | 2 +-
.../includes/hello-join-hybrid.md | 2 +-
.../includes/hello-on-premises-cert-trust.md | 2 +-
.../includes/lab-based-pki-deploy.md | 2 +-
.../unpublish-superseded-templates.md | 3 +-
.../web-server-certificate-template.md | 39 +++++++------------
.../hello-for-business/toc.yml | 2 -
33 files changed, 84 insertions(+), 124 deletions(-)
delete mode 100644 windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index dbdfe3cab6..4a9f5f7e9c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -1,7 +1,7 @@
---
title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust model
description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business on-premises certificate trust model.
-ms.date: 09/07/2023
+ms.date: 12/15/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -29,6 +29,7 @@ Prepare the AD FS deployment by installing and **updating** two Windows Servers.
Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm:
+
- **Subject Name**: the internal FQDN of the federation server
- **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*)
@@ -318,4 +319,4 @@ Each file in this folder represents a certificate in the service account's Perso
For detailed information about the certificate, use `Certutil -q -v `.
> [!div class="nextstepaction"]
-> [Next: validate and deploy multi-factor authentication (MFA)](hello-cert-trust-validate-deploy-mfa.md)
\ No newline at end of file
+> [Next: validate and deploy multi-factor authentication (MFA) >](hello-cert-trust-validate-deploy-mfa.md)
\ No newline at end of file
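Review bot: The rewritten last line of hello-cert-trust-adfs.md is still followed by `\ No newline at end of file`, so the file keeps its missing trailing newline; add one while this line is being touched. The context line above shows `Certutil -q -v ` with nothing after the switches, so it is worth confirming that the file-name argument the sentence relies on is present in the source.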
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 830d49e11a..7488f93b1a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -1,7 +1,7 @@
---
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
-ms.date: 09/07/2023
+ms.date: 12/15/2023
ms.topic: tutorial
---
# Configure Windows Hello for Business group policy settings - on-premises certificate Trust
@@ -9,6 +9,7 @@ ms.topic: tutorial
[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
On-premises certificate-based deployments of Windows Hello for Business need three Group Policy settings:
+
- Enable Windows Hello for Business
- Use certificate for on-premises authentication
- Enable automatic enrollment of certificates
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
deleted file mode 100644
index 220079357a..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Validate Active Directory prerequisites in an on-premises certificate trust
-description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a certificate trust model.
-ms.date: 09/07/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
-ms.topic: tutorial
----
-# Validate Active Directory prerequisites - on-premises certificate trust
-
-[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
-
-The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema.
-
-## Create the Windows Hello for Business Users security group
-
-The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
-
-Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**
-1. Select **View > Advanced Features**
-1. Expand the domain node from the navigation pane
-1. Right-click the **Users** container. Select **New > Group**
-1. Type *Windows Hello for Business Users* in the **Group Name**
-1. Select **OK**
-
-> [!div class="nextstepaction"]
-> [Next: validate and configure PKI >](hello-cert-trust-validate-pki.md)
\ No newline at end of file
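Review bot: Deleting this file drops the sentence "The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema", and none of the lines added to hello-deployment-cert-trust.md in this patch restate it. Only the security group section is carried over, so move the schema requirement into the deployment guide as well, or link to wherever it is now documented.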
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index 087d2813e3..9c22949b67 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -1,7 +1,7 @@
---
title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
description: Validate and deploy multifactor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model.
-ms.date: 09/07/2023
+ms.date: 12/15/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -28,4 +28,4 @@ For information about third-party authentication methods, see [Configure Additio
Follow the integration and deployment guide for the authentication provider you plan to integrate to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
> [!div class="nextstepaction"]
-> [Next: configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
+> [Next: configure Windows Hello for Business Policy settings >](hello-cert-trust-policy-settings.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index e98fede731..2b4e0e988c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -10,6 +10,7 @@ appliesto:
- ✅ Windows Server 2016
ms.topic: tutorial
---
+
# Configure and validate the Public Key Infrastructure - on-premises certificate trust
[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
index 04edf25531..6e3a9ccc04 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business deployment guide for the on-premises certificate trust model
description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model.
-ms.date: 09/07/2023
+ms.date: 12/15/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -14,10 +14,29 @@ ms.topic: tutorial
[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
-Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment:
+Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment.
-1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
-2. [Validate and configure a PKI](hello-cert-trust-validate-pki.md)
-3. [Prepare and deploy AD FS](hello-cert-trust-adfs.md)
-4. [Validate and deploy multi-factor authentication (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
\ No newline at end of file
+There are four steps to deploying Windows Hello for Business in an on-premises certificate trust model:
+
+1. [Validate and configure a PKI](hello-cert-trust-validate-pki.md)
+1. [Prepare and deploy AD FS](hello-cert-trust-adfs.md)
+1. [Validate and deploy multi-factor authentication (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+1. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
+
+## Create the Windows Hello for Business Users security group
+
+While this is not a required step, it is recommended to create a security group to simplify the deployment.
+
+The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign certificate templates and group policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
+
+Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
+
+1. Open **Active Directory Users and Computers**
+1. Select **View > Advanced Features**
+1. Expand the domain node from the navigation pane
+1. Right-click the **Users** container. Select **New > Group**
+1. Type *Windows Hello for Business Users* in the **Group Name**
+1. Select **OK**
+
+> [!div class="nextstepaction"]
+> [Next: validate and configure a PKI >](hello-cert-trust-validate-pki.md)
\ No newline at end of file
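Review bot: The new "Create the Windows Hello for Business Users security group" section sits after the list introduced as "There are four steps", yet the added text says certificate templates and group policy permissions are assigned to this group, which makes it preparation for steps 1 and 4. State that ordering explicitly, for example by telling the reader to create the group before moving on to the PKI guide. The carried-over phrase "with a *Domain Administrator* equivalent credentials" should read "with *Domain Administrator* equivalent credentials", and the file still ends without a trailing newline.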
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
index e3340a65c2..5c1373aff0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
@@ -1,7 +1,7 @@
---
title: Configure and validate the Public Key Infrastructure in an hybrid certificate trust model
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
-ms.date: 01/03/2023
+ms.date: 12/15/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index 754b52a3a5..bd31955a65 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business hybrid certificate trust deployment
description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 03/16/2023
+ms.date: 12/15/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -51,8 +51,6 @@ The hybrid-certificate trust deployment needs an *Microsoft Entra ID P1 or P2* s
> [!IMPORTANT]
> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.
-
-
### Federated authentication to Microsoft Entra ID
Windows Hello for Business hybrid certificate trust doesn't support Microsoft Entra ID *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\
@@ -91,8 +89,6 @@ The enterprise PKI and a certificate registration authority (CRA) are required t
During Windows Hello for Business provisioning, users receive a sign-in certificate through the CRA.
-
-
### Multifactor authentication
The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 0d5ed158f7..c9c9503992 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business hybrid certificate trust clients configuration and enrollment
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 01/03/2023
+ms.date: 12/15/2023
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 2a40af9e7f..03183dda2d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -1,7 +1,7 @@
---
title: Configure Active Directory Federation Services in a hybrid certificate trust model
description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business hybrid certificate trust model.
-ms.date: 01/03/2023
+ms.date: 12/15/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -10,6 +10,7 @@ appliesto:
- ✅ Windows Server 2016
ms.topic: tutorial
---
+
# Configure Active Directory Federation Services - hybrid certificate trust
[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cert-trust.md)]
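Review bot: The include on the context line below the heading is labelled `hello-hybrid-key-trust` but targets `./includes/hello-hybrid-cert-trust.md`. The target is the right one for this hybrid certificate trust page, so rename the label to `hello-hybrid-cert-trust` while the file is being touched to avoid confusion in later edits.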
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md
index 6059c8bb03..07d8c9cc38 100644
--- a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md
+++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/28/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md
index 20f8012d88..92853ac52e 100644
--- a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md
+++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/28/2022
+ms.date: 12/15/2023
ms.topic: include
---
@@ -30,4 +30,3 @@ However, the certificate template and the superseding of certificate templates i
>To see all certificates in the NTAuth store, use the following command:
>
> `Certutil -viewstore -enterprise NTAuth`
-
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md
index 1fff52b89c..9c85020231 100644
--- a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md
+++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/28/2022
+ms.date: 12/15/2023
ms.topic: include
---
@@ -27,25 +27,14 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
1. Open the **Certification Authority** management console
1. Right-click **Certificate Templates > Manage**
1. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and select **Duplicate Template**
-1. On the **Compatibility** tab:
- - Clear the **Show resulting changes** check box
- - Select **Windows Server 2016** from the **Certification Authority** list
- - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
-1. On the **General** tab
- - Type *Domain Controller Authentication (Kerberos)* in Template display name
- - Adjust the validity and renewal period to meet your enterprise's needs
- > [!NOTE]
- > If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
-1. On the **Subject Name** tab:
- - Select the **Build from this Active Directory information** button if it isn't already selected
- - Select **None** from the **Subject name format** list
- - Select **DNS name** from the **Include this information in alternate subject** list
- - Clear all other items
-1. On the **Cryptography** tab:
- - Select **Key Storage Provider** from the **Provider Category** list
- - Select **RSA** from the **Algorithm name** list
- - Type *2048* in the **Minimum key size** text box
- - Select **SHA256** from the **Request hash** list
-1. Select **OK**
-1. Close the console
+1. Use the following table to configure the template:
+ | Tab Name | Configurations |
+ | --- | --- |
+ | *Compatibility* | - Clear the **Show resulting changes** check box
- Select **Windows Server 2016** from the *Certification Authority list*
- Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*
|
+ | *General* | - Specify a **Template display name**, for example *Domain Controller Authentication (Kerberos)*
- Set the validity period to the desired value
- Take note of the template name for later, which should be the same as the Template display name minus spaces
|
+ | *Subject Name* | - Select **Build from this Active Directory information**
- Select **None** from the **Subject name format** list
- Select **DNS name** from the **Include this information in alternate subject** list
- Clear all other items
|
+ |*Cryptography*|- Set the *Provider Category* to **Key Storage Provider**
- Set the *Algorithm name* to **RSA**
- Set the *minimum key size* to **2048**
- Set the *Request hash* to **SHA256**
|
+
+1. Select **OK** to finalize your changes and create the new template
+1. Close the console
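Review bot: In the *Compatibility* row the control is now called *Certification Recipient list*, while the removed step named it **Certificate Recipient**; keep the original label so the text matches what the reader sees in the console. The *General* row also shortens "Adjust the validity and renewal period" to "Set the validity period", which loses the renewal period instruction, and the table italicizes UI labels where the surrounding numbered steps bold them. Pick one convention and keep the renewal period wording.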
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md
index 5f8e4a5a88..ec0faae68f 100644
--- a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md
+++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/28/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md b/windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md
index 0304c108d2..8e3cfc064b 100644
--- a/windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md
+++ b/windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md
@@ -1,5 +1,5 @@
---
-ms.date: 01/03/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md b/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md
index 4724b9d6da..59fb36a4d6 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
index 17dc33d7c4..dce66d7d01 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
index a67cb2cf2b..1c5a745e8c 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
index c33f3da2de..1cc478a8b9 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-aad.md
index 955f819fbf..a4726d4cdc 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-aad.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-aad.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust.md
index 81e14489f5..59f1e1a30a 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md
index 302cbee601..d67281a719 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
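Review bot: Only `ms.date` changes in hello-hybrid-cloudkerb-trust.md, and the same is true of the other include files in this patch that are not specific to certificate trust (hello-cloud.md, hello-hybrid-key-trust.md, hello-join-aad.md and similar). The subject line describes a cert trust refresh, so either leave the date alone on includes whose content was not reviewed, or note in the commit message that all includes were re-validated on 12/15/2023.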
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md
index 72a7d5634b..6a011daa04 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md
index 40496f1006..aedc840f8d 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-intro.md b/windows/security/identity-protection/hello-for-business/includes/hello-intro.md
index b89d23afb8..89062e7d07 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-intro.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-intro.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
index 29b890c78b..e0d8d9d793 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md
index 7cc1a49b9a..618568cbb7 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
index 80f9992cb8..9f10afb700 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-cert-trust.md
index 06ab63397f..a86114aeb6 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-cert-trust.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md b/windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md
index 5cc0341b05..2ccadb00cb 100644
--- a/windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md
@@ -1,5 +1,5 @@
---
-ms.date: 01/03/2023
+ms.date: 12/15/2023
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md b/windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md
index 5d8b4c3d0a..22db188040 100644
--- a/windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md
+++ b/windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/28/2022
+ms.date: 12/15/2023
ms.topic: include
---
@@ -15,4 +15,3 @@ Sign in to the CA or management workstation with *Enterprise Administrator* equi
1. Expand the parent node from the navigation pane > **Certificate Templates**
1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window
1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates
-
diff --git a/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md b/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md
index 601e29153a..8ba241a5c8 100644
--- a/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md
+++ b/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md
@@ -1,5 +1,5 @@
---
-ms.date: 01/23/2023
+ms.date: 12/15/2023
ms.topic: include
---
@@ -10,29 +10,18 @@ Windows clients communicate with AD FS via HTTPS. To meet this need, a *server a
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
1. Open the **Certification Authority** management console
-1. Right-click **Certificate Templates** and select **Manage**
+1. Right-click **Certificate Templates > Manage**
1. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and select **Duplicate Template**
-1. On the **Compatibility** tab:
- - Clear the **Show resulting changes** check box
- - Select **Windows Server 2016** from the **Certification Authority** list
- - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
-1. On the **General** tab:
- - Type *Internal Web Server* in **Template display name**
- - Adjust the validity and renewal period to meet your enterprise's needs
- > [!NOTE]
- > If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
-1. On the **Request Handling** tab, select **Allow private key to be exported**
-1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected
-1. On the **Security** tab:
- - Select **Add**
- - Type **Domain Computers** in the **Enter the object names to select** box
- - Select **OK**
- - Select the **Allow** check box next to the **Enroll** permission
-1. On the **Cryptography** tab:
- - Select **Key Storage Provider** from the **Provider Category** list
- - Select **RSA** from the **Algorithm name** list
- - Type *2048* in the **Minimum key size** text box
- - Select **SHA256** from the **Request hash** list
- - Select **OK**
-1. Close the console
+1. Use the following table to configure the template:
+ | Tab Name | Configurations |
+ | --- | --- |
+ | *Compatibility* | - Clear the **Show resulting changes** check box
- Select **Windows Server 2016** from the *Certification Authority list*
- Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*
|
+ | *General* | - Specify a **Template display name**, for example *Internal Web Server*
- Set the validity period to the desired value
- Take note of the template name for later, which should be the same as the Template display name minus spaces
|
+ | *Request Handling* | Select **Allow private key to be exported** |
+ | *Subject Name* | Select **Supply in the request**|
+ |*Security*|Add **Domain Computers** with **Enroll** access|
+ |*Cryptography*|- Set the *Provider Category* to **Key Storage Provider**
- Set the *Algorithm name* to **RSA**
- Set the *minimum key size* to **2048**
- Set the *Request hash* to **SHA256**
|
+
+1. Select **OK** to finalize your changes and create the new template
+1. Close the console
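Review bot: The *Security* row grants **Domain Computers** the **Enroll** permission on a template that also sets **Supply in the request** and **Allow private key to be exported**, so any domain-joined computer can request a server authentication certificate for a name of its choosing. The old steps had the same settings, but since the section is being rewritten, consider scoping Enroll to a group that contains only the AD FS servers and adding a sentence on why key export is needed. As in dc-certificate-template.md, *Certification Recipient list* replaces the removed **Certificate Recipient** label and should be reverted to match the console.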
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 6afe1b2b78..aabdeffe0d 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -70,8 +70,6 @@ items:
items:
- name: Overview
href: hello-deployment-key-trust.md
- - name: Validate Active Directory prerequisites
- href: hello-key-trust-validate-ad-prereq.md
- name: Configure and validate the PKI
href: hello-key-trust-validate-pki.md
- name: Prepare and deploy Active Directory Federation Services (AD FS)
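Review bot: This hunk removes the TOC entry for `hello-key-trust-validate-ad-prereq.md` under the item whose overview is `hello-deployment-key-trust.md`, but the file deleted by this patch is `hello-cert-trust-validate-ad-prereq.md`. The key trust page is not deleted here, so it would be left out of the TOC while still published, and no cert trust TOC entry is touched. Confirm which entry was meant to go, and make sure no entry still points at the deleted cert trust file.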