From ad7c23fb423ad6dd25f8a3a9b3c5ebbad27df06c Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Tue, 12 Oct 2021 18:01:36 -0700 Subject: [PATCH] adding new message around WHFB cloud trust --- .../hello-for-business/hello-deployment-guide.md | 5 ++++- .../identity-protection/hello-for-business/hello-faq.yml | 4 ++++ .../hello-for-business/hello-identity-verification.md | 5 ++++- .../identity-protection/hello-for-business/hello-overview.md | 3 +++ .../hello-for-business/hello-planning-guide.md | 3 +++ 5 files changed, 18 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 80a1ca91b3..4e7d1f7942 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -50,7 +50,10 @@ Do not begin your deployment until the hosting servers and infrastructure (not r ## Deployment and trust models -Windows Hello for Business has three deployment models: Cloud, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*. +Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*. + +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 735e563fb8..a11d68959d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -25,6 +25,10 @@ summary: | sections: - name: Ignored questions: + - question: What is Windows Hello for Business cloud trust? + answer: | + Windows Hello for Business cloud trust is a new trust model that is planned to be introduced in early 2022. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + - question: What about virtual smart cards? answer: | Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 3660d85201..26a25c7342 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -22,7 +22,7 @@ ms.date: 1/22/2021 This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business. -## Cloud Only Deployment +## Azure AD Cloud Only Deployment * Windows 10, version 1511 or later, or Windows 11 * Microsoft Azure Account @@ -35,6 +35,9 @@ This article lists the infrastructure requirements for the different deployment The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + | Key trust
Group Policy managed | Certificate trust
Mixed managed | Key trust
Modern managed | Certificate trust
Modern managed | | --- | --- | --- | --- | | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
*Minimum:* Windows 10, version 1703
*Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
**Azure AD Joined:**
Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index cd38c11105..b191dbc916 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -97,6 +97,9 @@ Windows Hello for Business can use either keys (hardware or software) or certifi Windows Hello for Business with a key does not support supplied credentials for RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + ## Learn more [Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/en-us/itshowcase/implementing-strong-user-authentication-with-windows-hello-for-business) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 617be85699..d0de57c65c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -95,6 +95,9 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](./hello-hybrid-cert-trust-prereqs.md#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.