From d47f97b297100393ffa5d7ace9f65662c275bd74 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 24 Sep 2019 14:05:35 +0500 Subject: [PATCH 1/5] Note addition Now onwards as MFA will only work with Azure, I have added the note. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4872 --- .../hello-for-business/hello-planning-guide.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 2ff12340f3..14ea8250f8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -81,7 +81,7 @@ The key trust type does not require issuing authentication certificates to end u The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. >[!NOTE] ->RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this tim +>RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this time. #### Device registration @@ -93,6 +93,9 @@ The built-in Windows Hello for Business provisioning experience creates a hardwa #### Multifactor authentication +> [!IMPORTANT] +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details. + The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). From 4dd51dbde599c19cf9ee874dfc7ce751758830fd Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 24 Sep 2019 17:41:22 +0500 Subject: [PATCH 2/5] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 14ea8250f8..9e82ff0b4f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -81,7 +81,7 @@ The key trust type does not require issuing authentication certificates to end u The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. >[!NOTE] ->RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this time. +> RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this time. #### Device registration From 690c3b3b5b70ec05dab686d119b8f9615270c38d Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 24 Sep 2019 17:41:33 +0500 Subject: [PATCH 3/5] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 9e82ff0b4f..6754b12265 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -80,7 +80,7 @@ The key trust type does not require issuing authentication certificates to end u The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. ->[!NOTE] +> [!NOTE] > RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this time. #### Device registration From ad8311c9137f34db256eb7de2d2ef99842ede2ee Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 25 Sep 2019 21:51:33 +0500 Subject: [PATCH 4/5] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 6754b12265..ce5b9697d9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -94,7 +94,7 @@ The built-in Windows Hello for Business provisioning experience creates a hardwa #### Multifactor authentication > [!IMPORTANT] -> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details. +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details. The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. From cfbe2b0d2a3b40db488321af0088e1b0c803b0d4 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 25 Sep 2019 21:51:53 +0500 Subject: [PATCH 5/5] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index ce5b9697d9..ce4b3fa6f0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -81,7 +81,7 @@ The key trust type does not require issuing authentication certificates to end u The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. > [!NOTE] -> RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this time. +> RDP does not support authentication with Windows Hello for Business key trust deployments. RDP is only supported with certificate trust deployments at this time. #### Device registration