deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 20:33:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Major changes to the organizational flow

Browse Source 
Next Steps sytles
Step-by-step styles
Updated the TOC
This commit is contained in:
Mike Stephens
2017-09-04 14:39:03 -07:00
parent e62b650a96
commit c0fdd260fe
12 changed files with 165 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md
View File

@ -26,8 +26,7 @@ Windows Hello for Business involves configuring distributed technologies that ma
* [Active Directory Federation Services](#active-directory-federation-services)
New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If you're environment meets these needs, you can read the [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) section to learn about specific Windows Hello for Business configuration settings.
New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration.
The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. This document expects you have Active Directory deployed using Windows Server 2008 R2 or later domain controllers.
@ -91,38 +90,7 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h
> * Review the different ways to establish an Azure Active Directory tenant.
> * Create an Azure Active Directory Tenant.
> * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary.
#### Multiple Domains ####
Federating multiple, top-level domains with Azure AD requires some additional configuration that is not required when federating with one top-level domain.
For example, federating the top-level contoso.com domain requires no additional configuration. However, if Contoso Corporation acquires Fabrikam Corporation and wants to federate under Contoso.com, then additional configurations are needed because these are two top-level domains for contoso.com.
To configure your environment for multiple domains, follow the [Multiple Domain Support for Federating with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-multiple-domains) procedures.
#### Device Registration ####
With device management in Azure Active Directory (Azure AD), you can ensure that your users are accessing your resources from devices that meet your standards for security and compliance. For more details, see Introduction to device management in Azure Active Directory.
Use the [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) procedures to configure your environment to support device registration.
#### Device writeback ####
As previously mentioned, Windows Hello for Busines hybrid certificate- trust deployments that include domain joined computers use the device writeback feature to authenticate the device to the on-premises federation server.
Use the [Enabling device writeback](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-feature-device-writeback) section to configure device writeback functionality in your environment.
### Section Review
> [!div class="checklist"]
> * Federation Proxy Servers
> * Multiple top-level domains
> * Azure Device Registration
> * Device Writeback
## Multifactor Authentication Services ##
Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA
@ -159,8 +127,9 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
> * Understand the different User States and their effect on Azure Multifactor Authentication.
> * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server 2016 Active Directory Federation Services, if necessary.
### Next Steps ###
Follow the Windows Hello for Business hybrid certificate trust deployment guide. With your baseline configuration complete, your next step is to **Configure Windows Hello for Business** if your envirionment.
> [!div class="nextstepaction"]
> [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
<br><br>
<hr>
@ -169,5 +138,6 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide.
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
3. New Installation Baseline (*You are here*)
4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)

20
windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
View File

@ -15,9 +15,6 @@ localizationpriority: high
**Applies to**
- Windows 10
> [!div class="step-by-step"]
[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md)
>[!IMPORTANT]
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
@ -502,4 +499,19 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
- Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
- read/write access to the specified AD connector account name on the new object
- object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
- object of type msDS-DeviceRegistrationService in the above container
- object of type msDS-DeviceRegistrationService in the above container
[!div clas="nextstepaction"]
[Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
<br><br>
<hr>
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. Configure Azure Device Registration (*You are here*)
5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)

23
windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
View File

@ -18,7 +18,7 @@ localizationpriority: high
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
* [Directories](#directories)
@ -29,9 +29,9 @@ The distributed systems on which these technologies were built involved several
* [Device Registration](#device-registration)
## Directories ##
Hybrid Windows Hello for Business needs two directories: an on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain controller, domain functional level, and forest functional level for Windows Hello for Business deployment is Windows Server 2008 R2.
Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain controller, domain functional level, and forest functional level for Windows Hello for Business deployment is Windows Server 2008 R2.
A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, do not require Azure Active Directory premium subscription.
A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, may not require Azure Active Directory premium subscription.
Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema.
@ -111,7 +111,17 @@ Hybrid certificate trust deployments need the device write back feature. Authen
<br>
### Next Steps ###
Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the New Installation Basline. Choose Configure Windows Hello for Business if your envirionment is already federated with Azure and/or Office 365
Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**.
If your environment is already federated, but does not include Azure device registration, choose **Configure Azure Device Registration**.
If your environment is already federated and supports Azure device registration, choose **Configure Windows Hello for Business settings**.
> [!div class="op_single_selector"]
> - [New Installation Baseline](hello-hybrid-cert-new-install.md)
> - [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
> - [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
<br><br>
<hr>
@ -120,5 +130,6 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide.
1. [Overview](hello-hybrid-cert-trust.md)
2. Prerequistes (*You are here*)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)

6
windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md
View File

@ -30,9 +30,13 @@ The new deployment baseline helps organizations who are moving to Azure and Offi
This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
## Federated Baseline ##
The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Windows Hello for Business to an existing hybrid deployment.
The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment.
Regardless of the baseline you choose, youre next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
> [!div class="nextstepaction"]
> [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
<br><br>
<hr>

15
windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
View File

@ -49,7 +49,7 @@ The provisioning flow has all the information it needs to complete the Windows H
The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory.
> [!IMPORTANT]
> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has syncrhonized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use.
> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has synchronized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use.
> [!NOTE]
> Microsoft is actively investigating in ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time.
@ -60,6 +60,15 @@ The AD FS registration authority verifies the key used in the certificate reques
The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current users certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center.
<allset.png>
<br><br>
<hr>
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md)
6. Sign-in and Provision(*You are here*)

14
windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
View File

@ -17,7 +17,7 @@ ms.author: mstephen
>[!div class="step-by-step"]
[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md)
[ Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md)
[Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md)
The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema.
@ -62,15 +62,14 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva
> [!div class="checklist"]
> * Identify the schema role domain controller
> * Update the Active Directory Schema to Windows Server 2016
> * Create the KeyCredential Admins Security group, (optional)
> * Create the KeyCredential Admins Security group (optional)
> * Create the Windows Hello for Business Users group
>[!div class="step-by-step"]
[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md)
[ Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md)
[Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md)
<br>
<br><br>
<hr>
@ -78,5 +77,6 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. Configure Windows Hello for Business settings: Active Directory (*You are here*)
5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business settings: Active Directory (*You are here*)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)

21
windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
View File

@ -21,8 +21,8 @@ ms.author: mstephen
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
>[!div class="step-by-step"]
[ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md)
[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings-policy.md)
[< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
[Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md)
The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
@ -68,7 +68,17 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
10. Click **OK** to return to **Active Directory Users and Computers**.
11. Change to server hosting the AD FS role and restart it.
<br>
### Section Review
> [!div class="checklist"]
> * Configure the registration authority
> * Update group memberships for the AD FS service account
>[!div class="step-by-step"]
[< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
[Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md)
<br><br>
<hr>
@ -76,6 +86,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. Configure Windows Hello for Business settings (*You are here*)
5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business settings: AD FS (*You are here*)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)

19
windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
View File

@ -15,6 +15,10 @@ ms.author: mstephen
**Applies to**
- Windows 10
>[!div class="step-by-step"]
[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
## Directory Syncrhonization
>[!IMPORTANT]
@ -46,3 +50,18 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv
> [!div class="checklist"]
> * Configure Permissions for Key Synchronization
>[!div class="step-by-step"]
[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
<br><br>
<hr>
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business settings: Active Directory (*You are here*)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)

52
windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
View File

@ -17,8 +17,8 @@ ms.author: mstephen
- Windows 10
> [!div class="step-by-step"]
[< Configure Windows Hello for Business: Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
[ Configure Windows Hello for Business: ADFS >](hello-hybrid-cert-whfb-settings-adfs.md)
[< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md)
[Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md)
>[!IMPORTANT]
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
@ -47,15 +47,15 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise<EFBFBD>s needs.
**Note**If you use different template names, you<EFBFBD>ll need to remember and substitute these names in different portions of the lab.
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs.
**Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
8. Close the console.
#### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template
Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers<EFBFBD>the domain controller certificate template. Later releases provided a new certificate template<EFBFBD>the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later).
@ -79,7 +79,7 @@ The certificate template is configured to supersede all the certificate template
Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
Approximately 60 days prior to enrollment agent certificate<EFBFBD>s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
> [!IMPORTANT]
> Follow the procedures below based on the AD FS service account used in your environment.
@ -92,7 +92,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise<EFBFBD>s needs.
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
**Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
@ -111,14 +111,14 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise<EFBFBD>s needs.
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**.
9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
10. Close the console.
#### Creating Windows Hello for Business authentication certiicate template
### Creating Windows Hello for Business authentication certiicate template
During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring.
@ -128,8 +128,8 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq
2. Right-click **Certificate Templates** and click **Manage**.
3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise<EFBFBD>s needs.
**Note:** If you use different template names, you<EFBFBD>ll need to remember and substitute these names in different portions of the deployment.
5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
**Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box.
@ -145,17 +145,16 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq
Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials.
1. Open an elevated command prompt.
2. Run `certutil <EFBFBD>dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`
2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`
>[!NOTE]
>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It<EFBFBD>s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
Publish Templates
### Publish Certificate Templates to a Certificate Authority
The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
### Unpublish Superseded Certificate Templates
The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates.
@ -170,18 +169,22 @@ Sign-in to the certificate authority or management workstation with _Enterprise
4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
> [!div class="step-by-step"]
[< Configure Windows Hello for Business: Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
[ Configure Windows Hello for Business: ADFS >](hello-hybrid-cert-whfb-settings-adfs.md)
### Section Review
> [!div class="checklist"]
> * Domain Controller certificate template
> * Configure superseded domain controller certificate templates
> * Enrollment Agent certifcate template
> * Windows Hello for Business Authentication certificate template
> * Mark the certifcate template as Windows Hello for Business sign-in template
> * Publish Certificate templates to certificate authorities
> * Unpublish superseded certificate templates
> [!div class="step-by-step"]
[< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md)
[Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md)
<br>
<br><br>
<hr>
@ -189,6 +192,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. Configure Windows Hello for Business settings: PKI (*You are here*)
5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business settings: PKI (*You are here*)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)

45
windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
View File

@ -15,6 +15,10 @@ ms.author: mstephen
**Applies to**
- Windows 10
> [!div class="step-by-step"]
[< Configure AD FS](hello-hybrid-cert-whfb-settings-adfs.md)
## Policy Configuration
>[!IMPORTANT]
@ -174,21 +178,26 @@ Starting with Windows 10, version 1703, the PIN complexity Group Policy settings
Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Wwindows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business.
### Section Review
- [x] Active Directory
- [x] Public Key Infrastructure
- [x] Azure Active Directory
- [x] Directory Synchronization
- [x] Active Directory Federation Services
- [x] Federation Services
- [x] Federation Proxy Servers
- [x] Multiple top-level domains
- [x] Azure Device Registration
- [x] Device Writeback
- [x] Multifactor Authentication
- [x] Windows Hello for Business
- [x]Active Directory
- [x] Directory Synchronization
- [x] Public Key Infrastructure
- [x] Federation Services
- [x] Group Policy
- [ ] Sign-in and Provision
> [!div class="checklist"]
> * Configure domain controllers for automatic certificate enrollment.
> * Create Windows Hello for Business Group Policy object.
> * Enable the Use Windows Hello for Business policy setting.
> * Enable the Use certificate for on-premises authentication policy setting.
> * Enable user automatic certificate enrollment.
> * Add users or groups to the Windows Hello for Business group
> [!div class="nextstepaction"]
[Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
<br><br>
<hr>
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business policy settings (*You are here*)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)

7
windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
View File

@ -36,7 +36,7 @@ For the most efficent deployment, configure these technologies in order beginnin
> [!div class="step-by-step"]
[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md)
<br>
<br><br>
<hr>
@ -44,5 +44,6 @@ For the most efficent deployment, configure these technologies in order beginnin
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. Configure Windows Hello for Business settings (*You are here*)
5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business settings (*You are here*)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)

8
windows/access-protection/hello-for-business/toc.md
View File

@ -1,4 +1,4 @@
# [Windows Hello for Business](hello-identity-verification.md)
# [Windows Hello for Business](hello-identity-verification.md)
## [Windows Hello for Business Overview](hello-overview.md)
## [How Windows Hello for Business works](hello-how-it-works.md)
@ -14,7 +14,11 @@
## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md)
### [Hybrid Domain Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
#### [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
#### [New Installation Baseline](hello-hybrid-cert-new-install.md)
#### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
#### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md)
#### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
#### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
#### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)