From eb305abc4fb5839491be690429c9c729fc5329c9 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 6 Nov 2017 23:33:36 +0000 Subject: [PATCH 1/5] Merged PR 4338: Merge ms-whfb-staging to whfb-staging Corrections for Hybrid Cert trust deployment guide --- .../hello-for-business/hello-deployment-guide.md | 2 +- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- .../hello-hybrid-cert-whfb-settings-policy.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md index c202596cd4..35ca37be84 100644 --- a/windows/access-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md @@ -28,7 +28,7 @@ This deployment guide is to guide you through deploying Windows Hello for Busine This guide assumes a baseline infrastructure exists that meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have: * A well-connected, working network * Internet access - * Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning +* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning * Proper name resolution, both internal and external names * Active Directory and an adequate number of domain controllers per site to support authentication * Active Directory Certificate Services 2012 or later diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 7c56e7ded8..0aafbf488a 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -23,7 +23,7 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastucture](#public-key-infastructure) +* [Public Key Infrastucture](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) * [MultiFactor Authetication](#multifactor-authentication) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index d7f825257f..6c59f37b66 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -133,7 +133,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 10. On the **Request Handling** tab, select the **Renew with same key** check box. 11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. -12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. 13. 
If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. 14. Click on the **Apply** to save changes and close the console. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 342e42b0d0..5b1f2a3188 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -108,7 +108,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. 4. In the navigation pane, expand **Policies** under **User Configuration**. 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. -6. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**. +6. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**. 7. Select **Enabled** from the **Configuration Model** list. 8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. 9. Select the **Update certificates that use certificate templates** check box. From c747cb2cbd24f202492274dc8eecb15fd65b9b1a Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Fri, 17 Nov 2017 15:17:39 -0800 Subject: [PATCH 2/5] minor updates --- ...requirements-windows-defender-advanced-threat-protection.md | 2 +- ...cs-dashboard-windows-defender-advanced-threat-protection.md | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 283ce4a02b..e8200e9584 100644 --- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -66,7 +66,7 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t > Endpoints that are running mobile versions of Windows are not supported. #### Internet connectivity -Internet connectivity on endpoints is required. +Internet connectivity on endpoints is required either directly or through proxy. The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data. diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md index 7eaf489912..f8b9b55c33 100644 --- a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md 
@@ -29,6 +29,9 @@ ms.date: 10/17/2017 The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. +>[!IMPORTANT] +> This feature is available for machines on Windows 10, version 1703 or later. + The **Security analytics dashboard** displays a snapshot of: - Organizational security score - Security coverage From 5691d0bd08fb3b3c11fb4b17bc40f26dd3b6a7dd Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 17 Nov 2017 23:20:02 +0000 Subject: [PATCH 3/5] Merged PR 4582: Experience/AllowManualMDMUnenrollment in Policy CSP --- windows/client-management/mdm/policy-csp-experience.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 646d49acd0..df796d96ca 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -314,7 +314,7 @@ ms.date: 11/01/2017 -

Specifies whether to allow the user to delete the workplace account using the workplace control panel. +

Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g. auto-enrolled), which is majority of the case for Intune, then disabling the MDM unenrollment has no effect. > [!NOTE] > The MDM server can always remotely delete the account. From b6b450b02fbe7bd578d22c4cf6105ae6f895e3a6 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 17 Nov 2017 23:20:56 +0000 Subject: [PATCH 4/5] Merged PR 4581: Updated Policy CSP --- ...ew-in-windows-mdm-enrollment-management.md | 51 +++++- .../policy-configuration-service-provider.md | 15 ++ .../mdm/policy-csp-authentication.md | 9 +- .../mdm/policy-csp-cellular.md | 167 +++++++++++++++++- .../client-management/mdm/policy-csp-start.md | 38 ++++ 5 files changed, 267 insertions(+), 13 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index b3c6da87b5..c74bbd6838 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1029,6 +1029,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s

  • Authentication/AllowFidoDeviceSignon
  • Browser/LockdownFavorites
  • Browser/ProvisionFavorites
  • +
  • Cellular/LetAppsAccessCellularData
  • +
  • Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
  • +
  • Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
  • +
  • Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
  • CredentialProviders/DisableAutomaticReDeploymentCredentials
  • DeviceGuard/EnableVirtualizationBasedSecurity
  • DeviceGuard/RequirePlatformSecurityFeatures
  • @@ -1081,6 +1085,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • Education/PrinterNames
  • Search/AllowCloudSearch
  • Security/ClearTPMIfNotReady
  • +
  • Start/HidePeopleBar
  • Storage/AllowDiskHealthModelUpdates
  • System/LimitEnhancedDiagnosticDataWindowsAnalytics
  • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
  • @@ -1377,6 +1382,44 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### November 2017 + + ++++ + + + + + + + + + + + +
    New or updated topicDescription
    [Policy CSP](policy-configuration-service-provider.md)

    Added the following policies for Windows 10, version 1709:

    +
      +
    • Authentication/AllowFidoDeviceSignon
    • +
    • Cellular/LetAppsAccessCellularData
    • +
    • Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
    • +
    • Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
    • +
    • Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
    • +
    • Start/HidePeopleBar
    • +
    • Storage/EnhancedStorageDevices
    • +
    • Update/ManagePreviewBuilds
    • +
    • WirelessDisplay/AllowMdnsAdvertisement
    • +
    • WirelessDisplay/AllowMdnsDiscovery
    • +
    +

    Added missing policies from previous releases:

    +
      +
    • Connectivity/DisallowNetworkConnectivityActiveTest
    • +
    • Search/AllowWindowsIndexer
    • +
    +
    + ### October 2017 @@ -1402,14 +1445,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Defender/ControlledFolderAccessAllowedApplications - string separator is |.
  • Defender/ControlledFolderAccessProtectedFolders - string separator is |.
  • -

    Added the following policies for Windows 10, version 1709:

    -
      -
    • Authentication/AllowFidoDeviceSignon
    • -
    • Storage/EnhancedStorageDevices
    • -
    • Update/ManagePreviewBuilds
    • -
    • WirelessDisplay/AllowMdnsAdvertisement
    • -
    • WirelessDisplay/AllowMdnsDiscovery
    • -
    diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 7a0a83df92..4c4c7bab91 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -532,6 +532,18 @@ The following diagram shows the Policy configuration service provider in tree fo ### Cellular policies
    +
    + Cellular/LetAppsAccessCellularData +
    +
    + Cellular/LetAppsAccessCellularData_ForceAllowTheseApps +
    +
    + Cellular/LetAppsAccessCellularData_ForceDenyTheseApps +
    +
    + Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps +
    Cellular/ShowAppCellularAccessUI
    @@ -2584,6 +2596,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Start/HideLock
    +
    + Start/HidePeopleBar +
    Start/HidePowerButton
    diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 14c360f83a..6a21929f0c 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/01/2017 +ms.date: 11/16/2017 --- # Policy CSP - Authentication @@ -204,16 +204,17 @@ ms.date: 11/01/2017 -

    Added in Windows 10, version 1709. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. +

    Preview release in Windows 10, version 1709. Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0 +

    Value type is integer. + +

    Here is an example scenario: At Contoso, there are a lot of shared devices and kiosks that employees throughout the day using as many as 20 different devices. To minimize the loss in productivity when employees have to login with username and password everytime they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs.

    The following list shows the supported values: - 0 - Do not allow. The FIDO device credential provider disabled.  - 1 - Allow. The FIDO device credential provider is enabled and allows usage of FIDO devices to sign into an Windows. -

    Value type is integer. -


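Review bot: the new lines say `Preview release in Windows 10, version 1709. Supported in the next release.` while the change-history entry in this same PR lists Authentication/AllowFidoDeviceSignon under `Added the following policies for Windows 10, version 1709`; make the two agree on whether 1709 is preview or supported. Also in the added text: `for FIDO 2.0` is missing its full stop; in the example scenario, `employees throughout the day using as many as 20 different devices` has no main verb (`employees use as many as 20 different devices throughout the day`), `everytime` should be `every time`, `login` as a verb should be `log in`, and `SharePC CSP` should be `SharedPC CSP`. The retained context line `to sign into an Windows` should read `to sign in to Windows`.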
    diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 250e605bc9..b070a9305e 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/01/2017 +ms.date: 11/16/2017 --- # Policy CSP - Cellular @@ -19,11 +19,166 @@ ms.date: 11/01/2017 ## Cellular policies
    +
    + Cellular/LetAppsAccessCellularData +
    +
    + Cellular/LetAppsAccessCellularData_ForceAllowTheseApps +
    +
    + Cellular/LetAppsAccessCellularData_ForceDenyTheseApps +
    +
    + Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps +
    Cellular/ShowAppCellularAccessUI
    +
    + +**Cellular/LetAppsAccessCellularData** + + +
    [eUICCs CSP](euiccs-csp.md)
    + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. This policy setting specifies whether Windows apps can access cellular data. + +You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting. + +If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device. + +If you choose the "Force Allow" option, Windows apps are allowed to access cellular data and employees in your organization cannot change it. + +If you choose the "Force Deny" option, Windows apps are not allowed to access cellular data and employees in your organization cannot change it. + +If you disable or do not configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device. + +If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.” + +Suported values: + +- 0 - User is in control +- 1 - Force Allow +- 2 - Force Deny + + + +
    + +**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + + +
    + +**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + + +
    + +**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + +
    **Cellular/ShowAppCellularAccessUI** @@ -61,6 +216,16 @@ ms.date: 11/01/2017 +This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX. + +If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page. + +If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default.” + +Supported values: + +- 0 - Hide +- 1 - Show > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 8ab24a2ad2..d3392ef73f 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -67,6 +67,9 @@ ms.date: 11/01/2017
    Start/HideLock
    +
    + Start/HidePeopleBar +
    Start/HidePowerButton
    @@ -901,6 +904,41 @@ ms.date: 11/01/2017 1. Enable policy. 2. Open Start, click on the user tile, and verify "Lock" is not available. + + +
    + +**Start/HidePeopleBar** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + + +

    Added in Windows 10, version 1709. Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. + +

    Value type is integer. +


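Review bot: Start/HidePeopleBar says `Value type is integer` but, unlike the other Start policies on this page, lists no supported values, so the reader cannot tell which integer enables the policy; add the supported values and their meanings directly under `Value type is integer.` as the other policies in this PR do.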
    From 9dc799cdab92c2a9364a3bdee644b0aa27f82463 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Fri, 17 Nov 2017 23:24:26 +0000 Subject: [PATCH 5/5] Merged PR 4397: Merge ms-whfb-staging to whfb-staging Updates and then please push to master --- .../access-protection/hello-for-business/hello-features.md | 6 +++--- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 4 ++-- windows/access-protection/hello-for-business/toc.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-features.md b/windows/access-protection/hello-for-business/hello-features.md index 2e4ae4c446..af73b147d6 100644 --- a/windows/access-protection/hello-for-business/hello-features.md +++ b/windows/access-protection/hello-for-business/hello-features.md @@ -19,7 +19,7 @@ Consider these additional features you can use after your organization deploys W * [Conditional access](#conditional-access) * [Dynamic lock](#dynamic-lock) * [PIN reset](#PIN-reset) -* [Privileged workstation](#Priveleged-workstation) +* [Privileged credentials](#Priveleged-crednetials) * [Mulitfactor Unlock](#Multifactor-unlock) 
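Review bot: the new anchor `#Priveleged-crednetials` is misspelled twice and will not resolve anyway: the heading this PR renames is `## Privileged Credentials`, which renders as `#privileged-credentials`, so the list item should be `* [Privileged credentials](#privileged-credentials)`. The context line `* [Mulitfactor Unlock](#Multifactor-unlock)` has the same problem (`Multifactor`, and the generated anchor is lowercase).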
@@ -142,14 +142,14 @@ On-premises deployments provide users with the ability to reset forgotton PINs e >[!NOTE] > Visit the [Frequently Asked Questions](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification#frequently-asked-questions) section of the Windows Hello for Business page and watch the **What happens when the user forgets their PIN?** video. -## Privileged Workstation +## Privileged Credentials **Requirements** * Hybrid and On-premises Windows Hello for Business deployments * Domain Joined or Hybird Azure joined devices * Windows 10, version 1709 -The privileged workstation scenario enables administrators to perform elevated, admistrative funcions by enrolling both their non-privileged and privileged credentials on their device. +The privileged credentials scenario enables administrators to perform elevated, admistrative funcions by enrolling both their non-privileged and privileged credentials on their device. By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, Allow enumeration of emulated smartd card for all users, you can configure a device to all this enumeration on selected devices. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 0bd7c0a3b1..552c519832 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -81,7 +81,7 @@ Organizations using older directory synchronization technology, such as DirSync
    ## Federation with Azure ## -You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated envionments, key trust deployments work in environments that have deployed [Password Syncrhonization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated envirnonments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. +You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. ### Section Review ### > [!div class="checklist"] @@ -91,7 +91,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
    ## Multifactor Authentication ## -Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication. +Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor, but needs a second factor of authentication. Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md index 5a8d5dd5c3..81267549c1 100644 --- a/windows/access-protection/hello-for-business/toc.md +++ b/windows/access-protection/hello-for-business/toc.md @@ -43,4 +43,4 @@ ##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md) #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) -## [Windows Hello for Businesss Feature](hello-features.md) \ No newline at end of file +## [Windows Hello for Business Features](hello-features.md) \ No newline at end of file
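Review bot: in the hello-hybrid-cert-trust-prereqs.md hunk the `+` line corrects only the anchor fragment (`#public-key-infrastructure`); the visible link text still reads `Public Key Infrastucture`, so the reader sees the typo and the fix is half done. Suggest `* [Public Key Infrastructure](#public-key-infrastructure)`, and while the file is open, the context line `* [MultiFactor Authetication](#multifactor-authentication)` wants `Authentication` too.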
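Review bot: in step 12 of hello-hybrid-cert-whfb-settings-pki.md the new line names the permission `AutoEnroll` for the Windows Hello for Business Users group and `Autoenroll` for every other entry in the same sentence; the certificate template Security tab labels it `Autoenroll`, so use that spelling in both places. This step is the one that decides which principals can obtain the sign-in certificate (Read, Enroll and Autoenroll allowed only for the group, Enroll and Autoenroll cleared for everyone else), so the group name in the step 11 context line, `Window Hello for Business Users`, should also be corrected, since it is what the reader types into the object picker.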
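Review bot: the `�` in step 6 of hello-hybrid-cert-whfb-settings-policy.md is a dash that was saved in the wrong encoding, and the plain hyphen in the new line is the safe replacement; please also confirm the file is saved as UTF-8 so the character does not come back on the next edit. In the step 8 context line, `check box` should be `check boxes`, since it names three.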
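Review bot: `through proxy` in the new line of minimum-requirements-windows-defender-advanced-threat-protection.md should be `through a proxy`, and since this is the first place the page admits proxied connectivity, the sentence should link to the topic that explains how the sensor's proxy is configured; otherwise a reader cannot tell whether a per-user or authenticated proxy satisfies the requirement. In the following context line, `up to 5MB daily of bandwidth` reads better as `up to 5 MB of bandwidth per day`.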
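Review bot: `which is majority of the case for Intune` in the new line of policy-csp-experience.md should read `which is the majority of cases for Intune`, and `(e.g. auto-enrolled)` should be `(for example, auto-enrolled)`. The substantive point, `disabling the MDM unenrollment has no effect`, is ambiguous: state whether on an Azure AD joined, auto-enrolled device the user can still remove the account through the workplace control panel, or whether the option simply does not apply because there is no separately deletable workplace account; an admin relying on this policy to keep devices managed needs that answer.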
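Review bot: the LetAppsAccessCellularData description in policy-csp-cellular.md is pasted from the ADMX help text: `If you disable or do not configure this policy setting` and, under ShowAppCellularAccessUI, `If this policy setting is enabled, a drop-down list box presenting possible values will be active` describe the Group Policy editor, not an MDM integer; rewrite both in terms of the values (0, user in control, is also the not-configured behaviour) and drop the stray closing quote `”` left at the end of both paragraphs. Other fixes in the added text: `Suported values` to `Supported values`, `is showed by default` to `is shown by default`, `Windows Store Apps` in _UserInControlOfTheseApps against `Microsoft Store Apps` in the other two lists, and `Get-AppPackage` is only an alias, so name the cmdlet as `Get-AppxPackage` and the `PackageFamilyName` property it returns. Because each of the three per-app lists claims to override the default, the page should also say what happens when the same Package Family Name appears in more than one list.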
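Review bot: the new line in the Privileged Credentials section of hello-features.md carries `admistrative funcions` over from the old text; fix to `administrative functions`. The surrounding context has `Hybird Azure joined`, `emulated smartd card`, and `to all this enumeration` (should be `to allow this enumeration`). Since the section tells readers to turn on `Allow enumeration of emulated smart card for all users` only on selected devices, one sentence on why it should stay limited to those devices would make the guidance easier to follow.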
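Review bot: the new line in the Multifactor Authentication section of hello-hybrid-key-trust-prereqs.md fixes the stray full stop but keeps `a strong, two-factor credential the helps organizations`; it should be `that helps`. The following context paragraph has `multifactor authentication provides by Windows Server 2012 R2` (`provided by`).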