deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 22:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

fix link customer issue 2789

Browse Source
This commit is contained in:
Jeanie Decker 2019-03-18 08:47:26 -07:00
parent 8a00ee239a
commit cb72afd052
1 changed files with 17 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
View File

@ -15,7 +15,7 @@ localizationpriority: medium
ms.date: 08/19/2018 ms.date: 08/19/2018
--- ---
# Windows Hello for Business Provisioning # Windows Hello for Business Provisioning
<span id="windows-hello-for-business-provisioning" />
**Applies to:** **Applies to:**
- Windows 10 - Windows 10
@ -24,14 +24,14 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
- The Windows Hello for Business deployment type - The Windows Hello for Business deployment type
- If the environment is managed or federated - If the environment is managed or federated
[Azure AD joined provisioning in a Managed environment](#Azure-AD-joined-provisioning-in-a-Managed-environment)<br> [Azure AD joined provisioning in a Managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)<br>
[Azure AD joined provisioning in a Federated environment](#Azure-AD-joined-provisioning-in-a-Federated-environment)<br> [Azure AD joined provisioning in a Federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)<br>
[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment](#Hybrid-Azure-AD-joined-provisioning-in-a-Key-Trust-deployment-in-a-Managed-envrionment)<br> [Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)<br>
[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#Hybrid-Azure-AD-joined-provisioning-in-a-Certificate-Trust-deployment-in-a-Managed-environment)<br> [Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)<br>
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#Hybrid-Azure-AD-joined-provisioning-in-a-synchronous-Certificate-Trust-deployment-in-a-Managed-environment)<br> [Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-managed-environment)<br>
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#Hybrid-Azure-AD-joined-provisioning-in-a-synchronous-Certificate-Trust-deployment-in-a-Federated-environment)<br> [Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)<br>
[Domain joined provisioning in an On-premises Key Trust deployment](#Domain-joined-provisioning-in-an-On-premises-Key-Trust-deployment)<br> [Domain joined provisioning in an On-premises Key Trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)<br>
[Domain joined provisioning in an On-premises Certificate Trust deployment](#Domain-joined-provisioning-in-an-On-premises-Certificate-Trust-deployment)<br> [Domain joined provisioning in an On-premises Certificate Trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment)<br>
@ -45,7 +45,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.| |C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.|
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Azure AD joined provisioning in a Federated environment ## Azure AD joined provisioning in a Federated environment
![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-federated.png) ![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-federated.png)
@ -55,7 +55,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| |B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.| |C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.|
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment ## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment
![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed ennvironment](images/howitworks/prov-haadj-keytrust-managed.png) ![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed ennvironment](images/howitworks/prov-haadj-keytrust-managed.png)
@ -71,7 +71,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment ## Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment
![Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-certtrust-managed.png) ![Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-certtrust-managed.png)
@ -89,7 +89,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
> The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. > The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory.
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment
![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-instant-certtrust-managed.png) ![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-instant-certtrust-managed.png)
@ -106,7 +106,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
> Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow. > Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow.
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment
![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Fedeerated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png) ![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Fedeerated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png)
@ -122,7 +122,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
> [!IMPORTANT] > [!IMPORTANT]
> Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow. > Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow.
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Domain joined provisioning in an On-premises Key Trust deployment ## Domain joined provisioning in an On-premises Key Trust deployment
![Domain joined provisioning in an On-premises Key Trust deployment](images/howitworks/prov-onprem-keytrust.png) ![Domain joined provisioning in an On-premises Key Trust deployment](images/howitworks/prov-onprem-keytrust.png)
@ -133,7 +133,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.| |C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Domain joined provisioning in an On-premises Certificate Trust deployment ## Domain joined provisioning in an On-premises Certificate Trust deployment
![Domain joined provisioning in an On-premises Certificate Trust deployment](images/howitworks/prov-onprem-certtrust.png) ![Domain joined provisioning in an On-premises Certificate Trust deployment](images/howitworks/prov-onprem-certtrust.png)
@ -147,4 +147,4 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.| |F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.|
|G | The application receives the newly issued certificate and installs it into the Personal store of the user. This signals the end of provisioning.| |G | The application receives the newly issued certificate and installs it into the Personal store of the user. This signals the end of provisioning.|
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)