deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-18 08:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-01-06 10:51:45 -05:00
parent e17ea59bcc
commit cc1df7fd1f
2 changed files with 26 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -2,25 +2,16 @@
metadata:
title: Windows Hello for Business Frequently Asked Questions (FAQ)
description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: windows-client
ms.technology: itpro-security
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection:
- highpri
ms.topic: faq
localizationpriority: medium
ms.date: 11/11/2022
ms.date: 01/06/2023
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
title: Windows Hello for Business Frequently Asked Questions (FAQ)
title: Common questions about Windows Hello for Business
summary: |
sections:
@ -137,18 +128,6 @@ sections:
answer: |
Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this article further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, consider un-enrolling from face authentication and only using PIN or fingerprint.
- name: Cloud Kerberos trust
questions:
- question: What is Windows Hello for Business cloud Kerberos trust?
answer: |
Windows Hello for Business *cloud Kerberos trust* is a **trust model** that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
- name: Features
questions:
- question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera?
@ -280,8 +259,25 @@ sections:
answer: |
Starting in Windows 10, version 1709, you can use multi-factor unlock to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
- name: Cloud Kerberos trust
questions:
- question: What is Windows Hello for Business cloud Kerberos trust?
answer: |
Windows Hello for Business *cloud Kerberos trust* is a **trust model** that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
- question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
answer: |
This feature doesn't work in a pure on-premises AD domain services environment.
- question: Does Windows Hello for Business cloud Kerberos trust work in a Windows sign-in with RODC present in the hybrid environment?
answer: |
Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work.
- question: Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
answer: |
Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when:
- a user signs-in for the first time or unlocks with Windows Hello for Business after provisioning.
- attempting to access on-premises resources secured by Active Directory.
- question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
answer: |
Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard][WIN-2] or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
- question: Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust?
answer: |
No, only the number necessary to handle the load from all cloud Kerberos trust devices.

23
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -238,28 +238,7 @@ If you encounter issues or want to share feedback about Windows Hello for Busine
## Frequently Asked Questions
### Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
This feature doesn't work in a pure on-premises AD domain services environment.
### Does Windows Hello for Business cloud Kerberos trust work in a Windows sign-in with RODC present in the hybrid environment?
Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work.
### Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when:
- a user signs-in for the first time or unlocks with Windows Hello for Business after provisioning.
- attempting to access on-premises resources secured by Active Directory.
### Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard][WIN-2] or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust?
No, only the number necessary to handle the load from all cloud Kerberos trust devices.
For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions][hello-faq.yml#cloud-kerberos-trust].
---