From d8c909fe8a50a70bcc2f988f39da5a30cefd54b6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 27 Dec 2023 11:24:15 -0500 Subject: [PATCH] Remove deprecated Windows Hello for Business cloud Kerberos trust configuration and enrollment guide --- .../deploy/hybrid-cert-trust-pki.md | 11 +----- .../deploy/hybrid-cert-trust.md | 13 +------ .../hybrid-cloud-kerberos-trust-enroll.md | 9 ----- .../deploy/hybrid-cloud-kerberos-trust.md | 4 +- .../deploy/hybrid-key-trust-pki.md | 39 ++----------------- .../deploy/hybrid-key-trust.md | 9 +---- .../certificate-template-dc-hybrid-notes.md | 13 +++++++ .../deploy/includes/requirements.md | 8 ++++ .../deploy/on-premises-cert-trust.md | 14 ++++--- .../deploy/on-premises-key-trust.md | 14 ++++--- 10 files changed, 49 insertions(+), 85 deletions(-) delete mode 100644 windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-dc-hybrid-notes.md create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md index f2ec26a26f..f455a1b1ec 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md 
@@ -8,7 +8,7 @@ ms.topic: tutorial [!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)] -Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers. +Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *certificate trust* models. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers. Hybrid certificate trust deployments issue users a sign-in certificate, enabling them to authenticate to Active Directory using Windows Hello for Business credentials. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates. 
@@ -18,14 +18,7 @@ Hybrid certificate trust deployments issue users a sign-in certificate, enabling [!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)] -> [!NOTE] -> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices. - -> [!IMPORTANT] -> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to: -> -> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune -> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL +[!INCLUDE [dc-certificate-template-dc-hybrid-notes](includes/certificate-template-dc-hybrid-notes.md)] [!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md index 8133e7a96d..4d0a170a65 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md 
@@ -9,21 +9,10 @@ ms.topic: tutorial [!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)] -This deployment guide describes how to deploy Windows Hello for Business with a hybrid certificate trust model. - > [!IMPORTANT] > Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md). -## Prerequisites - -> [!div class="checklist"] -> The following prerequisites must be met for a hybrid certificate trust deployment: -> -> - Directories and directory synchronization -> - Federated authentication to Microsoft Entra ID -> - Device registration -> - Public Key Infrastructure -> - Multifactor authentication +[!INCLUDE [requirements](includes/requirements.md)] ### Directories and directory synchronization diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md deleted file mode 100644 index a6059aaf50..0000000000 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -title: Windows Hello for Business cloud Kerberos trust clients configuration and enrollment -description: Learn how to configure devices and enroll them in Windows Hello for Business in a cloud Kerberos trust scenario. -ms.date: 02/24/2023 -ms.topic: tutorial ---- -# Configure and provision Windows Hello for Business - cloud Kerberos trust - - diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md index 7936b03495..4d64d41ae5 100644 
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md @@ -9,9 +9,11 @@ ms.topic: tutorial [!INCLUDE [apply-to-hybrid-cloud-kerberos-trust](includes/apply-to-hybrid-cloud-kerberos-trust.md)] +[!INCLUDE [requirements](includes/requirements.md)] + ## Deployment steps -Once the prerequisites are met, deploying Windows Hello for Business cloud Kerberos trust consists of the following steps: +Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: > [!div class="checklist"] > diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md index c1ed39fdbd..bfaae41503 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md 
@@ -11,46 +11,17 @@ ms.topic: tutorial Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers. -Key trust deployments do not need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Microsoft Entra Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`). +Key trust deployments don't need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Microsoft Entra Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`). -A Windows Server-based PKI or a third-party Enterprise certification authority can be used. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA][SERV-1]. +A Windows Server-based PKI or a third-party Enterprise certification authority can be used. For more details, see [Requirements for domain controller certificates from a third-party CA][SERV-1]. -## Deploy an enterprise certification authority - -This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role.\ -If you don't have an existing PKI, review [Certification Authority Guidance][PREV-1] to properly design your infrastructure. 
Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy][PREV-2] for instructions on how to configure your PKI using the information from your design session. - -### Lab-based PKI - -The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**. - -Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed. - ->[!NOTE] ->Never install a certification authority on a domain controller in a production environment. - -1. Open an elevated Windows PowerShell prompt -1. Use the following command to install the Active Directory Certificate Services role. - ```PowerShell - Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools - ``` -1. Use the following command to configure the CA using a basic certification authority configuration - ```PowerShell - Install-AdcsCertificationAuthority - ``` +[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)] ## Configure the enterprise PKI [!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)] -> [!NOTE] -> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices. - -> [!IMPORTANT] -> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to: -> -> - Install the root CA certificate in the device's trusted root certificate store. 
See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune -> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL +[!INCLUDE [dc-certificate-template-dc-hybrid-notes](includes/certificate-template-dc-hybrid-notes.md)] [!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] @@ -98,5 +69,3 @@ Before moving to the next section, ensure the following steps are complete: [SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller -[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11) -[PREV-2]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11) diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md index 56e95c2266..508c6eee25 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md @@ -9,17 +9,10 @@ ms.topic: tutorial [!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)] -This deployment guide describes how to deploy Windows Hello for Business with a hybrid key trust model. - > [!IMPORTANT] > Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md). -## Prerequisites - -> [!div class="checklist"] ->The following prerequisites must be met for a hybrid key trust deployment: -> -> - Public Key Infrastructure +[!INCLUDE [requirements](includes/requirements.md)] ### Directories and directory synchronization 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-dc-hybrid-notes.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-dc-hybrid-notes.md new file mode 100644 index 0000000000..0666408272 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-dc-hybrid-notes.md @@ -0,0 +1,13 @@ +--- +ms.date: 12/15/2023 +ms.topic: include +--- + +> [!NOTE] +> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices. + +> [!IMPORTANT] +> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to: +> +> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune +> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md b/windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md new file mode 100644 index 0000000000..44228733ce --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md @@ -0,0 +1,8 @@ +--- +ms.date: 12/15/2023 +ms.topic: include +--- + +## Requirements + +Before starting the deployment, review the requirements described in the [Plan a Windows Hello for Business Deployment](../index.md) article. 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md index c6ab2f4fa5..777eb1b535 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md @@ -7,15 +7,17 @@ ms.topic: tutorial # On-premises certificate trust deployment guide -[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust.md)] +[!INCLUDE [requirements](includes/requirements.md)] -This deployment guide provides the information to deploy Windows Hello for Business with an on-premises certificate trust model. +## Deployment steps -There are three steps to complete this deployment: +Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: -1. [Validate and configure a PKI](on-premises-cert-trust-pki.md) -1. [Prepare and deploy AD FS with MFA](on-premises-cert-trust-adfs.md) -1. [Configure and enroll in Windows Hello for Business](on-premises-cert-trust-enroll.md) +> [!div class="checklist"] +> +> - [Validate and configure a PKI](on-premises-cert-trust-pki.md) +> - [Prepare and deploy AD FS with MFA](on-premises-cert-trust-adfs.md) +> - [Configure and enroll in Windows Hello for Business](on-premises-cert-trust-enroll.md) ## Create the Windows Hello for Business Users security group diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md index 45a004ed3c..4cbaff8963 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md 
@@ -9,13 +9,17 @@ ms.topic: tutorial [!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)] -This deployment guide provides the information to deploy Windows Hello for Business with an on-premises key trust model. +[!INCLUDE [requirements](includes/requirements.md)] -There are three steps to complete this deployment: +## Deployment steps -1. [Validate and configure a PKI](on-premises-key-trust-pki.md) -1. [Prepare and deploy AD FS with MFA](on-premises-key-trust-adfs.md) -1. [Configure and enroll in Windows Hello for Business](on-premises-key-trust-enroll.md) +Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: + +> [!div class="checklist"] +> +> - [Validate and configure a PKI](on-premises-key-trust-pki.md) +> - [Prepare and deploy AD FS with MFA](on-premises-key-trust-adfs.md) +> - [Configure and enroll in Windows Hello for Business](on-premises-key-trust-enroll.md) ## Create the Windows Hello for Business Users security group
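Review bot: In the hybrid-cert-trust-pki.md hunk at `@@ -8,7 +8,7 @@`, the rewritten sentence still ends in "when using the *certificate trust* models"; with *key trust* removed from the list the plural no longer makes sense. Suggest: `Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *certificate trust* model.`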
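Review bot: The include label in the hybrid-cert-trust-pki.md hunk at `@@ -18,14 +18,7 @@` (and on the matching line in hybrid-key-trust-pki.md) is `dc-certificate-template-dc-hybrid-notes`, which repeats `dc-` and doesn't match the new file's stem `certificate-template-dc-hybrid-notes.md`. Since the file is introduced in this same patch, suggest `[!INCLUDE [certificate-template-dc-hybrid-notes](includes/certificate-template-dc-hybrid-notes.md)]` so the label and path can be grepped together.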
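Review bot: In the hybrid-cert-trust.md hunk at `@@ -9,21 +9,10 @@`, the removed checklist enumerated five prerequisites (directories and directory synchronization, federated authentication to Microsoft Entra ID, device registration, PKI, multifactor authentication), while the `requirements.md` include that replaces it only points the reader at the planning article. Federated authentication is the one item that is specific to the certificate trust model and did not appear in the key trust guide's list, so confirm the planning article calls it out; otherwise that requirement silently disappears. Note also that the unchanged `### Directories and directory synchronization` subsection now sits under the include's `## Requirements` heading, which is the intended hierarchy but worth checking in the rendered page.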
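Review bot: The deletion of hybrid-cloud-kerberos-trust-enroll.md removes a published URL, but the file list in the patch header shows no redirection entry being added alongside it, so any TOC entry or inbound link to `hybrid-cloud-kerberos-trust-enroll.md` will break until one is added (the subject line calls the guide deprecated, so external bookmarks are likely). The deleted file itself held only front matter and a title, so dropping its content is fine.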
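Review bot: In the hybrid-cloud-kerberos-trust.md hunk at `@@ -9,9 +9,11 @@`, the new lead sentence reads "Once the prerequisites are met" while the include placed directly above it is headed `## Requirements`; the same wording is introduced in the on-premises-cert-trust.md and on-premises-key-trust.md hunks. Suggest "Once the requirements are met" in all three so the sentence matches the heading the reader just passed.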
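Review bot: The hybrid-key-trust-pki.md hunk at `@@ -11,46 +11,17 @@` replaces the inline lab PKI steps with `[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]`, but `includes/lab-based-pki-deploy.md` is not among the files this patch creates (only `certificate-template-dc-hybrid-notes.md` and `requirements.md` are), so it must already exist in the repo or the page will fail to build. Please also confirm the include preserves the two safeguards removed here: the "suitable **for a lab environment**" framing and the note "Never install a certification authority on a domain controller in a production environment", since running `Install-AdcsCertificationAuthority` on a production DC is exactly what that note guarded against. The second hunk's removal of the `[PREV-1]` and `[PREV-2]` link definitions is consistent, as their only references went with the deleted paragraph.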
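Review bot: The new includes/certificate-template-dc-hybrid-notes.md carries the note and important block over verbatim and so keeps two wording problems that will now be shared by both guides: "in domain controller certificate" is missing an article ("in the domain controller certificate"), and "ensure to:" should read "ensure that you:". Since the file is new in this patch, fixing it here avoids a follow-up touching two pages.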
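Review bot: The on-premises-cert-trust.md hunk at `@@ -7,15 +7,17 @@` deletes the `[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust.md)]` line and puts the requirements include in its place, whereas the parallel on-premises-key-trust.md hunk keeps its `apply-to-on-premises-key-trust` include as unchanged context and adds the requirements include below it. Unless dropping the "applies to" banner from the certificate trust guide is intended, restore that line and insert `[!INCLUDE [requirements](includes/requirements.md)]` after it, matching the key trust page.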