deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Remove deprecated Windows Hello for Business cloud Kerberos trust configuration and enrollment guide

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-12-27 11:24:15 -05:00
parent be56d61dfa
commit d8c909fe8a
10 changed files with 49 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
View File

@ -8,7 +8,7 @@ ms.topic: tutorial
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *certificate trust* models. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
Hybrid certificate trust deployments issue users a sign-in certificate, enabling them to authenticate to Active Directory using Windows Hello for Business credentials. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
@ -18,14 +18,7 @@ Hybrid certificate trust deployments issue users a sign-in certificate, enabling
[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
> [!NOTE]
> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
> [!IMPORTANT]
> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
>
> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
[!INCLUDE [dc-certificate-template-dc-hybrid-notes](includes/certificate-template-dc-hybrid-notes.md)]
[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]

13
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
View File

@ -9,21 +9,10 @@ ms.topic: tutorial
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
This deployment guide describes how to deploy Windows Hello for Business with a hybrid certificate trust model.
> [!IMPORTANT]
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md).
## Prerequisites
> [!div class="checklist"]
> The following prerequisites must be met for a hybrid certificate trust deployment:
>
> - Directories and directory synchronization
> - Federated authentication to Microsoft Entra ID
> - Device registration
> - Public Key Infrastructure
> - Multifactor authentication
[!INCLUDE [requirements](includes/requirements.md)]
### Directories and directory synchronization

9
windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
View File

@ -1,9 +0,0 @@
---
title: Windows Hello for Business cloud Kerberos trust clients configuration and enrollment
description: Learn how to configure devices and enroll them in Windows Hello for Business in a cloud Kerberos trust scenario.
ms.date: 02/24/2023
ms.topic: tutorial
---
# Configure and provision Windows Hello for Business - cloud Kerberos trust

4
windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
View File

@ -9,9 +9,11 @@ ms.topic: tutorial
[!INCLUDE [apply-to-hybrid-cloud-kerberos-trust](includes/apply-to-hybrid-cloud-kerberos-trust.md)]
[!INCLUDE [requirements](includes/requirements.md)]
## Deployment steps
Once the prerequisites are met, deploying Windows Hello for Business cloud Kerberos trust consists of the following steps:
Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
> [!div class="checklist"]
>

39
windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
View File

@ -11,46 +11,17 @@ ms.topic: tutorial
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
Key trust deployments do not need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Microsoft Entra Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`).
Key trust deployments don't need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Microsoft Entra Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`).
A Windows Server-based PKI or a third-party Enterprise certification authority can be used. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA][SERV-1].
A Windows Server-based PKI or a third-party Enterprise certification authority can be used. For more details, see [Requirements for domain controller certificates from a third-party CA][SERV-1].
## Deploy an enterprise certification authority
This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role.\
If you don't have an existing PKI, review [Certification Authority Guidance][PREV-1] to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy][PREV-2] for instructions on how to configure your PKI using the information from your design session.
### Lab-based PKI
The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**.
Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed.
>[!NOTE]
>Never install a certification authority on a domain controller in a production environment.
1. Open an elevated Windows PowerShell prompt
1. Use the following command to install the Active Directory Certificate Services role.
```PowerShell
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
```
1. Use the following command to configure the CA using a basic certification authority configuration
```PowerShell
Install-AdcsCertificationAuthority
```
[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
## Configure the enterprise PKI
[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
> [!NOTE]
> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
> [!IMPORTANT]
> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
>
> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
[!INCLUDE [dc-certificate-template-dc-hybrid-notes](includes/certificate-template-dc-hybrid-notes.md)]
[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
@ -98,5 +69,3 @@ Before moving to the next section, ensure the following steps are complete:
<!--links-->
[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)
[PREV-2]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)

9
windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
View File

@ -9,17 +9,10 @@ ms.topic: tutorial
[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
This deployment guide describes how to deploy Windows Hello for Business with a hybrid key trust model.
> [!IMPORTANT]
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md).
## Prerequisites
> [!div class="checklist"]
>The following prerequisites must be met for a hybrid key trust deployment:
>
> - Public Key Infrastructure
[!INCLUDE [requirements](includes/requirements.md)]
### Directories and directory synchronization

13
windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-dc-hybrid-notes.md Normal file
View File

@ -0,0 +1,13 @@
---
ms.date: 12/15/2023
ms.topic: include
---
> [!NOTE]
> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
> [!IMPORTANT]
> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
>
> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL

8
windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md Normal file
View File

@ -0,0 +1,8 @@
---
ms.date: 12/15/2023
ms.topic: include
---
## Requirements
Before starting the deployment, review the requirements described in the [Plan a Windows Hello for Business Deployment](../index.md) article.

14
windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
View File

@ -7,15 +7,17 @@ ms.topic: tutorial
# On-premises certificate trust deployment guide
[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust.md)]
[!INCLUDE [requirements](includes/requirements.md)]
This deployment guide provides the information to deploy Windows Hello for Business with an on-premises certificate trust model.
## Deployment steps
There are three steps to complete this deployment:
Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
1. [Validate and configure a PKI](on-premises-cert-trust-pki.md)
1. [Prepare and deploy AD FS with MFA](on-premises-cert-trust-adfs.md)
1. [Configure and enroll in Windows Hello for Business](on-premises-cert-trust-enroll.md)
> [!div class="checklist"]
>
> - [Validate and configure a PKI](on-premises-cert-trust-pki.md)
> - [Prepare and deploy AD FS with MFA](on-premises-cert-trust-adfs.md)
> - [Configure and enroll in Windows Hello for Business](on-premises-cert-trust-enroll.md)
## Create the Windows Hello for Business Users security group

14
windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
View File

@ -9,13 +9,17 @@ ms.topic: tutorial
[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
This deployment guide provides the information to deploy Windows Hello for Business with an on-premises key trust model.
[!INCLUDE [requirements](includes/requirements.md)]
There are three steps to complete this deployment:
## Deployment steps
1. [Validate and configure a PKI](on-premises-key-trust-pki.md)
1. [Prepare and deploy AD FS with MFA](on-premises-key-trust-adfs.md)
1. [Configure and enroll in Windows Hello for Business](on-premises-key-trust-enroll.md)
Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
> [!div class="checklist"]
>
> - [Validate and configure a PKI](on-premises-key-trust-pki.md)
> - [Prepare and deploy AD FS with MFA](on-premises-key-trust-adfs.md)
> - [Configure and enroll in Windows Hello for Business](on-premises-key-trust-enroll.md)
## Create the Windows Hello for Business Users security group