Update Windows Hello for Business provisioning process

Paolo Matarazzo 2024-01-09 16:16:27 -05:00
parent 0a8327817b
commit d951cff515
4 changed files with 24 additions and 12 deletions

@ -9,4 +9,4 @@ After a user signs in, the Windows Hello for Business enrollment process begins:
1. The user is prompted to use Windows Hello with the organization account. The user selects **OK**
1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and access their desktop.
1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and access their desktop
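Review bot: the rewritten last step still says "use their PIN to sign-in"; as a verb this should be "sign in" (the hyphenated form is the noun), so suggest changing the new line to "...informs the user they can use their PIN to sign in". Dropping the trailing period is consistent with the other items, which also end without punctuation.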

@ -105,15 +105,22 @@ The first step in the usage of Windows Hello is setting up a *container*. A Wind
> [!NOTE]
> There are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials that Windows Hello stores, are protected without the creation of actual containers or folders.
:::row:::
:::column:::
Windows Hello provisioning is triggered once device registration completes, and after the device receives a policy that enables Windows Hello. If all the prerequisites are met, a Cloud eXperience Host (CXH) window is launched to take the user through the Windows Hello provisioning flow.
:::column-end:::
:::column:::
:::image type="content" source="images/howitworks/cxh-provision.png" alt-text="Screenshot of the Cloud Experience Host prompting the user to provision Windows Hello." border="false":::
:::column-end:::
:::row-end:::
> [!NOTE]
> The list of prerequisites varies depending on the deployment type, as described in the article [Plan a Windows Hello for Business deployment](deploy/index.md).
:::image type="content" source="images/howitworks/cxh-provision.png" alt-text="Screenshot of the Cloud Experience Host prompting the user to provision Windows Hello." border="false":::
Here are the steps involved with the provisioning phase:
:::row:::
:::column:::
1. In the CXH window, the user is prompted to authenticate to the IdP with MFA
1. After successful MFA, the user must provide a bio gesture (if available), and a PIN
1. After the PIN confirmation, the Windows Hello container is created
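Review bot: the screenshot `images/howitworks/cxh-provision.png` appears twice in this hunk, once inside the new `:::row:::`/`:::column:::` block and once as a standalone `:::image:::` line after the second `[!NOTE]`; confirm the standalone copy is the line being removed rather than kept, otherwise the rendered page shows the same image twice. Also, the numbered steps open inside a `:::column:::` here but the list continues into the next hunk, so the `:::column-end:::` and `:::row-end:::` there must stay paired with this opening block.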
@ -122,6 +129,11 @@ Here are the steps involved with the provisioning phase:
1. The public key is registered with the IdP, mapped to the user account
1. The Device Registration Service writes the key to the user object in Microsoft Entra ID
1. For on-premises scenarios, AD FS writes the key is written to Active Directory
:::column-end:::
:::column:::
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
:::column-end:::
:::row-end:::
### Key registration details
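Review bot: the context line "For on-premises scenarios, AD FS writes the key is written to Active Directory" has a stray "is written" left over from an earlier rewording; it should read "For on-premises scenarios, AD FS writes the key to Active Directory". It is unchanged context in this hunk, but since the change already touches this list, suggest folding the fix in rather than leaving the garbled sentence next to the new video column.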

Two binary image files changed (761 KiB and 758 KiB); binary contents not shown.