diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md index a684145a1d..6adbe43c94 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md @@ -1,5 +1,5 @@ --- -ms.date: 01/03/2024 +ms.date: 06/23/2024 ms.topic: include --- @@ -8,6 +8,8 @@ ms.topic: include Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option: - certificates + > [!NOTE] + > When using this option, the certificates must be deployed to the users. For example, users can use their smart card or virtual smart card as a certificate authentication option. - non-Microsoft authentication providers for AD FS - custom authentication provider for AD FS diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md index 766ebc53d4..8ae0f88a26 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md 
@@ -76,6 +76,7 @@ For detailed information about the certificate, use `Certutil -q -v [!div class="checklist"] > Before you continue with the deployment, validate your deployment progress by reviewing the following items: > +> - Configure an enrollment agent certificate template > - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template > - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance > - Confirm you properly configured the Windows Hello for Business authentication certificate template diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md index 69b6ebb9fd..20ea17f9cc 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md @@ -7,7 +7,6 @@ ms.topic: tutorial # On-premises certificate trust deployment guide - [!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)] [!INCLUDE [requirements](includes/requirements.md)] @@ -83,7 +82,6 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen > - Configure domain controller and web server certificate templates > - Supersede existing domain controller certificates > - Unpublish superseded certificate templates -> - Configure an enrollment agent certificate template > - Publish the certificate templates to the CA > - Deploy certificates to the domain controllers > - Validate the domain controllers configuration
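Review bot: In `includes/adfs-mfa.md` (hunk `@@ -8,6 +8,8 @@`), the new note under `- certificates` says "the certificates must be deployed to the users" without saying which certificates are meant or that they have to be in place before enrollment. The context line above it already states that MFA happens before enrolling, so the note could say so directly, for example "When using this option, user authentication certificates must already be deployed to the users before they enroll, for example on a smart card or virtual smart card." The `> [!NOTE]` block also sits between two list items. Indentation is not visible in this rendering of the patch, so check that the alert is indented under the `- certificates` bullet. Otherwise it ends the list and the two AD FS provider bullets start a new one.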
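Review bot: In `on-premises-cert-trust-adfs.md` (hunk `@@ -76,6 +76,7 @@`), the added item "Configure an enrollment agent certificate template" is phrased as a task, while the checklist is introduced with "validate your deployment progress by reviewing the following items" and its neighbours read "Confirm only the AD FS service account has..." and "Confirm you properly configured...". Rewording it to match, for example "Confirm you configured the enrollment agent certificate template", keeps the list a validation list. The diff for this file has only this hunk, so unlike `adfs-mfa.md` no `ms.date` is touched. If the front matter carries one, it should be updated with the content change.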
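Review bot: In `on-premises-cert-trust.md` (hunk `@@ -83,7 +82,6 @@`), dropping "Configure an enrollment agent certificate template" leaves "Publish the certificate templates to the CA" in this checklist, but the matching hunk in `on-premises-cert-trust-adfs.md` adds only the configure item. Please confirm the AD FS article also covers publishing the enrollment agent template to the CA, and add a checklist line there if it does. Otherwise a reader following the checklists in order has no reminder to publish a template that is now created after this publish step. This file's body changes also come without an `ms.date` change in the visible hunks.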