deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 04:13:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update hello-hybrid-cloud-kerberos-trust-provision.md

Browse Source 
Lines 17-18, 36, 48-51, 61-74, 89-93, 131-136, 161-163, 175-177, 191-195: Add periods to the sentences.
Line 79: Add "This image shows the" to the alt-text
Lines 94-100: Reformat single col table as a list
Line 104: Reformat image with custom extension image Markdown to add border automatically.
Line 106: Add number to this step.
Line 116: cloud > Cloud
Line 150: Delete leading indent.
Line 159: This is the process after a user signs in,  that occurs to enroll in Windows Hello for Business: > After a user signs in, this is the process that occurs to enroll in Windows Hello for Business:
Line 198: sign in > sign-in (used as a noun in this sentence)
This commit is contained in:
Angela Fleischmann
2023-02-24 15:43:12 -07:00
committed by GitHub
parent a90fe063ba
commit eb36317bb6
1 changed files with 56 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

106
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
View File

@ -14,8 +14,8 @@ ms.topic: tutorial
Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
1. Set up Azure AD Kerberos
1. Configure a Windows Hello for Business policy and deploy it to the devices
1. Set up Azure AD Kerberos.
1. Configure a Windows Hello for Business policy and deploy it to the devices.
### Deploy Azure AD Kerberos
@ -33,7 +33,7 @@ For devices managed by Intune, you can use Intune policies to configure Windows
There are different ways to enable and configure Windows Hello for Business in Intune:
- When the device is enrolled in Intune, a tenant-wide policy is applied to the device. This policy is applied at enrollment time only, and any changes to its configuration won't apply to devices already enrolled in Intune. For this reason, this policy is usually disabled, and Windows Hello for Business can be enabled using a policy targeted to a security group
- When the device is enrolled in Intune, a tenant-wide policy is applied to the device. This policy is applied at enrollment time only, and any changes to its configuration won't apply to devices already enrolled in Intune. For this reason, this policy is usually disabled, and Windows Hello for Business can be enabled using a policy targeted to a security group.
- After the device is enrolled in Intune, you can apply a device configuration policy. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
- [Settings catalog][MEM-7]
- [Security baselines][MEM-2]
@ -45,10 +45,10 @@ There are different ways to enable and configure Windows Hello for Business in I
To check the Windows Hello for Business policy applied at enrollment time:
1. Sign in to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
1. Select **Devices** > **Windows** > **Windows Enrollment**
1. Select **Windows Hello for Business**
1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
1. Sign in to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>.
1. Select **Devices** > **Windows** > **Windows Enrollment**.
1. Select **Windows Hello for Business**.
1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured.
:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." border="true" lightbox="images/whfb-intune-disable.png":::
@ -58,25 +58,25 @@ If the tenant-wide policy is enabled and configured to your needs, you can skip
To configure Windows Hello for Business using an account protection policy:
1. Sign in to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
1. Select **Endpoint security** > **Account protection**
1. Select **+ Create Policy**
1. For **Platform**, select **Windows 10 and later** and for **Profile** select **Account protection**
1. Select **Create**
1. Specify a **Name** and, optionally, a **Description** > **Next**
1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available
- These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**
- For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
1. Under **Enable to certificate for on-premises resources**, select **Disabled** and multiple policies become available
1. Select **Next**
1. Optionally, add **scope tags** and select **Next**
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
1. Review the policy configuration and select **Create**
1. Sign in to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>.
1. Select **Endpoint security** > **Account protection**.
1. Select **+ Create Policy**.
1. For **Platform**, select **Windows 10 and later** and for **Profile** select **Account protection**.
1. Select **Create**.
1. Specify a **Name** and, optionally, a **Description** > **Next**.
1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available.
- These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**.
- For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business).
1. Under **Enable to certificate for on-premises resources**, select **Disabled** and multiple policies become available.
1. Select **Next**.
1. Optionally, add **scope tags** and select **Next**.
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**.
1. Review the policy configuration and select **Create**.
> [!TIP]
> If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Account protection template.
:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="This image shows the enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
Assign the policy to a security group that contains as members the devices or users that you want to configure.
@ -86,22 +86,24 @@ The cloud Kerberos trust policy can be configured using a custom template, and i
To configure the cloud Kerberos trust policy:
1. Sign in to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**
1. For Profile Type, select **Templates** and select the **Custom** Template
1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust"
1. Sign in to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>.
1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
1. For Profile Type, select **Templates** and select the **Custom** Template.
1. Name the profile with a familiar name, for example, "Windows Hello for Business cloud Kerberos trust".
1. In Configuration Settings, add a new configuration with the following settings:
| Setting |
|--------|
| <ul><li>Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name</li><li>Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*</li><li>OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\<tenant ID>*`/Policies/UseCloudTrustForOnPremAuth`** </li><li>Data type: **Boolean** </li><li>Value: **True**</li></ul>|
- Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
- Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
- OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\<tenant ID>*`/Policies/UseCloudTrustForOnPremAuth`**
- Data type: **Boolean**
- Value: **True**
> [!IMPORTANT]
> *Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID.
[![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox)
:::image type="content" alt-text ="Intune custom-device configuration policy creation" source="./images/hello-cloud-trust-intune.png" lightbox="./images/hello-cloud-trust-intune-large.png":::
Assign the policy to a security group that contains as members the devices or users that you want to configure.
1. Assign the policy to a security group that contains as members the devices or users that you want to configure.
#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
@ -111,7 +113,7 @@ The Enable Windows Hello for Business Group Policy setting is used by Windows to
You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
> [!NOTE]
> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources).
@ -126,12 +128,12 @@ You can also create a Group Policy Central Store and copy them their respective
You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO).
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory
1. Edit the Group Policy object from Step 1
1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**
1. Select **Use Windows Hello for Business** > **Enable** > **OK**
1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK**
1. Optional, but recommended: select **Use a hardware security device** > **Enable** > **OK**
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory.
1. Edit the Group Policy object from Step 1.
1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
1. Select **Use Windows Hello for Business** > **Enable** > **OK**.
1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK**.
1. Optional, but recommended: select **Use a hardware security device** > **Enable** > **OK**.
---
@ -145,7 +147,7 @@ The Windows Hello for Business provisioning process begins immediately after a u
You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\
This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
![Cloud Kerberos trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png)
:::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="./images/cloud-trust-prereq-check.png":::
The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined.
@ -154,11 +156,11 @@ The cloud Kerberos trust prerequisite check detects whether the user has a parti
### PIN Setup
This is the process that occurs after a user signs in, to enroll in Windows Hello for Business:
After a user signs in, this is the process that occurs to enroll in Windows Hello for Business:
1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**
1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**.
1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device.
:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
@ -170,9 +172,9 @@ Once a user has set up a PIN with cloud Kerberos trust, it can be used **immedia
If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps:
1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos)
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business
1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos).
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business.
> [!NOTE]
> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
@ -186,14 +188,14 @@ If you deployed Windows Hello for Business using the key trust model, and want t
If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
1. Disable the certificate trust policy
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context
1. Sign out and sign back in
1. Provision Windows Hello for Business using a method of your choice
1. Disable the certificate trust policy.
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context.
1. Sign out and sign back in.
1. Provision Windows Hello for Business using a method of your choice.
> [!NOTE]
> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
> For hybrid Azure AD joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
## Frequently Asked Questions