From 97bd9e00e19877e434de2b9ac7a37f0c752b1c49 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 15 Nov 2022 11:48:35 -0500 Subject: [PATCH 01/29] Updates --- .../hello-deployment-rdp-certs.md | 112 ++++++++---------- .../hello-how-it-works-technology.md | 2 +- .../hello-hybrid-cloud-kerberos-trust.md | 2 +- .../hello-for-business/toc.yml | 76 ++++++------ 4 files changed, 89 insertions(+), 103 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 85e91958b3..3c3763245b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
@@ -1,53 +1,57 @@ --- -title: Deploying Certificates to Key Trust Users to Enable RDP -description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials +title: Deploy certificates to cloud Kerberos trust and key trust users to enable RDP +description: Learn how to deploy certificates to a cloud Kerberos trust and key trust user to enable remote desktop with supplied credentials ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.reviewer: prsriva +ms.reviewer: erikdau ms.collection: - M365-identity-device-management - ContentEngagementFY23 -ms.topic: article +ms.topic: how-to localizationpriority: medium -ms.date: 02/22/2021 -appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust - - ✅ Cloud Kerberos trust +ms.date: 11/15/2022 +appliesto: + - ✅ Windows 10, version 21H2 and later ms.technology: itpro-security --- -# Deploy Certificates to Key Trust and Cloud Kerberos Trust Users to Enable RDP +# Deploy certificates to cloud Kerberos trust and key trust users to enable RDP -Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time. 
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [ key trust](hello-how-it-works-technology.md#key-trust)\ +✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join) -This document discusses an approach for key trust and cloud Kerberos trust deployments where authentication certificates can be deployed to an existing WHFB user. +
-Three approaches are documented here: +--- -1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy. +Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For *cloud Kerberos trust* and *certificate trust* deployments, the creation of this certificate occurs at container creation time. -1. Deploying a certificate to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune. +This document discusses three approaches for cloud Kerberos trust and key trust deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: -1. Working with non-Microsoft enterprise certificate authorities. +- Deploy certificates to hybrid joined devices using an on-premises Active Directory certificate enrollment policy +- Deploy certificates to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune +- Work with non-Microsoft enterprise certificate authorities -## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy +## Deploy certificates to a hybrid joined devices using an on-premises Active Directory Certificate enrollment policy + +To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must: + +1. Create a suitable certificate template +1. Deploy certificates to your users based on the template ### Create a Windows Hello for Business certificate template -1. Sign in to your issuing certificate authority (CA). +Follow these steps to create a certificate template: -1. Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc). - -1. 
In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. - -1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console. - -1. Right-click the **Smartcard Logon** template and click **Duplicate Template** +1. Sign in to your issuing certificate authority (CA) +1. Open the **Certificate Authority** mmc snap-in console (%windir%\system32\certsrv.msc) +1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list +1. Right-click **Certificate Templates** and then select **Manage** to open the **Certificate Templates** console +1. Right-click the **Smartcard Logon** template and select **Duplicate Template** ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png) 
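Review bot: the rewritten opening sentence in this hunk, `For *cloud Kerberos trust* and *certificate trust* deployments, the creation of this certificate occurs at container creation time`, contradicts the page's own scope: the removed line limited the claim to certificate trust, and the paragraph right after it explains that cloud Kerberos trust and key trust users need the certificate deployed to them separately, which is the whole point of the article. Keep the claim to certificate trust, or drop the sentence as PATCH 02 later does. Two smaller points in the same hunk: the link text `[ key trust](hello-how-it-works-technology.md#key-trust)` carries a leading space inside the brackets, and the new H2 `## Deploy certificates to a hybrid joined devices using an on-premises Active Directory Certificate enrollment policy` pairs a singular article with a plural noun (`a hybrid joined devices`).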
@@ -55,63 +59,45 @@ Three approaches are documented here: 1. Clear the **Show resulting changes** check box 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list - 1. On the **General** tab: - 1. Specify a Template display name, such as **WHfB Certificate Authentication** + 1. Specify a Template display name, for example *WHfB Certificate Authentication* 1. Set the validity period to the desired value - 1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example). - -1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. - + 1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example) +1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon** 1. On the **Subject Name** tab: 1. Select the **Build from this Active Directory** information button if it is not already selected 1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected 1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** 1. On the **Request Handling** tab: 1. Select the **Renew with same key** check box - 1. Set the Purpose to **Signature and smartcard logon** - 1. Click **Yes** when prompted to change the certificate purpose - 1. Click **Prompt the user during enrollment** - + 1. Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose + 1. Select **Prompt the user during enrollment** 1. On the **Cryptography** tab: 1. 
Set the Provider Category to **Key Storage Provider** 1. Set the Algorithm name to **RSA** 1. Set the minimum key size to **2048** 1. Select **Requests must use one of the following providers** - 1. Tick **Microsoft Software Key Storage Provider** + 1. Select **Microsoft Software Key Storage Provider** 1. Set the Request hash to **SHA256** +1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them +1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates +1. Close the Certificate Templates console -1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them. - -1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. - -1. Close the Certificate Templates console. - -1. Open an elevated command prompt and change to a temporary working directory. - -1. Execute the following command: - - `certutil -dstemplate \ \> \.txt` - - Replace \ with the Template name you took note of earlier in step 7. - +1. Open an elevated command prompt and change to a temporary working directory +1. Execute the following command, replacing `\` with the Template name you took note of earlier in step 7c + `certutil -dstemplate \ \` 1. Open the text file created by the command above. - 1. Delete the last line of the output from the file that reads **CertUtil: -dsTemplate command completed successfully.** - 1. Modify the line that reads **pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"** to **pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"** - + 1. 
Delete the last line of the output from the file that reads `CertUtil: -dsTemplate command completed successfully.` + 1. Modify the line that reads `pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"` 1. Save the text file. - 1. Update the certificate template by executing the following command: - - certutil -dsaddtemplate \.txt - -1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue** + `certutil -dsaddtemplate \.txt` +1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue** ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png) -1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list. - -1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. Right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. +1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list. +1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service** ### Requesting a Certificate diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 719c27216d..f48952acdf 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -194,7 +194,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr ## Hybrid deployment -The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust. +The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust. ### Related to hybrid deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index d9cd8d2065..beaa22b78b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -5,7 +5,7 @@ ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.reviewer: prsriva +ms.reviewer: erikdau ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium 
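Review bot: in PATCH 01's second hello-deployment-rdp-certs.md hunk (`@@ -55,63 +59,45 @@`), the rewritten `certutil -dstemplate` line drops the output redirect that the removed line had (`\>` followed by the `.txt` target), leaving `certutil -dstemplate \ \`, so the command prints the template to the console while the next step still says `Open the text file created by the command above`. Restore the redirect to a file, as PATCH 04 later does with `certutil -dstemplate > `. The same hunk also keeps the hard-coded cross-reference `step 7c` inside an auto-numbered (`1.`) list; that reference silently breaks whenever a step is added or moved (PATCH 04 reorders sub-steps later in this list), so refer to the step by content, for example "the Template name you noted on the General tab".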
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 2c22050ab0..55cadf5a94 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -2,12 +2,12 @@ href: index.yml - name: Overview items: - - name: Windows Hello for Business Overview + - name: Windows Hello for Business overview href: hello-overview.md - name: Concepts expanded: true items: - - name: Passwordless Strategy + - name: Passwordless strategy href: passwordless-strategy.md - name: Why a PIN is better than a password href: hello-why-pin-is-better-than-password.md @@ -15,7 +15,7 @@ href: hello-biometrics-in-enterprise.md - name: How Windows Hello for Business works href: hello-how-it-works.md - - name: Technical Deep Dive + - name: Technical deep dive items: - name: Provisioning href: hello-how-it-works-provisioning.md 
@@ -25,91 +25,91 @@ href: webauthn-apis.md - name: How-to Guides items: - - name: Windows Hello for Business Deployment Overview + - name: Windows Hello for Business deployment overview href: hello-deployment-guide.md - - name: Planning a Windows Hello for Business Deployment + - name: Planning a Windows Hello for Business deployment href: hello-planning-guide.md - - name: Deployment Prerequisite Overview + - name: Deployment prerequisite overview href: hello-identity-verification.md - name: Prepare people to use Windows Hello href: hello-prepare-people-to-use.md - - name: Deployment Guides + - name: Deployment guides items: - - name: Hybrid Cloud Kerberos Trust Deployment + - name: Hybrid cloud Kerberos trust deployment href: hello-hybrid-cloud-kerberos-trust.md - - name: Hybrid Azure AD Joined Key Trust + - name: Hybrid Azure AD Join key trust items: - - name: Hybrid Azure AD Joined Key Trust Deployment + - name: Hybrid Azure AD join key trust deployment href: hello-hybrid-key-trust.md - name: Prerequisites href: hello-hybrid-key-trust-prereqs.md - - name: New Installation Baseline + - name: New installation baseline href: hello-hybrid-key-new-install.md - - name: Configure Directory Synchronization + - name: Configure directory synchronization href: hello-hybrid-key-trust-dirsync.md - - name: Configure Azure Device Registration + - name: Configure Azure AD device registration href: hello-hybrid-key-trust-devreg.md - name: Configure Windows Hello for Business settings href: hello-hybrid-key-whfb-settings.md - - name: Sign-in and Provisioning + - name: Sign-in and provisioning href: hello-hybrid-key-whfb-provision.md - - name: Hybrid Azure AD Joined Certificate Trust + - name: Hybrid Azure AD join certificate trust items: - - name: Hybrid Azure AD Joined Certificate Trust Deployment + - name: Hybrid Azure AD join certificate trust deployment href: hello-hybrid-cert-trust.md - name: Prerequisites href: hello-hybrid-cert-trust-prereqs.md - - name: New Installation 
Baseline + - name: New installation baseline href: hello-hybrid-cert-new-install.md - - name: Configure Azure Device Registration + - name: Configure Azure AD device registration href: hello-hybrid-cert-trust-devreg.md - name: Configure Windows Hello for Business settings href: hello-hybrid-cert-whfb-settings.md - - name: Sign-in and Provisioning + - name: Sign-in and provisioning href: hello-hybrid-cert-whfb-provision.md - - name: On-premises SSO for Azure AD Joined Devices + - name: On-premises singe-sign-on (SSO) for Azure AD joined devices items: - - name: On-premises SSO for Azure AD Joined Devices Deployment + - name: On-premises SSO for Azure AD joined devices href: hello-hybrid-aadj-sso.md - - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business + - name: Configure Azure AD joined devices for on-premises SSO href: hello-hybrid-aadj-sso-base.md - - name: Using Certificates for AADJ On-premises Single-sign On + - name: Using certificates for on-premises SSO href: hello-hybrid-aadj-sso-cert.md - name: On-premises Key Trust items: - - name: On-premises Key Trust Deployment + - name: Key trust deployment href: hello-deployment-key-trust.md - - name: Validate Active Directory Prerequisites + - name: Validate Active Directory prerequisites href: hello-key-trust-validate-ad-prereq.md - - name: Validate and Configure Public Key Infrastructure + - name: Validate and configure Public Key Infrastructure (PKI) href: hello-key-trust-validate-pki.md - - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + - name: Prepare and deploy Active Directory Federation Services (AD FS) href: hello-key-trust-adfs.md - - name: Validate and Deploy Multi-factor Authentication (MFA) Services + - name: Validate and deploy multi-factor authentication (MFA) services href: hello-key-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: 
hello-key-trust-policy-settings.md - - name: On-premises Certificate Trust + - name: On-premises certificate trust items: - - name: On-premises Certificate Trust Deployment + - name: Certificate trust deployment href: hello-deployment-cert-trust.md - - name: Validate Active Directory Prerequisites + - name: Validate Active Directory prerequisites href: hello-cert-trust-validate-ad-prereq.md - - name: Validate and Configure Public Key Infrastructure + - name: Validate and configure Public Key Infrastructure (PKI) href: hello-cert-trust-validate-pki.md - - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + - name: Prepare and Deploy Active Directory Federation Services (AD FS) href: hello-cert-trust-adfs.md - - name: Validate and Deploy Multi-factor Authentication (MFA) Services + - name: Validate and deploy multi-factor authentication (MFA) services href: hello-cert-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - name: Azure AD join cloud only deployment href: hello-aad-join-cloud-only-deploy.md - - name: Managing Windows Hello for Business in your organization + - name: Manage Windows Hello for Business in your organization href: hello-manage-in-organization.md - - name: Deploying Certificates to Key Trust Users to Enable RDP + - name: Deploy certificates for remote desktop (RDP) connections href: hello-deployment-rdp-certs.md - - name: Windows Hello for Business Features + - name: Windows Hello for Business features items: - name: Conditional Access href: hello-feature-conditional-access.md @@ -135,7 +135,7 @@ href: hello-and-password-changes.md - name: Reference items: - - name: Technology and Terminology + - name: Technology and terminology href: hello-how-it-works-technology.md - name: Frequently Asked Questions (FAQ) href: hello-faq.yml From ea8b66f522c7a4c0ef2ec7858e183af0b2ddc7b9 Mon Sep 17 00:00:00 2001 
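Review bot: in PATCH 01's toc.yml hunk `@@ -25,91 +25,91 @@`, the new entry `- name: On-premises singe-sign-on (SSO) for Azure AD joined devices` misspells `single` as `singe`, and none of the later toc hunks shown in this series correct it. In the same hunk the two AD FS entries end up with different casing: the key trust one becomes `Prepare and deploy Active Directory Federation Services (AD FS)` while the certificate trust one becomes `Prepare and Deploy Active Directory Federation Services (AD FS)`; use the sentence case the rest of the hunk adopts.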
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 15 Nov 2022 12:14:50 -0500 Subject: [PATCH 02/29] updates --- .../hello-deployment-rdp-certs.md | 31 ++++++++++--------- .../hello-for-business/toc.yml | 18 +++++------ 2 files changed, 25 insertions(+), 24 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 3c3763245b..7fd201a853 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -13,11 +13,11 @@ ms.topic: how-to localizationpriority: medium ms.date: 11/15/2022 appliesto: - - ✅ Windows 10, version 21H2 and later + - ✅ Windows 10 and later ms.technology: itpro-security --- -# Deploy certificates to cloud Kerberos trust and key trust users to enable RDP +# Deploy certificates to cloud Kerberos trust and key trust users for RDP authentication This document describes Windows Hello for Business functionalities or scenarios that apply to:\ ✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\ 
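Review bot: the front-matter `title:` is left out of sync with the H1 changed in this hunk: the H1 becomes `Deploy certificates to cloud Kerberos trust and key trust users for RDP authentication`, but `title:` (visible as unchanged context in PATCH 05's first hunk) still reads `Deploy certificates to cloud Kerberos trust and key trust users to enable RDP`, and the toc entry in PATCH 02's toc hunk becomes `Deploy certificates for remote desktop (RDP) authentication`. Update the metadata title in the same change so the browser title, H1 and toc entry say the same thing.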
@@ -28,9 +28,7 @@ This document describes Windows Hello for Business functionalities or scenarios --- -Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For *cloud Kerberos trust* and *certificate trust* deployments, the creation of this certificate occurs at container creation time. - -This document discusses three approaches for cloud Kerberos trust and key trust deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: +Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: - Deploy certificates to hybrid joined devices using an on-premises Active Directory certificate enrollment policy - Deploy certificates to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune @@ -38,12 +36,13 @@ This document discusses three approaches for cloud Kerberos trust and key trust ## Deploy certificates to a hybrid joined devices using an on-premises Active Directory Certificate enrollment policy -To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must: +To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a certificate template and then deploy certificates based on the template. -1. Create a suitable certificate template -1. Deploy certificates to your users based on the template +Expand the following sections to learn more about the process. -### Create a Windows Hello for Business certificate template +
+
+Create a Windows Hello for Business certificate template Follow these steps to create a certificate template: @@ -99,24 +98,26 @@ Follow these steps to create a certificate template: 1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list. 1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service** -### Requesting a Certificate +
+ + +
+
+Request a Certificate 1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority. - 1. Start the **Certificates – Current User** console (%windir%\system32\certmgr.msc). - 1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…** ![Request a new certificate.](images/rdpcert/requestnewcertificate.png) 1. On the Certificate Enrollment screen, click **Next**. - 1. Under Select Certificate Enrollment Policy, ensure **Active Directory Enrollment Policy** is selected and then click **Next**. - 1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enroll**. - 1. After a successful certificate request, click Finish on the Certificate Installation Results screen +
+ ## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune Deploying a certificate to Azure AD Joined Devices may be achieved with the Simple Certificate Enrollment Protocol (SCEP) via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-scep-configure). diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 55cadf5a94..e0319abca3 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -35,6 +35,8 @@ href: hello-prepare-people-to-use.md - name: Deployment guides items: + - name: Cloud-only deployment + href: hello-aad-join-cloud-only-deploy.md - name: Hybrid cloud Kerberos trust deployment href: hello-hybrid-cloud-kerberos-trust.md - name: Hybrid Azure AD Join key trust @@ -75,7 +77,7 @@ href: hello-hybrid-aadj-sso-base.md - name: Using certificates for on-premises SSO href: hello-hybrid-aadj-sso-cert.md - - name: On-premises Key Trust + - name: On-premises key trust items: - name: Key trust deployment href: hello-deployment-key-trust.md 
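Review bot: in PATCH 02's hunk `@@ -99,24 +98,26 @@` of hello-deployment-rdp-certs.md, the new collapsible section title `Request a Certificate` keeps title case while its sibling `Create a Windows Hello for Business certificate template` and the headings renamed in PATCH 01 use sentence case, and the steps under it still say `click` (`click **Next**`, `click **Enroll**`) although the template steps were converted to `select` in PATCH 01. The H2 that follows, `## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune`, is likewise untouched and still carries the gerund and title case that the first H2 dropped. One consistency pass over this section would finish the job this series started.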
@@ -103,15 +105,13 @@ href: hello-cert-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - - name: Azure AD join cloud only deployment - href: hello-aad-join-cloud-only-deploy.md - - name: Manage Windows Hello for Business in your organization - href: hello-manage-in-organization.md - - name: Deploy certificates for remote desktop (RDP) connections + - name: Deploy certificates for remote desktop (RDP) authentication href: hello-deployment-rdp-certs.md + - name: Manage Windows Hello for Business in your organization + href: hello-manage-in-organization.md - name: Windows Hello for Business features items: - - name: Conditional Access + - name: Conditional access href: hello-feature-conditional-access.md - name: PIN Reset href: hello-feature-pin-reset.md @@ -125,9 +125,9 @@ href: hello-feature-remote-desktop.md - name: Troubleshooting items: - - name: Known Deployment Issues + - name: Known deployment issues href: hello-deployment-issues.md - - name: Errors During PIN Creation + - name: Errors during PIN creation href: hello-errors-during-pin-creation.md - name: Event ID 300 - Windows Hello successfully created href: hello-event-300.md From a91e5025f641bcb04dac20f0172c84492c9b639e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 15 Nov 2022 15:08:25 -0500 Subject: [PATCH 03/29] updates --- .../hello-for-business/hello-deployment-rdp-certs.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 7fd201a853..11d9864886 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
@@ -100,11 +100,10 @@ Follow these steps to create a certificate template: - -
Request a Certificate + 1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority. 1. Start the **Certificates – Current User** console (%windir%\system32\certmgr.msc). 1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…** From 4801714795cd4b4c3452f57da02fe5c1afd60026 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 15 Nov 2022 15:29:32 -0500 Subject: [PATCH 04/29] updates --- .../hello-deployment-rdp-certs.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 11d9864886..8e6cf54945 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
@@ -46,10 +46,10 @@ Expand the following sections to learn more about the process. Follow these steps to create a certificate template: -1. Sign in to your issuing certificate authority (CA) -1. Open the **Certificate Authority** mmc snap-in console (%windir%\system32\certsrv.msc) -1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list -1. Right-click **Certificate Templates** and then select **Manage** to open the **Certificate Templates** console +1. Sign in to your issuing certificate authority (CA) and open *Server Manager* +1. Select **Tools > Certification Authority**. The Certification Authority Microsoft Management Console (MMC) opens +1. In the MMC, expand the CA name and right-click **Certificate Templates > Manage** +1. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane 1. Right-click the **Smartcard Logon** template and select **Duplicate Template** ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png) @@ -68,8 +68,8 @@ Follow these steps to create a certificate template: 1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected 1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** 1. On the **Request Handling** tab: - 1. Select the **Renew with same key** check box 1. Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose + 1. Select the **Renew with same key** check box 1. Select **Prompt the user during enrollment** 1. On the **Cryptography** tab: 1. Set the Provider Category to **Key Storage Provider** 
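Review bot: in PATCH 04's hunk `@@ -46,10 +46,10 @@`, the new step `1. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane` is a result rather than an action, so it does not belong as its own numbered step. Fold it into the previous step as its closing sentence (`Right-click **Certificate Templates > Manage**. The Certificate Templates console opens.`), and then re-check the `step 7c` cross-reference further down, which depends on the current number of top-level steps.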
@@ -83,8 +83,8 @@ Follow these steps to create a certificate template: 1. Close the Certificate Templates console 1. Open an elevated command prompt and change to a temporary working directory -1. Execute the following command, replacing `\` with the Template name you took note of earlier in step 7c - `certutil -dstemplate \ \` +1. Execute the following command, replacing `` with the Template name you took note of earlier in step 7c + `certutil -dstemplate > ` 1. Open the text file created by the command above. 1. Delete the last line of the output from the file that reads `CertUtil: -dsTemplate command completed successfully.` 1. Modify the line that reads `pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"` From 14104f2d667837bab005af7614469575d41446b3 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 15 Nov 2022 17:14:08 -0500 Subject: [PATCH 05/29] updates --- .../hello-deployment-rdp-certs.md | 23 ++++++++++++++----- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 8e6cf54945..08eac3591e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -1,6 +1,6 @@ --- title: Deploy certificates to cloud Kerberos trust and key trust users to enable RDP -description: Learn how to deploy certificates to a cloud Kerberos trust and key trust user to enable remote desktop with supplied credentials +description: Learn how to deploy certificates to a cloud Kerberos trust and key trust user to enable remote desktop with supplied credentials. ms.prod: windows-client author: paolomatarazzo ms.author: paoloma 
@@ -84,13 +84,24 @@ Follow these steps to create a certificate template: 1. Open an elevated command prompt and change to a temporary working directory 1. Execute the following command, replacing `` with the Template name you took note of earlier in step 7c - `certutil -dstemplate > ` + + ```cmd + certutil -dstemplate > + ``` + 1. Open the text file created by the command above. - 1. Delete the last line of the output from the file that reads `CertUtil: -dsTemplate command completed successfully.` - 1. Modify the line that reads `pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"` -1. Save the text file. + 1. Delete the last line of the output from the file that reads\ + `CertUtil: -dsTemplate command completed successfully.` + 1. Modify the line that reads\ + `pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to\ + `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"` +1. Save the text file 1. Update the certificate template by executing the following command: - `certutil -dsaddtemplate \.txt` + + ```cmd + certutil -dsaddtemplate + ``` + 1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue** ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png) From 287324a7dc3f39d6c58253aed14a26edfafa79b0 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 15 Nov 2022 17:38:07 -0500 Subject: [PATCH 06/29] updates --- .../hello-deployment-rdp-certs.md | 90 ++++++++++--------- 1 file changed, 48 insertions(+), 42 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 08eac3591e..89d1beeda3 100644 
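Review bot: both new `cmd` fences in the `@@ -84,13` hunk ship commands without their operands: `certutil -dstemplate >` has no template name and no target file, and `certutil -dsaddtemplate` has no input file at all (the removed line at least showed a `.txt` argument). Moving the commands into fenced blocks is the right call, but the placeholders have to survive rendering; use bracket-free names such as `certutil -dstemplate TemplateName > TemplateName.txt` and `certutil -dsaddtemplate TemplateName.txt`, with a sentence stating that `TemplateName` is the value noted earlier. Minor: "Open the text file created by the command above." is now the only list item ending with a period.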
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -30,13 +30,15 @@ This document describes Windows Hello for Business functionalities or scenarios Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: -- Deploy certificates to hybrid joined devices using an on-premises Active Directory certificate enrollment policy +- Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy - Deploy certificates to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune - Work with non-Microsoft enterprise certificate authorities -## Deploy certificates to a hybrid joined devices using an on-premises Active Directory Certificate enrollment policy +## Deploy certificates via Active Directory Certificate Services (AD CS) -To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a certificate template and then deploy certificates based on the template. +This scenario is applicable to hybrid Azure AD joined devices only. + +To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template* and then deploy certificates based on that template. Expand the following sections to learn more about the process. 
@@ -81,7 +83,6 @@ Follow these steps to create a certificate template: 1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them 1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates 1. Close the Certificate Templates console - 1. Open an elevated command prompt and change to a temporary working directory 1. Execute the following command, replacing `` with the Template name you took note of earlier in step 7c @@ -113,52 +114,54 @@ Follow these steps to create a certificate template:
-Request a Certificate +Request a certificate -1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority. -1. Start the **Certificates – Current User** console (%windir%\system32\certmgr.msc). -1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…** +1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA +1. Open the **Certificates - Current User** Microsoft Management Console (MMC) - `%windir%\system32\certmgr.msc` +1. In the left pane of the MMC, right-click **Personal > All Tasks > Request New Certificate…** ![Request a new certificate.](images/rdpcert/requestnewcertificate.png) -1. On the Certificate Enrollment screen, click **Next**. -1. Under Select Certificate Enrollment Policy, ensure **Active Directory Enrollment Policy** is selected and then click **Next**. -1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enroll**. -1. After a successful certificate request, click Finish on the Certificate Installation Results screen +1. On the Certificate Enrollment screen, select **Next** +1. Under *Select Certificate Enrollment Policy*, select **Active Directory Enrollment Policy > Next** +1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll** +1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen
## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune -Deploying a certificate to Azure AD Joined Devices may be achieved with the Simple Certificate Enrollment Protocol (SCEP) via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-scep-configure). +Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PFX via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-scep-configure). Next you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD Joined Devices using a Trusted root certificate profile with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune](/mem/intune/protect/certificates-trusted-root). -Once these requirements have been met, a new device configuration profile may be configured from Intune that provisions a certificate for the user of the device. Proceed as follows: +Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device. -1. Sign in to the Microsoft [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +
+
+Create a SCEP profile in Intune -1. Navigate to Devices \> Configuration Profiles \> Create profile. +Proceed as follows: +1. Sign in to the Microsoft [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. Navigate to Devices \> Configuration Profiles \> Create profile 1. Enter the following properties: - 1. For Platform, select **Windows 10 and later**. - 1. For Profile, select **SCEP Certificate**. - 1. Click **Create**. - + 1. For Platform, select **Windows 10 and later** + 1. For Profile, select **SCEP Certificate** + 1. Click **Create** 1. In **Basics**, enter the following parameters: - 1. **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company. - 1. **Description**: Enter a description for the profile. This setting is optional, but recommended. - 1. Select **Next**. - + 1. **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company + 1. **Description**: Enter a description for the profile. This setting is optional, but recommended + 1. Select **Next** 1. In the **Configuration settings**, complete the following: - 1. For Certificate Type, choose **User**. - 1. For Subject name format, set it to **CN={{UserPrincipalName}}**. - 1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}**. - 1. For Certificate validity period, set a value of your choosing. - 1. For Key storage provider (KSP), choose **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**. - 1. For Key usage, choose **Digital Signature**. - 1. For Key size (bits), choose **2048**. - 1. For Hash algorithm, choose **SHA-2**. + 1. For Certificate Type, choose **User** + 1. 
For Subject name format, set it to **CN={{UserPrincipalName}}** + 1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}** + 1. For Certificate validity period, set a value of your choosing + 1. For Key storage provider (KSP), choose **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** + 1. For Key usage, choose **Digital Signature** + 1. For Key size (bits), choose **2048** + 1. For Hash algorithm, choose **SHA-2** 1. Under Root Certificate, click **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate. 1. Under Extended key usage, add the following: @@ -171,34 +174,37 @@ Once these requirements have been met, a new device configuration profile may be 1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure. 1. Click **Next** 1. In Assignments, target the devices or users who should receive a certificate and click **Next** - 1. In Applicability Rules, provide additional issuance restrictions if required and click **Next** - 1. In Review + create, click **Create** +
+ +
+
+Request a certificate Once the configuration profile has been created, targeted clients will receive the profile from Intune on their next refresh cycle. You should find a new certificate in the user store. To validate the certificate is present, do the following steps: 1. Open the Certificates - Current User console (%windir%\system32\certmgr.msc) - 1. In the left pane of the MMC, expand **Personal** and select **Certificates** - 1. In the right-hand pane of the MMC, check for the new certificate > [!NOTE] > This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid Azure Active Directory-Joined devices using Intune Policies. +
+ ## Using non-Microsoft Enterprise Certificate Authorities -If you are using a Public Key Infrastructure that uses non-Microsoft services, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune](/mem/intune/protect/certificate-authority-add-scep-overview). +If you are using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune](/mem/intune/protect/certificate-authority-add-scep-overview). As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest](https://www.powershellgallery.com/packages/Generate-CertificateRequest) PowerShell commandlet. -The Generate-CertificateRequest commandlet will generate an .inf file for a pre-existing Windows Hello for Business key. The .inf can be used to generate a certificate request manually using certreq.exe. The commandlet will also generate a .req file, which can be submitted to your PKI for a certificate. +The `Generate-CertificateRequest` commandlet will generate an *.inf* file for a pre-existing Windows Hello for Business key. The *.inf* can be used to generate a certificate request manually using `certreq.exe`. The commandlet will also generate a *.req* file, which can be submitted to your PKI for a certificate. 
## RDP Sign-in with Windows Hello for Business Certificate Authentication -After adding the certificate using an approach from any of the previous sections, you should be able to RDP to any Windows device or server in the same Forest as the user’s on-premises Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server. +After adding the certificate using an approach from any of the previous sections, you can RDP to any Windows device or server in the same Forest as the user's Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server. -1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid Azure Active Directory-Joined client where the authentication certificate has been deployed. -1. Attempt an RDP session to a target server. -1. Use the certificate credential protected by your Windows Hello for Business gesture. +1. Open the Remote Desktop Client (`%windir%\system32\mstsc.exe`) on the client where the authentication certificate has been deployed +1. Attempt an RDP session to a target server +1. Use the certificate credential protected by your Windows Hello for Business gesture to authenticate \ No newline at end of file From 15e5f42549fff7b0aef3d142fea95d6b7961ecd3 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 15 Nov 2022 17:41:44 -0500 Subject: [PATCH 07/29] updates --- .../hello-for-business/hello-deployment-rdp-certs.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 89d1beeda3..bc9258e92e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
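Review bot: the Intune profile procedure in the `@@ -113,52` hunk loses its closing steps: the `-` lines `1. In Applicability Rules, provide additional issuance restrictions if required and click **Next**` and `1. In Review + create, click **Create**` are removed, and the `+` lines that replace them show no content in this hunk, so the walkthrough now ends on the Assignments page without ever creating the profile. Restore the Review + create step (Applicability Rules can stay optional). Two smaller points in the same hunk: the intro now says certificates "may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PFX via Intune", but only a SCEP profile is documented, so either drop PFX or link to its own guidance; and the file now ends without a trailing newline (`\ No newline at end of file`), which most markdown linters flag.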
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -36,7 +36,8 @@ Windows Hello for Business supports using a certificate as the supplied credenti ## Deploy certificates via Active Directory Certificate Services (AD CS) -This scenario is applicable to hybrid Azure AD joined devices only. +> [!NOTE] +> This process is applicable to hybrid Azure AD joined devices only. To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template* and then deploy certificates based on that template. @@ -129,7 +130,10 @@ Follow these steps to create a certificate template:
-## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune +## Deploy certificates via Microsoft Intune + +> [!NOTE] +> This process is applicable to both *Azure AD joined* and *hybrid Azure AD joined* devices that are managed via Intune. Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PFX via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-scep-configure). From cc823ddab56a781c5d39b51475da347c64aa07e3 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 15 Nov 2022 18:21:38 -0500 Subject: [PATCH 08/29] updates --- education/windows/edu-stickers.md | 4 ++++ .../security/identity-protection/hello-for-business/toc.yml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index dc25c4e817..b87b1f8db9 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md 
@@ -41,6 +41,10 @@ Stickers aren't enabled by default. Follow the instructions below to configure y [!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] [!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] +```msgraph-interactive +POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{"id":"00-0000-0000-0000-000000000000","displayName":"Stickers","roleScopeTagIds":["0"],"@odata.type":"#microsoft.graph.windows10CustomConfiguration","omaSettings":[{"omaUri":"./Vendor/MSFT/Policy/Config/Stickers/EnableStickers","displayName":"EnableStickers","@odata.type":"#microsoft.graph.omaSettingInteger","value":1}]} +``` + #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings: diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index e0319abca3..17b5735a4f 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -69,7 +69,7 @@ href: hello-hybrid-cert-whfb-settings.md - name: Sign-in and provisioning href: hello-hybrid-cert-whfb-provision.md - - name: On-premises singe-sign-on (SSO) for Azure AD joined devices + - name: On-premises single-sign-on (SSO) for Azure AD joined devices items: - name: On-premises SSO for Azure AD joined devices href: hello-hybrid-aadj-sso.md From 21674db962c90d796b48ca30a2f9128a5258a58f Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 15 Nov 2022 18:40:10 -0500 Subject: [PATCH 09/29] updates --- education/windows/edu-stickers.md | 6 ++++++ 1 file changed, 6 insertions(+) 
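Review bot: the `msgraph-interactive` block added in the edu-stickers `@@ -41,6` hunk is not a valid Graph request: the JSON body is concatenated onto the request URL (`POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{"id":...}`), so a reader who pastes it gets a malformed path rather than a POST with a body. Put the request line and the body on separate lines, drop the trailing slash after `deviceConfigurations`, and remove the client-supplied `"id":"00-0000-0000-0000-000000000000"` (not a well-formed GUID, and the service assigns the id on create).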
diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index b87b1f8db9..500bd36b8f 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -45,6 +45,12 @@ Stickers aren't enabled by default. Follow the instructions below to configure y POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{"id":"00-0000-0000-0000-000000000000","displayName":"Stickers","roleScopeTagIds":["0"],"@odata.type":"#microsoft.graph.windows10CustomConfiguration","omaSettings":[{"omaUri":"./Vendor/MSFT/Policy/Config/Stickers/EnableStickers","displayName":"EnableStickers","@odata.type":"#microsoft.graph.omaSettingInteger","value":1}]} ``` +Try this policy in your tenant: + +```msgraph-interactive +https://developer.microsoft.com/en-us/graph/graph-explorer?request=deviceManagement%2FdeviceConfigurations&method=POST&version=beta&GraphUrl=https://graph.microsoft.com&requestBody=eyJpZCI6IjAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsImRpc3BsYXlOYW1lIjoiU3RpY2tlcnMiLCJyb2xlU2NvcGVUYWdJZHMiOlsiMCJdLCJAb2RhdGEudHlwZSI6IiNtaWNyb3NvZnQuZ3JhcGgud2luZG93czEwQ3VzdG9tQ29uZmlndXJhdGlvbiIsIm9tYVNldHRpbmdzIjpbeyJvbWFVcmkiOiIuL1ZlbmRvci9NU0ZUL1BvbGljeS9Db25maWcvU3RpY2tlcnMvRW5hYmxlU3RpY2tlcnMiLCJkaXNwbGF5TmFtZSI6IkVuYWJsZVN0aWNrZXJzIiwiQG9kYXRhLnR5cGUiOiIjbWljcm9zb2Z0LmdyYXBoLm9tYVNldHRpbmdJbnRlZ2VyIiwidmFsdWUiOjF9XX0= +``` + #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings: From ad1d79d377114e8509d24413875dabcf67f7936d Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 15 Nov 2022 19:48:29 -0500 Subject: [PATCH 10/29] test --- education/windows/edu-stickers.md | 4 ++++ 1 file changed, 4 insertions(+) 
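Review bot: the "Try this policy in your tenant" block added in the `@@ -45,6` hunk wraps a Graph Explorer deep link (`https://developer.microsoft.com/en-us/graph/graph-explorer?request=...&requestBody=<base64>`) in a `msgraph-interactive` fence; that fence is meant for a request line (`METHOD URL`), not for a web link, and the base64-encoded `requestBody` duplicates the JSON already shown in the block above it. Make it an ordinary markdown link, or drop it and keep the single request block.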
diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index 500bd36b8f..ea06e4b2ba 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -51,6 +51,10 @@ Try this policy in your tenant: https://developer.microsoft.com/en-us/graph/graph-explorer?request=deviceManagement%2FdeviceConfigurations&method=POST&version=beta&GraphUrl=https://graph.microsoft.com&requestBody=eyJpZCI6IjAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsImRpc3BsYXlOYW1lIjoiU3RpY2tlcnMiLCJyb2xlU2NvcGVUYWdJZHMiOlsiMCJdLCJAb2RhdGEudHlwZSI6IiNtaWNyb3NvZnQuZ3JhcGgud2luZG93czEwQ3VzdG9tQ29uZmlndXJhdGlvbiIsIm9tYVNldHRpbmdzIjpbeyJvbWFVcmkiOiIuL1ZlbmRvci9NU0ZUL1BvbGljeS9Db25maWcvU3RpY2tlcnMvRW5hYmxlU3RpY2tlcnMiLCJkaXNwbGF5TmFtZSI6IkVuYWJsZVN0aWNrZXJzIiwiQG9kYXRhLnR5cGUiOiIjbWljcm9zb2Z0LmdyYXBoLm9tYVNldHRpbmdJbnRlZ2VyIiwidmFsdWUiOjF9XX0= ``` +```msgraph-interactive +POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/&requestBody={"id":"00-0000-0000-0000-000000000000","displayName":"Stickers","roleScopeTagIds":["0"],"@odata.type":"#microsoft.graph.windows10CustomConfiguration","omaSettings":[{"omaUri":"./Vendor/MSFT/Policy/Config/Stickers/EnableStickers","displayName":"EnableStickers","@odata.type":"#microsoft.graph.omaSettingInteger","value":1}]} +``` + #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings: From 8ea9bcb6ecda4c9a7d8af1e90ba19a45626be4dc Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 15 Nov 2022 19:54:26 -0500 Subject: [PATCH 11/29] update --- education/windows/edu-stickers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index ea06e4b2ba..f89fe5b379 100644 
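Review bot: the `@@ -51,6` hunk adds a third copy of the same Stickers configuration request, this time as `POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/&requestBody={...}`; `requestBody` is a Graph Explorer URL parameter, not a Graph API query option, and appending it to the collection URL yields a request the service will reject. With the blocks from the two previous patches still in place, the page now carries three variants of one request; keep one block with the request line and the JSON body on separate lines.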
--- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -52,7 +52,7 @@ https://developer.microsoft.com/en-us/graph/graph-explorer?request=deviceManagem ``` ```msgraph-interactive -POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/&requestBody={"id":"00-0000-0000-0000-000000000000","displayName":"Stickers","roleScopeTagIds":["0"],"@odata.type":"#microsoft.graph.windows10CustomConfiguration","omaSettings":[{"omaUri":"./Vendor/MSFT/Policy/Config/Stickers/EnableStickers","displayName":"EnableStickers","@odata.type":"#microsoft.graph.omaSettingInteger","value":1}]} +POST https://graph.microsoft.com?request=deviceManagement%2FdeviceConfigurations&method=POST&version=beta&GraphUrl=https://graph.microsoft.com&requestBody=eyJpZCI6IjAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsImRpc3BsYXlOYW1lIjoiU3RpY2tlcnMiLCJyb2xlU2NvcGVUYWdJZHMiOlsiMCJdLCJAb2RhdGEudHlwZSI6IiNtaWNyb3NvZnQuZ3JhcGgud2luZG93czEwQ3VzdG9tQ29uZmlndXJhdGlvbiIsIm9tYVNldHRpbmdzIjpbeyJvbWFVcmkiOiIuL1ZlbmRvci9NU0ZUL1BvbGljeS9Db25maWcvU3RpY2tlcnMvRW5hYmxlU3RpY2tlcnMiLCJkaXNwbGF5TmFtZSI6IkVuYWJsZVN0aWNrZXJzIiwiQG9kYXRhLnR5cGUiOiIjbWljcm9zb2Z0LmdyYXBoLm9tYVNldHRpbmdJbnRlZ2VyIiwidmFsdWUiOjF9XX0= ``` #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) From ddf1c60cfc0354b7f19008db58d977a2278f35c5 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 07:51:13 -0500 Subject: [PATCH 12/29] updates --- .../hello-deployment-rdp-certs.md | 64 ++++++------------- 1 file changed, 20 insertions(+), 44 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index bc9258e92e..a493995334 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
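Review bot: the replacement request line in the `@@ -52,7` hunk, `POST https://graph.microsoft.com?request=deviceManagement%2FdeviceConfigurations&method=POST&version=beta&GraphUrl=...&requestBody=<base64>`, moves Graph Explorer's query parameters onto the Graph API host; `request`, `method`, `version`, `GraphUrl` and `requestBody` are not Graph API parameters, and the API version and resource path now exist only inside the query string. Revert to `POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations` with the JSON body on the following lines, and remove the duplicate blocks left by the two previous patches so the page carries one request.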
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -28,16 +28,16 @@ This document describes Windows Hello for Business functionalities or scenarios --- -Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: +Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: - Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy -- Deploy certificates to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune -- Work with non-Microsoft enterprise certificate authorities +- Deploy certificates to hybrid or Azure AD-joined devices using Intune +- Work with third-party PKIs ## Deploy certificates via Active Directory Certificate Services (AD CS) > [!NOTE] -> This process is applicable to hybrid Azure AD joined devices only. +> This process is applicable to *hybrid Azure AD joined* devices only. To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template* and then deploy certificates based on that template. 
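Review bot: in the `@@ -28,16` hunk the summary bullet is renamed to "Work with third-party PKIs" and the Intune bullet drops "Simple Certificate Enrollment Protocol (SCEP)", but the sections they point to are still headed "## Using non-Microsoft Enterprise Certificate Authorities" (unchanged context later in this patch) and still lead with SCEP. Align the bullet wording with the section headings, or rename the headings in the same change, so the summary list and the sections match.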
@@ -54,34 +54,18 @@ Follow these steps to create a certificate template: 1. In the MMC, expand the CA name and right-click **Certificate Templates > Manage** 1. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane 1. Right-click the **Smartcard Logon** template and select **Duplicate Template** +1. Use the following table to configure the template: - ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png) + | Tab Name | Configurations | + | --- | --- | + | *Compatibility* |
  • Clear the **Show resulting changes** check box
  • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
  • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
| + | *General* |
  • Specify a Template display name, for example *WHfB Certificate Authentication*
  • Set the validity period to the desired value
  • Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
| + | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**| + | *Subject Name* |
  • Select the **Build from this Active Directory** information button if it is not already selected
  • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected
  • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
| + |*Request Handling*|
  • Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
  • Select the **Renew with same key** check box
  • Select **Prompt the user during enrollment**
| + |*Cryptography*|
  • Set the Provider Category to **Key Storage Provider**
  • Set the Algorithm name to **RSA**
  • Set the minimum key size to **2048**
  • Select **Requests must use one of the following providers**
  • Select **Microsoft Software Key Storage Provider**
  • Set the Request hash to **SHA256**
| + |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them| -1. On the **Compatibility** tab: - 1. Clear the **Show resulting changes** check box - 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list - 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list -1. On the **General** tab: - 1. Specify a Template display name, for example *WHfB Certificate Authentication* - 1. Set the validity period to the desired value - 1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example) -1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon** -1. On the **Subject Name** tab: - 1. Select the **Build from this Active Directory** information button if it is not already selected - 1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected - 1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** -1. On the **Request Handling** tab: - 1. Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose - 1. Select the **Renew with same key** check box - 1. Select **Prompt the user during enrollment** -1. On the **Cryptography** tab: - 1. Set the Provider Category to **Key Storage Provider** - 1. Set the Algorithm name to **RSA** - 1. Set the minimum key size to **2048** - 1. Select **Requests must use one of the following providers** - 1. Select **Microsoft Software Key Storage Provider** - 1. Set the Request hash to **SHA256** -1. 
On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them 1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates 1. Close the Certificate Templates console 1. Open an elevated command prompt and change to a temporary working directory @@ -92,9 +76,9 @@ Follow these steps to create a certificate template: ``` 1. Open the text file created by the command above. - 1. Delete the last line of the output from the file that reads\ + - Delete the last line of the output from the file that reads\ `CertUtil: -dsTemplate command completed successfully.` - 1. Modify the line that reads\ + - Modify the line that reads\ `pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to\ `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"` 1. Save the text file 
@@ -105,10 +89,7 @@ Follow these steps to create a certificate template: ``` 1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue** - - ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png) - -1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list. +1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list 1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service** @@ -118,11 +99,8 @@ Follow these steps to create a certificate template: Request a certificate 1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA -1. Open the **Certificates - Current User** Microsoft Management Console (MMC) - `%windir%\system32\certmgr.msc` +1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc` 1. In the left pane of the MMC, right-click **Personal > All Tasks > Request New Certificate…** - - ![Request a new certificate.](images/rdpcert/requestnewcertificate.png) - 1. On the Certificate Enrollment screen, select **Next** 1. Under *Select Certificate Enrollment Policy*, select **Active Directory Enrollment Policy > Next** 1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll** 
@@ -188,13 +166,11 @@ Proceed as follows: Request a certificate Once the configuration profile has been created, targeted clients will receive the profile from Intune on their next refresh cycle. You should find a new certificate in the user store. To validate the certificate is present, do the following steps: -1. Open the Certificates - Current User console (%windir%\system32\certmgr.msc) +1. Sign in to a client that is targeted by the Intune policy +1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc` 1. In the left pane of the MMC, expand **Personal** and select **Certificates** 1. In the right-hand pane of the MMC, check for the new certificate -> [!NOTE] -> This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid Azure Active Directory-Joined devices using Intune Policies. - ## Using non-Microsoft Enterprise Certificate Authorities From 5d00c8deae0bbca9f2a4ed5a7d36ec94021bff79 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 07:55:38 -0500 Subject: [PATCH 13/29] updates --- .../hello-for-business/hello-deployment-rdp-certs.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index a493995334..49c542d7ef 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -58,12 +58,12 @@ Follow these steps to create a certificate template: | Tab Name | Configurations | | --- | --- | - | *Compatibility* |
  • Clear the **Show resulting changes** check box
  • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
  • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
| - | *General* |
  • Specify a Template display name, for example *WHfB Certificate Authentication*
  • Set the validity period to the desired value
  • Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
| + | *Compatibility* |
  • Clear the **Show resulting changes** check box
  • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
  • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
  • | + | *General* |
  • Specify a Template display name, for example *WHfB Certificate Authentication*
  • Set the validity period to the desired value
  • Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
  • | | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**| - | *Subject Name* |
    • Select the **Build from this Active Directory** information button if it is not already selected
    • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected
    • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
    | - |*Request Handling*|
    • Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
    • Select the **Renew with same key** check box
    • Select **Prompt the user during enrollment**
    | - |*Cryptography*|
    • Set the Provider Category to **Key Storage Provider**
    • Set the Algorithm name to **RSA**
    • Set the minimum key size to **2048**
    • Select **Requests must use one of the following providers**
    • Select **Microsoft Software Key Storage Provider**
    • Set the Request hash to **SHA256**
    | + | *Subject Name* |
  • Select the **Build from this Active Directory** information button if it is not already selected
  • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected
  • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
  • | + |*Request Handling*|
  • Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
  • Select the **Renew with same key** check box
  • Select **Prompt the user during enrollment**
  • | + |*Cryptography*|
  • Set the Provider Category to **Key Storage Provider**
  • Set the Algorithm name to **RSA**
  • Set the minimum key size to **2048**
  • Select **Requests must use one of the following providers**
  • Select **Microsoft Software Key Storage Provider**
  • Set the Request hash to **SHA256**
  • | |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them| 1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates From 8e98de2687458c9c1876d0f9ce51e1d1b238f5a5 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 07:58:51 -0500 Subject: [PATCH 14/29] updates --- .../hello-for-business/hello-deployment-rdp-certs.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 49c542d7ef..09ab1f8687 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -59,7 +59,7 @@ Follow these steps to create a certificate template: | Tab Name | Configurations | | --- | --- | | *Compatibility* |
  • Clear the **Show resulting changes** check box
  • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
  • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
  • | - | *General* |
  • Specify a Template display name, for example *WHfB Certificate Authentication*
  • Set the validity period to the desired value
  • Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
  • | + | *General* |
  • Specify a **Template display name**, for example *WHfB Certificate Authentication*
  • Set the validity period to the desired value
  • Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
  • | | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**| | *Subject Name* |
  • Select the **Build from this Active Directory** information button if it is not already selected
  • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected
  • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
  • | |*Request Handling*|
  • Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
  • Select the **Renew with same key** check box
  • Select **Prompt the user during enrollment**
  • | @@ -69,10 +69,10 @@ Follow these steps to create a certificate template: 1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates 1. Close the Certificate Templates console 1. Open an elevated command prompt and change to a temporary working directory -1. Execute the following command, replacing `` with the Template name you took note of earlier in step 7c +1. Execute the following command, replacing `` with the **Template display name** noted above ```cmd - certutil -dstemplate > + certutil -dstemplate ** > ** ``` 1. Open the text file created by the command above. From 442890f030b3d91203247aaee2e363ba529b054d Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 08:02:56 -0500 Subject: [PATCH 15/29] udpates --- .../hello-for-business/hello-deployment-rdp-certs.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 09ab1f8687..afb40516e5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -58,12 +58,12 @@ Follow these steps to create a certificate template: | Tab Name | Configurations | | --- | --- | - | *Compatibility* |
  • Clear the **Show resulting changes** check box
  • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
  • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
  • | - | *General* |
  • Specify a **Template display name**, for example *WHfB Certificate Authentication*
  • Set the validity period to the desired value
  • Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
  • | + | *Compatibility* |
    • Clear the **Show resulting changes** check box
    • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
    • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
    | + | *General* |
    • Specify a **Template display name**, for example *WHfB Certificate Authentication*
    • Set the validity period to the desired value
    • Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
    | | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**| - | *Subject Name* |
  • Select the **Build from this Active Directory** information button if it is not already selected
  • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected
  • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
  • | - |*Request Handling*|
  • Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
  • Select the **Renew with same key** check box
  • Select **Prompt the user during enrollment**
  • | - |*Cryptography*|
  • Set the Provider Category to **Key Storage Provider**
  • Set the Algorithm name to **RSA**
  • Set the minimum key size to **2048**
  • Select **Requests must use one of the following providers**
  • Select **Microsoft Software Key Storage Provider**
  • Set the Request hash to **SHA256**
  • | + | *Subject Name* |
    • Select the **Build from this Active Directory** information button if it is not already selected
    • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected
    • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
    | + |*Request Handling*|
    • Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
    • Select the **Renew with same key** check box
    • Select **Prompt the user during enrollment**
    | + |*Cryptography*|
    • Set the Provider Category to **Key Storage Provider**
    • Set the Algorithm name to **RSA**
    • Set the minimum key size to **2048**
    • Select **Requests must use one of the following providers**
    • Select **Microsoft Software Key Storage Provider**
    • Set the Request hash to **SHA256**
    | |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them| 1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates @@ -72,7 +72,7 @@ Follow these steps to create a certificate template: 1. Execute the following command, replacing `` with the **Template display name** noted above ```cmd - certutil -dstemplate ** > ** + certutil -dstemplate > ``` 1. Open the text file created by the command above. From 743127563d26466492398a18c30dc7498adf8c7e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 09:02:43 -0500 Subject: [PATCH 16/29] updates --- .../hello-deployment-rdp-certs.md | 4 +-- .../hello-for-business/toc.yml | 30 +++++++++---------- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index afb40516e5..39f0b9693b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -164,9 +164,9 @@ Proceed as follows:
    Request a certificate -Once the configuration profile has been created, targeted clients will receive the profile from Intune on their next refresh cycle. You should find a new certificate in the user store. To validate the certificate is present, do the following steps: +Once the Intune policy is created, targeted clients will request a certificate during their next policy refresh cycle. To validate that the certificate is present in the user store, follow these steps: -1. Sign in to a client that is targeted by the Intune policy +1. Sign in to a client targeted by the Intune policy 1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc` 1. In the left pane of the MMC, expand **Personal** and select **Certificates** 1. In the right-hand pane of the MMC, check for the new certificate diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 17b5735a4f..da68032fe4 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml 
@@ -35,13 +35,21 @@ href: hello-prepare-people-to-use.md - name: Deployment guides items: - - name: Cloud-only deployment - href: hello-aad-join-cloud-only-deploy.md - name: Hybrid cloud Kerberos trust deployment href: hello-hybrid-cloud-kerberos-trust.md - - name: Hybrid Azure AD Join key trust + - name: Azure AD join items: - - name: Hybrid Azure AD join key trust deployment + - name: Cloud-only deployment + href: hello-aad-join-cloud-only-deploy.md + - name: On-premises SSO for Azure AD joined devices + href: hello-hybrid-aadj-sso.md + - name: Configure Azure AD joined devices for on-premises SSO + href: hello-hybrid-aadj-sso-base.md + - name: Using certificates for on-premises SSO + href: hello-hybrid-aadj-sso-cert.md + - name: Hybrid Azure AD join key trust + items: + - name: Hybrid Azure AD join with key trust href: hello-hybrid-key-trust.md - name: Prerequisites href: hello-hybrid-key-trust-prereqs.md @@ -55,7 +63,7 @@ href: hello-hybrid-key-whfb-settings.md - name: Sign-in and provisioning href: hello-hybrid-key-whfb-provision.md - - name: Hybrid Azure AD join certificate trust + - name: Hybrid Azure AD join with certificate trust items: - name: Hybrid Azure AD join certificate trust deployment href: hello-hybrid-cert-trust.md @@ -69,15 +77,7 @@ href: hello-hybrid-cert-whfb-settings.md - name: Sign-in and provisioning href: hello-hybrid-cert-whfb-provision.md - - name: On-premises single-sign-on (SSO) for Azure AD joined devices - items: - - name: On-premises SSO for Azure AD joined devices - href: hello-hybrid-aadj-sso.md - - name: Configure Azure AD joined devices for on-premises SSO - href: hello-hybrid-aadj-sso-base.md - - name: Using certificates for on-premises SSO - href: hello-hybrid-aadj-sso-cert.md - - name: On-premises key trust + - name: Active Directory domain join with key trust items: - name: Key trust deployment href: hello-deployment-key-trust.md 
@@ -91,7 +91,7 @@ href: hello-key-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-key-trust-policy-settings.md - - name: On-premises certificate trust + - name: Active Directory domain join with certificate trust deployment items: - name: Certificate trust deployment href: hello-deployment-cert-trust.md From 4f11993d14840c79ea9e35de58229b5989a5f3f4 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 09:28:15 -0500 Subject: [PATCH 17/29] updates --- .../security/identity-protection/hello-for-business/toc.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index da68032fe4..482b89a541 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -47,9 +47,9 @@ href: hello-hybrid-aadj-sso-base.md - name: Using certificates for on-premises SSO href: hello-hybrid-aadj-sso-cert.md - - name: Hybrid Azure AD join key trust + - name: Hybrid Azure AD join with key trust items: - - name: Hybrid Azure AD join with key trust + - name: Key trust deployment href: hello-hybrid-key-trust.md - name: Prerequisites href: hello-hybrid-key-trust-prereqs.md @@ -65,7 +65,7 @@ href: hello-hybrid-key-whfb-provision.md - name: Hybrid Azure AD join with certificate trust items: - - name: Hybrid Azure AD join certificate trust deployment + - name: Certificate trust deployment href: hello-hybrid-cert-trust.md - name: Prerequisites href: hello-hybrid-cert-trust-prereqs.md From 1a72b252834bfba00ede850bb0deecfee9264662 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 10:36:07 -0500 Subject: [PATCH 18/29] updates --- .../hello-deployment-rdp-certs.md | 78 +++++++++++-------- .../hello-for-business/toc.yml | 4 +- 2 files changed, 46 insertions(+), 36 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 39f0b9693b..f2dbd48777 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -1,6 +1,6 @@ --- -title: Deploy certificates to cloud Kerberos trust and key trust users to enable RDP -description: Learn how to deploy certificates to a cloud Kerberos trust and key trust user to enable remote desktop with supplied credentials. +title: Deploy certificates for remote desktop sign-in +description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials. ms.prod: windows-client author: paolomatarazzo ms.author: paoloma @@ -17,7 +17,7 @@ appliesto: ms.technology: itpro-security --- -# Deploy certificates to cloud Kerberos trust and key trust users for RDP authentication +# Deploy certificates for remote desktop (RDP) sign-in This document describes Windows Hello for Business functionalities or scenarios that apply to:\ ✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\ 
@@ -113,38 +113,36 @@ Follow these steps to create a certificate template: > [!NOTE] > This process is applicable to both *Azure AD joined* and *hybrid Azure AD joined* devices that are managed via Intune. -Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PFX via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-scep-configure). +Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) via Intune. For guidance deploying the required infrastructure, refer to: -Next you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD Joined Devices using a Trusted root certificate profile with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune](/mem/intune/protect/certificates-trusted-root). +- [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune][MEM-1] +- [Configure and use PKCS certificates with Intune][MEM-2] + +Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5]. Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device.
    -Create a SCEP profile in Intune +Create a policy in Intune -Proceed as follows: +This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy. -1. Sign in to the Microsoft [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. Navigate to Devices \> Configuration Profiles \> Create profile -1. Enter the following properties: - 1. For Platform, select **Windows 10 and later** - 1. For Profile, select **SCEP Certificate** - 1. Click **Create** -1. In **Basics**, enter the following parameters: - 1. **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company - 1. **Description**: Enter a description for the profile. This setting is optional, but recommended - 1. Select **Next** -1. In the **Configuration settings**, complete the following: - 1. For Certificate Type, choose **User** +1. Go to the Microsoft Endpoint Manager admin center +1. Select **Devices > Configuration profiles > Create profile** +1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate** +1. Select **Create** +1. Provide a **Name** and, optionally, a **Description > Next** +1. In the *Configuration settings* blade, complete the following: + 1. For Certificate Type, select **User** 1. For Subject name format, set it to **CN={{UserPrincipalName}}** 1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}** 1. For Certificate validity period, set a value of your choosing - 1. For Key storage provider (KSP), choose **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** - 1. For Key usage, choose **Digital Signature** - 1. For Key size (bits), choose **2048** - 1. For Hash algorithm, choose **SHA-2** - 1. 
Under Root Certificate, click **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate. + 1. For Key storage provider (KSP), select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** + 1. For Key usage, select **Digital Signature** + 1. For Key size (bits), select **2048** + 1. For Hash algorithm, select **SHA-2** + 1. Under Root Certificate, select **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate 1. Under Extended key usage, add the following: | Name | Object Identifier | Predefined Values | @@ -152,12 +150,15 @@ Proceed as follows: | Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Smart Card Logon | | Client Authentication | 1.3.6.1.5.5.7.3.2 | Client Authentication | - 1. For Renewal threshold (%), set a value of your choosing. - 1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure. - 1. Click **Next** -1. In Assignments, target the devices or users who should receive a certificate and click **Next** -1. In Applicability Rules, provide additional issuance restrictions if required and click **Next** -1. In Review + create, click **Create** + 1. For Renewal threshold (%), set a value of your choosing + 1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure + 1. Select **Next** +1. In the *Assignments*, target the devices or users who should receive a certificate and select **Next** +1. In the *Applicability Rules* blade, provide additional issuance restrictions if needed and select **Next** +1. In the *Review + create* blade, select **Create** + +For more information how to configure SCEP policies, see [Configure SCEP certificate profiles in Intune][MEM-3]. +To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4].
    @@ -175,9 +176,9 @@ Once the Intune policy is created, targeted clients will request a certificate d ## Using non-Microsoft Enterprise Certificate Authorities -If you are using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune](/mem/intune/protect/certificate-authority-add-scep-overview). +If you are using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6]. -As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest](https://www.powershellgallery.com/packages/Generate-CertificateRequest) PowerShell commandlet. +As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest][HTTP-1] PowerShell commandlet. The `Generate-CertificateRequest` commandlet will generate an *.inf* file for a pre-existing Windows Hello for Business key. The *.inf* can be used to generate a certificate request manually using `certreq.exe`. The commandlet will also generate a *.req* file, which can be submitted to your PKI for a certificate. 
@@ -185,6 +186,15 @@ The `Generate-CertificateRequest` commandlet will generate an *.inf* file for a After adding the certificate using an approach from any of the previous sections, you can RDP to any Windows device or server in the same Forest as the user's Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server. -1. Open the Remote Desktop Client (`%windir%\system32\mstsc.exe`) on the client where the authentication certificate has been deployed +1. Open the Remote Desktop Client (`mstsc.exe`) on the client where the authentication certificate has been deployed 1. Attempt an RDP session to a target server -1. Use the certificate credential protected by your Windows Hello for Business gesture to authenticate \ No newline at end of file +1. Use the certificate credential protected by your Windows Hello for Business gesture to authenticate + +[MEM-1]: /mem/intune/protect/certificates-scep-configure +[MEM-2]: /mem/intune/protect/certificates-pfx-configure +[MEM-3]: /mem/intune/protect/certificates-profile-scep +[MEM-4]: /mem/intune/protect/certificates-pfx-configure +[MEM-5]: /mem/intune/protect/certificates-trusted-root +[MEM-6]: /mem/intune/protect/certificate-authority-add-scep-overview + +[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 482b89a541..ce82c50488 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml 
@@ -105,7 +105,7 @@ href: hello-cert-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - - name: Deploy certificates for remote desktop (RDP) authentication + - name: Deploy certificates for remote desktop (RDP) sign-in href: hello-deployment-rdp-certs.md - name: Manage Windows Hello for Business in your organization href: hello-manage-in-organization.md @@ -121,7 +121,7 @@ href: hello-feature-dynamic-lock.md - name: Multi-factor Unlock href: feature-multifactor-unlock.md - - name: Remote Desktop + - name: Remote desktop (RDP) sign-in href: hello-feature-remote-desktop.md - name: Troubleshooting items: From d07c978334c5d2b3b29a34cb53443bcba1187714 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 10:36:42 -0500 Subject: [PATCH 19/29] updates --- education/windows/edu-stickers.md | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index f89fe5b379..dc25c4e817 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md 
@@ -41,20 +41,6 @@ Stickers aren't enabled by default. Follow the instructions below to configure y [!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] [!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] -```msgraph-interactive -POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{"id":"00-0000-0000-0000-000000000000","displayName":"Stickers","roleScopeTagIds":["0"],"@odata.type":"#microsoft.graph.windows10CustomConfiguration","omaSettings":[{"omaUri":"./Vendor/MSFT/Policy/Config/Stickers/EnableStickers","displayName":"EnableStickers","@odata.type":"#microsoft.graph.omaSettingInteger","value":1}]} -``` - -Try this policy in your tenant: - -```msgraph-interactive -https://developer.microsoft.com/en-us/graph/graph-explorer?request=deviceManagement%2FdeviceConfigurations&method=POST&version=beta&GraphUrl=https://graph.microsoft.com&requestBody=eyJpZCI6IjAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsImRpc3BsYXlOYW1lIjoiU3RpY2tlcnMiLCJyb2xlU2NvcGVUYWdJZHMiOlsiMCJdLCJAb2RhdGEudHlwZSI6IiNtaWNyb3NvZnQuZ3JhcGgud2luZG93czEwQ3VzdG9tQ29uZmlndXJhdGlvbiIsIm9tYVNldHRpbmdzIjpbeyJvbWFVcmkiOiIuL1ZlbmRvci9NU0ZUL1BvbGljeS9Db25maWcvU3RpY2tlcnMvRW5hYmxlU3RpY2tlcnMiLCJkaXNwbGF5TmFtZSI6IkVuYWJsZVN0aWNrZXJzIiwiQG9kYXRhLnR5cGUiOiIjbWljcm9zb2Z0LmdyYXBoLm9tYVNldHRpbmdJbnRlZ2VyIiwidmFsdWUiOjF9XX0= -``` - -```msgraph-interactive -POST https://graph.microsoft.com?request=deviceManagement%2FdeviceConfigurations&method=POST&version=beta&GraphUrl=https://graph.microsoft.com&requestBody=eyJpZCI6IjAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsImRpc3BsYXlOYW1lIjoiU3RpY2tlcnMiLCJyb2xlU2NvcGVUYWdJZHMiOlsiMCJdLCJAb2RhdGEudHlwZSI6IiNtaWNyb3NvZnQuZ3JhcGgud2luZG93czEwQ3VzdG9tQ29uZmlndXJhdGlvbiIsIm9tYVNldHRpbmdzIjpbeyJvbWFVcmkiOiIuL1ZlbmRvci9NU0ZUL1BvbGljeS9Db25maWcvU3RpY2tlcnMvRW5hYmxlU3RpY2tlcnMiLCJkaXNwbGF5TmFtZSI6IkVuYWJsZVN0aWNrZXJzIiwiQG9kYXRhLnR5cGUiOiIjbWljcm9zb2Z0LmdyYXBoLm9tYVNldHRpbmdJbnRlZ2VyIiwidmFsdWUiOjF9XX0= -``` - #### 
[:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings: From 4decd09d99b31703a05cf879a8d4b5790f83e698 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 11:14:29 -0500 Subject: [PATCH 20/29] updates --- .../hello-deployment-rdp-certs.md | 44 +++++++++---------- 1 file changed, 20 insertions(+), 24 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index f2dbd48777..a4c916396b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
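Review bot: deleting the three `msgraph-interactive` blocks is justified (the third is a malformed `POST https://graph.microsoft.com?request=...` that mixes a Graph Explorer query string into the API URL, and the second is a base64-encoded request body no reader can check), but the deleted first block was the only place in this hunk that named the setting being configured, OMA-URI `./Vendor/MSFT/Policy/Config/Stickers/EnableStickers` with integer value `1`. Make sure the `intune-custom-settings-2` / `intune-custom-settings-info` includes that remain still surface that OMA-URI and value; otherwise the Intune tab no longer tells the reader what to enter.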
@@ -132,30 +132,26 @@ This section describes how to configure a SCEP policy in Intune. Similar steps c 1. Select **Devices > Configuration profiles > Create profile** 1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate** 1. Select **Create** -1. Provide a **Name** and, optionally, a **Description > Next** -1. In the *Configuration settings* blade, complete the following: - 1. For Certificate Type, select **User** - 1. For Subject name format, set it to **CN={{UserPrincipalName}}** - 1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}** - 1. For Certificate validity period, set a value of your choosing - 1. For Key storage provider (KSP), select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** - 1. For Key usage, select **Digital Signature** - 1. For Key size (bits), select **2048** - 1. For Hash algorithm, select **SHA-2** - 1. Under Root Certificate, select **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate - 1. Under Extended key usage, add the following: - - | Name | Object Identifier | Predefined Values | - |------|-------------------|-------------------| - | Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Smart Card Logon | - | Client Authentication | 1.3.6.1.5.5.7.3.2 | Client Authentication | - - 1. For Renewal threshold (%), set a value of your choosing - 1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure - 1. Select **Next** -1. In the *Assignments*, target the devices or users who should receive a certificate and select **Next** -1. In the *Applicability Rules* blade, provide additional issuance restrictions if needed and select **Next** -1. In the *Review + create* blade, select **Create** +1. 
In the *Basics* blade, provide a **Name** and, optionally, a **Description > Next** +1. In the *Configuration settings* blade, use the following table to configure the policy: + | Setting| Configurations | + | --- | --- | + |*Certificate Type*| User | + |*Subject name format* | `CN={{UserPrincipalName}}` | + |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `CN={{UserPrincipalName}}` + |*Certificate validity period* | Configure a value of your choosing| + |*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** + |*Key usage*| **Digital Signature**| + |*Key size (bits)* | **2048**| + |*For Hash algorithm*|**SHA-2**| + |*Root Certificate*| Select **+Root Certificate** and select the trusted certificate profile created earlier for the Root CA Certificate| + |*Extended key usage*|
    • *Name:* **Smart Card Logon**
    • *Object Identifier:* `1.3.6.1.4.1.311.20.2.2`
    • *Predefined Values:* **Smart Card Logon**

    • *Name:* **Client Authentication**
    • *Object Identifier:* `1.3.6.1.5.5.7.3.2 `
    • *Predefined Values:* **Client Authentication**
    | + |*Renewal threshold (%)*|Configure a value of your choosing| + |*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure| +1. Select **Next** +1. In the *Assignments* bladeAssign the policy to a security group that contains as members the devices or users that you want to configure and select **Next** +1. In the *Applicability Rules* blade, provide additional issuance restrictions, if needed, and select **Next** +1. In the *Review + create* blade, review the policy configuration and select **Create** For more information how to configure SCEP policies, see [Configure SCEP certificate profiles in Intune][MEM-3]. To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4]. From 8934e8daf63c89b6565df7750b155d1f9804ec80 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 11:31:38 -0500 Subject: [PATCH 21/29] updates --- .../hello-for-business/hello-deployment-rdp-certs.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index a4c916396b..7906bff218 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -134,6 +134,7 @@ This section describes how to configure a SCEP policy in Intune. Similar steps c 1. Select **Create** 1. In the *Basics* blade, provide a **Name** and, optionally, a **Description > Next** 1. In the *Configuration settings* blade, use the following table to configure the policy: + | Setting| Configurations | | --- | --- | |*Certificate Type*| User | @@ -148,6 +149,7 @@ This section describes how to configure a SCEP policy in Intune. Similar steps c |*Extended key usage*|
    • *Name:* **Smart Card Logon**
    • *Object Identifier:* `1.3.6.1.4.1.311.20.2.2`
    • *Predefined Values:* **Smart Card Logon**

    • *Name:* **Client Authentication**
    • *Object Identifier:* `1.3.6.1.5.5.7.3.2 `
    • *Predefined Values:* **Client Authentication**
    | |*Renewal threshold (%)*|Configure a value of your choosing| |*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure| + 1. Select **Next** 1. In the *Assignments* bladeAssign the policy to a security group that contains as members the devices or users that you want to configure and select **Next** 1. In the *Applicability Rules* blade, provide additional issuance restrictions, if needed, and select **Next** From 0c7a343524108e27d4c0bf6d150d568d88003d69 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 15:07:47 -0500 Subject: [PATCH 22/29] updates --- .../hello-for-business/toc.yml | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index ce82c50488..cefc91cf34 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml 
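Review bot: in the SCEP profile table introduced by `@@ -132,30 +132,26 @@` (PATCH 20/29, continued by the hunk above), the *Subject alternative name* row sets the UPN attribute's value to `CN={{UserPrincipalName}}`. `CN=` is relative-distinguished-name syntax for a subject, not part of a UPN; the UPN SAN value should be `{{UserPrincipalName}}` on its own, with the `CN=` prefix kept only in the *Subject name format* row, otherwise the SAN carries a literal `CN=` that is not the user's UPN. Smaller points in the same hunk: the *Subject alternative name* and *Key storage provider (KSP)* rows lack the closing `|`, `1.3.6.1.5.5.7.3.2 ` has a trailing space inside the backticks, the hash row is labelled *For Hash algorithm*, and "In the *Assignments* bladeAssign the policy" is missing a comma and a space (PATCH 24/29 fixes that last one; better to fix it at the source).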
@@ -123,16 +123,16 @@ href: feature-multifactor-unlock.md - name: Remote desktop (RDP) sign-in href: hello-feature-remote-desktop.md - - name: Troubleshooting - items: - - name: Known deployment issues - href: hello-deployment-issues.md - - name: Errors during PIN creation - href: hello-errors-during-pin-creation.md - - name: Event ID 300 - Windows Hello successfully created - href: hello-event-300.md - - name: Windows Hello and password changes - href: hello-and-password-changes.md +- name: Troubleshooting + items: + - name: Known deployment issues + href: hello-deployment-issues.md + - name: Errors during PIN creation + href: hello-errors-during-pin-creation.md + - name: Event ID 300 - Windows Hello successfully created + href: hello-event-300.md + - name: Windows Hello and password changes + href: hello-and-password-changes.md - name: Reference items: - name: Technology and terminology From ac28e5531dd2602796c9ffbf0102cedc7221fb75 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 16:03:39 -0500 Subject: [PATCH 23/29] updates --- .../security/identity-protection/hello-for-business/toc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index cefc91cf34..14efe63a1e 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -91,7 +91,7 @@ href: hello-key-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-key-trust-policy-settings.md - - name: Active Directory domain join with certificate trust deployment + - name: Active Directory domain join with certificate trust items: - name: Certificate trust deployment href: hello-deployment-cert-trust.md 
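Review bot: `@@ -123,16 +123,16 @@` in PATCH 22/29 changes only indentation, but that lifts the entire *Troubleshooting* node and its four children from under the parent that also holds *Remote desktop (RDP) sign-in* to the top level, as a sibling of *Reference*. That is a navigation change, not a formatting one; say so in the commit message (currently just "updates") or, if it was unintentional, keep the original two-space indent.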
@@ -105,7 +105,7 @@ href: hello-cert-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - - name: Deploy certificates for remote desktop (RDP) sign-in + - name: Deploy certificates for RDP sign-in href: hello-deployment-rdp-certs.md - name: Manage Windows Hello for Business in your organization href: hello-manage-in-organization.md From 662010199f8ba23bf957761ef864c3ac6af949e5 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 16:12:44 -0500 Subject: [PATCH 24/29] Acrolinx --- .../hello-deployment-rdp-certs.md | 23 +++++++++++-------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 7906bff218..4e02c5471c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
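Review bot: `@@ -105,7 +105,7 @@` shortens the TOC entry to `Deploy certificates for RDP sign-in`, but the page it links, `hello-deployment-rdp-certs.md`, is titled "Deploy certificates for remote desktop (RDP) sign-in" (visible as unchanged context in PATCH 27/29). Pick one form for both so the TOC label and the H1 agree.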
@@ -28,7 +28,7 @@ This document describes Windows Hello for Business functionalities or scenarios --- -Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: +Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: - Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy - Deploy certificates to hybrid or Azure AD-joined devices using Intune @@ -39,7 +39,7 @@ Windows Hello for Business supports using a certificate as the supplied credenti > [!NOTE] > This process is applicable to *hybrid Azure AD joined* devices only. -To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template* and then deploy certificates based on that template. +To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template*, and then deploy certificates based on that template. Expand the following sections to learn more about the process. @@ -61,7 +61,7 @@ Follow these steps to create a certificate template: | *Compatibility* |
    • Clear the **Show resulting changes** check box
    • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
    • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
    | | *General* |
    • Specify a **Template display name**, for example *WHfB Certificate Authentication*
    • Set the validity period to the desired value
    • Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
    | | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**| - | *Subject Name* |
    • Select the **Build from this Active Directory** information button if it is not already selected
    • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected
    • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
    | + | *Subject Name* |
    • Select the **Build from this Active Directory** information button if it isn't already selected
    • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected
    • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
    | |*Request Handling*|
    • Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
    • Select the **Renew with same key** check box
    • Select **Prompt the user during enrollment**
    | |*Cryptography*|
    • Set the Provider Category to **Key Storage Provider**
    • Set the Algorithm name to **RSA**
    • Set the minimum key size to **2048**
    • Select **Requests must use one of the following providers**
    • Select **Microsoft Software Key Storage Provider**
    • Set the Request hash to **SHA256**
    | |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them| @@ -132,8 +132,8 @@ This section describes how to configure a SCEP policy in Intune. Similar steps c 1. Select **Devices > Configuration profiles > Create profile** 1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate** 1. Select **Create** -1. In the *Basics* blade, provide a **Name** and, optionally, a **Description > Next** -1. In the *Configuration settings* blade, use the following table to configure the policy: +1. In the *Basics* panel, provide a **Name** and, optionally, a **Description > Next** +1. In the *Configuration settings* panel, use the following table to configure the policy: | Setting| Configurations | | --- | --- | 
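Review bot: the comma that `@@ -28,7 +28,7 @@` inserts in "using a certificate as the supplied credential, when establishing a remote desktop connection" separates a restrictive clause from the noun it qualifies; drop it. The contraction changes in the rest of this patch read fine.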
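Review bot: the comma added by `@@ -39,7 +39,7 @@` in "you must first create a *certificate template*, and then deploy certificates based on that template" is not needed either: one subject governs both verbs, so "create a *certificate template* and then deploy certificates" is the cleaner form.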
@@ -151,9 +151,9 @@ This section describes how to configure a SCEP policy in Intune. Similar steps c |*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure| 1. Select **Next** -1. In the *Assignments* bladeAssign the policy to a security group that contains as members the devices or users that you want to configure and select **Next** -1. In the *Applicability Rules* blade, provide additional issuance restrictions, if needed, and select **Next** -1. In the *Review + create* blade, review the policy configuration and select **Create** +1. In the *Assignments* panel, assign the policy to a security group that contains as members the devices or users that you want to configure and select **Next** +1. In the *Applicability Rules* panel, configure issuance restrictions, if needed, and select **Next** +1. In the *Review + create* panel, review the policy configuration and select **Create** For more information how to configure SCEP policies, see [Configure SCEP certificate profiles in Intune][MEM-3]. To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4]. 
@@ -174,7 +174,7 @@ Once the Intune policy is created, targeted clients will request a certificate d ## Using non-Microsoft Enterprise Certificate Authorities -If you are using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6]. +If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6]. As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest][HTTP-1] PowerShell commandlet. @@ -182,7 +182,10 @@ The `Generate-CertificateRequest` commandlet will generate an *.inf* file for a ## RDP Sign-in with Windows Hello for Business Certificate Authentication -After adding the certificate using an approach from any of the previous sections, you can RDP to any Windows device or server in the same Forest as the user's Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server. +After obtaining a certificate, users can RDP to any Windows devices in the same Active Directory forest as the user's Active Directory account. + +> [!NOTE] +> The certificate chain of the issuing CA must be trusted by the target server. 1. Open the Remote Desktop Client (`mstsc.exe`) on the client where the authentication certificate has been deployed 1. Attempt an RDP session to a target server 
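Review bot: in `@@ -182,7 +182,10 @@`, "users can RDP to any Windows devices in the same Active Directory forest" needs the singular "any Windows device", and the rewrite drops "or server" while the new NOTE still says "must be trusted by the target server"; use one term in both places (the original "Windows device or server", or "target device") so the sentence and its note refer to the same thing. Pulling the chain-trust requirement out of the trailing "provided..." clause into a visible NOTE is a good change.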
From 3c2669930795ee48dc24d68237b1e095cc5c9e51 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Nov 2022 16:30:40 -0500 Subject: [PATCH 25/29] updates --- .../hello-for-business/hello-deployment-rdp-certs.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 4e02c5471c..282264de1e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -72,7 +72,7 @@ Follow these steps to create a certificate template: 1. Execute the following command, replacing `` with the **Template display name** noted above ```cmd - certutil -dstemplate > + certutil.exe -dstemplate > ``` 1. Open the text file created by the command above. @@ -85,7 +85,7 @@ Follow these steps to create a certificate template: 1. Update the certificate template by executing the following command: ```cmd - certutil -dsaddtemplate + certutil.exe -dsaddtemplate ``` 1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue** @@ -108,7 +108,7 @@ Follow these steps to create a certificate template:
    -## Deploy certificates via Microsoft Intune +## Deploy certificates via Intune > [!NOTE] > This process is applicable to both *Azure AD joined* and *hybrid Azure AD joined* devices that are managed via Intune. @@ -172,7 +172,7 @@ Once the Intune policy is created, targeted clients will request a certificate d -## Using non-Microsoft Enterprise Certificate Authorities +## Use third-party certification authorities If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6]. @@ -180,7 +180,7 @@ As an alternative to using SCEP or if none of the previously covered solutions w The `Generate-CertificateRequest` commandlet will generate an *.inf* file for a pre-existing Windows Hello for Business key. The *.inf* can be used to generate a certificate request manually using `certreq.exe`. The commandlet will also generate a *.req* file, which can be submitted to your PKI for a certificate. -## RDP Sign-in with Windows Hello for Business Certificate Authentication +## RDP sign-in with Windows Hello for Business certificate authentication After obtaining a certificate, users can RDP to any Windows devices in the same Active Directory forest as the user's Active Directory account. From e046339c22795f2dc589b336dd46afd64c885f9c Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Wed, 16 Nov 2022 16:02:32 -0700 Subject: [PATCH 26/29] Update windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md Line 24: Delete extra space. --- .../hello-for-business/hello-deployment-rdp-certs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
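Review bot: `@@ -72,7 +72,7 @@` and `@@ -85,7 +85,7 @@` switch to `certutil.exe`, but as rendered here the commands read `certutil.exe -dstemplate >` and `certutil.exe -dsaddtemplate` with no template-name argument, and the step above them says "replacing `` with the **Template display name**" with nothing between the backticks. Either the placeholder is missing from the source or it is being swallowed as an HTML tag; confirm the source carries a visible placeholder in both the fenced commands and the inline backticks so the reader can see what to substitute. The `.exe` suffix itself is harmless.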
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 282264de1e..21944d8198 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -21,7 +21,7 @@ ms.technology: itpro-security This document describes Windows Hello for Business functionalities or scenarios that apply to:\ ✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\ -✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [ key trust](hello-how-it-works-technology.md#key-trust)\ +✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [key trust](hello-how-it-works-technology.md#key-trust)\ ✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join)
    From fc383a31cbd4329cef16dc09a8a222a9e9dbfd61 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Wed, 16 Nov 2022 16:44:38 -0700 Subject: [PATCH 27/29] Update hello-deployment-rdp-certs.md Add missing periods. Delete unnecessary html break code. Add missing pipes to tables. --- .../hello-deployment-rdp-certs.md | 117 ++++++++---------- 1 file changed, 55 insertions(+), 62 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 21944d8198..ee4350d328 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -20,14 +20,11 @@ ms.technology: itpro-security # Deploy certificates for remote desktop (RDP) sign-in This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\ -✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [key trust](hello-how-it-works-technology.md#key-trust)\ -✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join) - -
    +✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\. +✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [key trust](hello-how-it-works-technology.md#key-trust)\. +✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join). --- - Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: - Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy @@ -43,33 +40,32 @@ To deploy certificates using an on-premises Active Directory Certificate Service Expand the following sections to learn more about the process. -
    Create a Windows Hello for Business certificate template Follow these steps to create a certificate template: -1. Sign in to your issuing certificate authority (CA) and open *Server Manager* -1. Select **Tools > Certification Authority**. The Certification Authority Microsoft Management Console (MMC) opens -1. In the MMC, expand the CA name and right-click **Certificate Templates > Manage** -1. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane -1. Right-click the **Smartcard Logon** template and select **Duplicate Template** +1. Sign in to your issuing certificate authority (CA) and open *Server Manager*. +1. Select **Tools > Certification Authority**. The Certification Authority Microsoft Management Console (MMC) opens. +1. In the MMC, expand the CA name and right-click **Certificate Templates > Manage**. +1. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane. +1. Right-click the **Smartcard Logon** template and select **Duplicate Template**. 1. Use the following table to configure the template: | Tab Name | Configurations | | --- | --- | - | *Compatibility* |
    • Clear the **Show resulting changes** check box
    • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
    • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
    | - | *General* |
    • Specify a **Template display name**, for example *WHfB Certificate Authentication*
    • Set the validity period to the desired value
    • Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
    | - | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**| - | *Subject Name* |
    • Select the **Build from this Active Directory** information button if it isn't already selected
    • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected
    • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
    | - |*Request Handling*|
    • Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
    • Select the **Renew with same key** check box
    • Select **Prompt the user during enrollment**
    | - |*Cryptography*|
    • Set the Provider Category to **Key Storage Provider**
    • Set the Algorithm name to **RSA**
    • Set the minimum key size to **2048**
    • Select **Requests must use one of the following providers**
    • Select **Microsoft Software Key Storage Provider**
    • Set the Request hash to **SHA256**
    | - |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them| + | *Compatibility* |
    • Clear the **Show resulting changes** check box.
    • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*.
    • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*.
    | + | *General* |
    • Specify a **Template display name**, for example *WHfB Certificate Authentication*.
    • Set the validity period to the desired value.
    • Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example).
    | + | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**.| + | *Subject Name* |
    • Select the **Build from this Active Directory** information button if it isn't already selected.
    • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected.
    • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
    | + |*Request Handling*|
    • Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose.
    • Select the **Renew with same key** check box.
    • Select **Prompt the user during enrollment**.
    | + |*Cryptography*|
    • Set the Provider Category to **Key Storage Provider**.
    • Set the Algorithm name to **RSA**.
    • Set the minimum key size to **2048**.
    • Select **Requests must use one of the following providers**.
    • Select **Microsoft Software Key Storage Provider**.
    • Set the Request hash to **SHA256**.
    | + |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them.| -1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates -1. Close the Certificate Templates console -1. Open an elevated command prompt and change to a temporary working directory -1. Execute the following command, replacing `` with the **Template display name** noted above +1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. +1. Close the Certificate Templates console. +1. Open an elevated command prompt and change to a temporary working directory. +1. Execute the following command, replacing `` with the **Template display name** noted above. ```cmd certutil.exe -dstemplate 
> @@ -80,31 +76,30 @@ Follow these steps to create a certificate template: `CertUtil: -dsTemplate command completed successfully.` - Modify the line that reads\ `pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to\ - `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"` -1. Save the text file + `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"`. +1. Save the text file. 1. Update the certificate template by executing the following command: ```cmd certutil.exe -dsaddtemplate ``` -1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue** -1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list -1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service** +1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue**. +1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list. +1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service**.
    -
    Request a certificate -1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA -1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc` -1. In the left pane of the MMC, right-click **Personal > All Tasks > Request New Certificate…** -1. On the Certificate Enrollment screen, select **Next** -1. Under *Select Certificate Enrollment Policy*, select **Active Directory Enrollment Policy > Next** -1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll** -1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen +1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA. +1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc`. +1. In the left pane of the MMC, right-click **Personal > All Tasks > Request New Certificate…**. +1. On the Certificate Enrollment screen, select **Next**. +1. Under *Select Certificate Enrollment Policy*, select **Active Directory Enrollment Policy > Next**. +1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll**. +1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen.
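Review bot: the step that changes `pKIDefaultCSPs` from "Microsoft Software Key Storage Provider" to "Microsoft Passport Key Storage Provider" is the one that ties the issued certificate to the Windows Hello for Business key, and this hunk only adds punctuation to it; a one-line explanation of why the value set in the Cryptography tab is overridden here, plus a verification step (dump the template again with the `certutil.exe -dstemplate` command used earlier and confirm the new value) would stop admins from skipping it. Also, `certutil.exe -dsaddtemplate` is shown with no argument in both versions of the line, while the previous step says to save a text file; name that file in the command, e.g. `certutil.exe -dsaddtemplate <saved-template-file>`.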
    @@ -115,60 +110,58 @@ Follow these steps to create a certificate template: Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) via Intune. For guidance deploying the required infrastructure, refer to: -- [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune][MEM-1] -- [Configure and use PKCS certificates with Intune][MEM-2] +- [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune][MEM-1]. +- [Configure and use PKCS certificates with Intune][MEM-2]. Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5]. Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device. -
    Create a policy in Intune This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy. -1. Go to the Microsoft Endpoint Manager admin center -1. Select **Devices > Configuration profiles > Create profile** -1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate** -1. Select **Create** -1. In the *Basics* panel, provide a **Name** and, optionally, a **Description > Next** +1. Go to the Microsoft Endpoint Manager admin center. +1. Select **Devices > Configuration profiles > Create profile**. +1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate**. +1. Select **Create**. +1. In the *Basics* panel, provide a **Name** and, optionally, a **Description > Next**. 1. In the *Configuration settings* panel, use the following table to configure the policy: | Setting| Configurations | | --- | --- | |*Certificate Type*| User | |*Subject name format* | `CN={{UserPrincipalName}}` | - |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `CN={{UserPrincipalName}}` + |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `CN={{UserPrincipalName}}`.| |*Certificate validity period* | Configure a value of your choosing| - |*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** + |*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**.| |*Key usage*| **Digital Signature**| |*Key size (bits)* | **2048**| |*For Hash algorithm*|**SHA-2**| - |*Root Certificate*| Select **+Root Certificate** and select the trusted certificate profile created earlier for the Root CA Certificate| + |*Root Certificate*| Select **+Root Certificate** and select the trusted certificate profile created earlier for the Root CA Certificate.| |*Extended key usage*|
    • *Name:* **Smart Card Logon**
    • *Object Identifier:* `1.3.6.1.4.1.311.20.2.2`
    • *Predefined Values:* **Smart Card Logon**

    • *Name:* **Client Authentication**
    • *Object Identifier:* `1.3.6.1.5.5.7.3.2 `
    • *Predefined Values:* **Client Authentication**
    | - |*Renewal threshold (%)*|Configure a value of your choosing| - |*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure| + |*Renewal threshold (%)*|Configure a value of your choosing.| + |*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure.| -1. Select **Next** -1. In the *Assignments* panel, assign the policy to a security group that contains as members the devices or users that you want to configure and select **Next** -1. In the *Applicability Rules* panel, configure issuance restrictions, if needed, and select **Next** -1. In the *Review + create* panel, review the policy configuration and select **Create** +1. Select **Next**. +1. In the *Assignments* panel, assign the policy to a security group that contains as members the devices or users that you want to configure and select **Next**. +1. In the *Applicability Rules* panel, configure issuance restrictions, if needed, and select **Next**. +1. In the *Review + create* panel, review the policy configuration and select **Create**. For more information how to configure SCEP policies, see [Configure SCEP certificate profiles in Intune][MEM-3]. To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4].
    -
    Request a certificate Once the Intune policy is created, targeted clients will request a certificate during their next policy refresh cycle. To validate that the certificate is present in the user store, follow these steps: -1. Sign in to a client targeted by the Intune policy -1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc` -1. In the left pane of the MMC, expand **Personal** and select **Certificates** -1. In the right-hand pane of the MMC, check for the new certificate +1. Sign in to a client targeted by the Intune policy. +1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc`. +1. In the left pane of the MMC, expand **Personal** and select **Certificates**. +1. In the right-hand pane of the MMC, check for the new certificate.
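Review bot: the *Subject alternative name* row still reads "**User principal name (UPN)** with a value of `CN={{UserPrincipalName}}`" and this hunk touches that line (it only appends `.|`), so this is the place to check the value: a UPN alternative name carries the bare UPN string, and the `CN=` prefix looks copied from the *Subject name format* row above; with the prefix the UPN in the certificate would not match the account the domain controller maps the smart card logon to. Two smaller points in the same table: the *Object Identifier* cell `1.3.6.1.5.5.7.3.2 ` has a trailing space inside the backticks, and the *Extended key usage* cell spreads bullets over several lines, which does not render inside a Markdown table row.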
    @@ -187,9 +180,9 @@ After obtaining a certificate, users can RDP to any Windows devices in the same > [!NOTE] > The certificate chain of the issuing CA must be trusted by the target server. -1. Open the Remote Desktop Client (`mstsc.exe`) on the client where the authentication certificate has been deployed -1. Attempt an RDP session to a target server -1. Use the certificate credential protected by your Windows Hello for Business gesture to authenticate +1. Open the Remote Desktop Client (`mstsc.exe`) on the client where the authentication certificate has been deployed. +1. Attempt an RDP session to a target server. +1. Use the certificate credential protected by your Windows Hello for Business gesture to authenticate. [MEM-1]: /mem/intune/protect/certificates-scep-configure [MEM-2]: /mem/intune/protect/certificates-pfx-configure @@ -198,4 +191,4 @@ After obtaining a certificate, users can RDP to any Windows devices in the same [MEM-5]: /mem/intune/protect/certificates-trusted-root [MEM-6]: /mem/intune/protect/certificate-authority-add-scep-overview -[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest \ No newline at end of file +[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest From 46c544683e71f8741e4a64a039db1b689e2a3811 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Wed, 16 Nov 2022 16:51:46 -0700 Subject: [PATCH 28/29] Update hello-deployment-rdp-certs.md Add html breaks back into the text before the expanding sections. --- .../hello-for-business/hello-deployment-rdp-certs.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index ee4350d328..f03c067616 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -39,7 +39,7 @@ Windows Hello for Business supports using a certificate as the supplied credenti To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template*, and then deploy certificates based on that template. Expand the following sections to learn more about the process. - +
    Create a Windows Hello for Business certificate template @@ -90,6 +90,7 @@ Follow these steps to create a certificate template:
    +
    Request a certificate @@ -116,7 +117,7 @@ Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5]. Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device. - +
    Create a policy in Intune @@ -153,7 +154,7 @@ For more information how to configure SCEP policies, see [Configure SCEP certifi To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4].
    - +
    Request a certificate Once the Intune policy is created, targeted clients will request a certificate during their next policy refresh cycle. To validate that the certificate is present in the user store, follow these steps: From 2cfea2498349b58dc7b54cd20125ee25b2ad0808 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Wed, 16 Nov 2022 16:58:52 -0700 Subject: [PATCH 29/29] Update hello-deployment-rdp-certs.md Re-add more html breaks. --- .../hello-for-business/hello-deployment-rdp-certs.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index f03c067616..c76d4169ea 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -24,6 +24,8 @@ This document describes Windows Hello for Business functionalities or scenarios ✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [key trust](hello-how-it-works-technology.md#key-trust)\. ✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join). +
    + --- Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: @@ -39,7 +41,9 @@ Windows Hello for Business supports using a certificate as the supplied credenti To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template*, and then deploy certificates based on that template. Expand the following sections to learn more about the process. +
    +
    Create a Windows Hello for Business certificate template @@ -91,6 +95,7 @@ Follow these steps to create a certificate template:

    +
    Request a certificate @@ -117,7 +122,9 @@ Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5]. Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device. +
    +
    Create a policy in Intune
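Review bot: the number of breaks added before each expanding section is inconsistent between the two commits. Before *Create a Windows Hello for Business certificate template*, patch 28 (@@ -39,7) replaces one line and patch 29 (@@ -39,7) adds two more; before the first *Request a certificate* section, patch 28 (@@ -90,6) adds one and patch 29 (@@ -91,6) adds one at the same position; before *Create a policy in Intune*, patch 28 (@@ -116,7) replaces one and patch 29 (@@ -117,7) adds two more; the second *Request a certificate* section (@@ -153,7) only gets the patch 28 change. Suggest squashing 28 and 29 and using the same number of breaks ahead of all four sections.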