From fabf1b6d14b37581fe381e8890bdbb45b66b125e Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 29 Jan 2020 09:59:21 +0500 Subject: [PATCH 1/5] Update hello-hybrid-cert-whfb-settings-pki.md --- .../hello-hybrid-cert-whfb-settings-pki.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 7c4e019e6d..7631e6620b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -156,6 +156,26 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ > [!NOTE] > If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. +> [!IMPORTANT] +> If the template was changed successfully, the output of the command will contain old and new values of the template parameters. New value must contain **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. For example: +> +> CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication +> +> Old Value: +> msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) +> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) +> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 +> TEMPLATE_SERVER_VER_WINBLUE< TEMPLATE_CLIENT_VER_WINBLUE< New Value: +> msPKI-Private-Key-Flag REG_DWORD = 5250080 (86311040) +> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) +> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 +> TEMPLATE_SERVER_VER_WINBLUE< CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -- 200000 (2097152) +> TEMPLATE_CLIENT_VER_WINBLUE< CertUtil: -dsTemplate command completed successfully." + ## Publish Templates ### Publish Certificate Templates to a Certificate Authority From 8985b4a89eff9cd639b3ea486ed3a79c4b06581f Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 30 Jan 2020 12:05:15 +0500 Subject: [PATCH 2/5] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 7631e6620b..c627e71a66 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -157,7 +157,7 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ > If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. > [!IMPORTANT] -> If the template was changed successfully, the output of the command will contain old and new values of the template parameters. New value must contain **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. For example: +> If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: > > CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication > @@ -234,4 +234,3 @@ Sign-in to the certificate authority or management workstation with _Enterprise 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business settings: PKI (*You are here*) 6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) - From 2f21dc1a5031a8a47a9ade95acf93af2c9a2f1b8 Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 30 Mar 2020 08:24:44 +0500 Subject: [PATCH 3/5] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-hybrid-cert-whfb-settings-pki.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index c627e71a66..503bdf5c4c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -159,22 +159,22 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ > [!IMPORTANT] > If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: > -> CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication -> -> Old Value: -> msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) -> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) -> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 -> TEMPLATE_SERVER_VER_WINBLUE< TEMPLATE_CLIENT_VER_WINBLUE< New Value: -> msPKI-Private-Key-Flag REG_DWORD = 5250080 (86311040) -> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) -> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 -> TEMPLATE_SERVER_VER_WINBLUE< CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -- 200000 (2097152) -> TEMPLATE_CLIENT_VER_WINBLUE< CertUtil: -dsTemplate command completed successfully." +> CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication
+>
+> Old Value:
+> msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888)
+> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
+> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
+> TEMPLATE_SERVER_VER_WINBLUE< +> TEMPLATE_CLIENT_VER_WINBLUE< +> New Value:
+> msPKI-Private-Key-Flag REG_DWORD = 5250080 (86311040)
+> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
+> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
+> TEMPLATE_SERVER_VER_WINBLUE< +> CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -- 200000 (2097152)
+> TEMPLATE_CLIENT_VER_WINBLUE< +> CertUtil: -dsTemplate command completed successfully."
## Publish Templates From 69b1cedfd474115a1253ac6c7313aa2acefd98d6 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 28 Jul 2020 09:50:26 +0500 Subject: [PATCH 4/5] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-hybrid-cert-whfb-settings-pki.md | 39 +++++++++---------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 503bdf5c4c..4fe092f5bc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -153,29 +153,28 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ 1. Open an elevated command prompt. 2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` +If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: + +CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication + +Old Value: +msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) +CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) +CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 +TEMPLATE_SERVER_VER_WINBLUE< [!NOTE] > If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. -> [!IMPORTANT] -> If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: -> -> CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication
->
-> Old Value:
-> msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888)
-> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
-> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
-> TEMPLATE_SERVER_VER_WINBLUE< -> TEMPLATE_CLIENT_VER_WINBLUE< -> New Value:
-> msPKI-Private-Key-Flag REG_DWORD = 5250080 (86311040)
-> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
-> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
-> TEMPLATE_SERVER_VER_WINBLUE< -> CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -- 200000 (2097152)
-> TEMPLATE_CLIENT_VER_WINBLUE< -> CertUtil: -dsTemplate command completed successfully."
- ## Publish Templates ### Publish Certificate Templates to a Certificate Authority From 789b160464e30d70db16a000dfe9fe4b760c3937 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 1 Aug 2020 07:25:51 +0500 Subject: [PATCH 5/5] Update hello-hybrid-cert-whfb-settings-pki.md --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 4fe092f5bc..dc5b78d9b1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -163,6 +163,7 @@ CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 TEMPLATE_SERVER_VER_WINBLUE<
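Review bot: In [PATCH 1/5], the last added line of the sample output, `CertUtil: -dsTemplate command completed successfully."`, ends with a double quote that has no opening counterpart, and the `TEMPLATE_SERVER_VER_WINBLUE<` and `TEMPLATE_CLIENT_VER_WINBLUE<` lines end at a bare `<`, which unfenced Markdown can parse as the start of an HTML tag. Drop the stray quote and escape or fence those lines so the example renders the way certutil printed it. The same trailing quote is still present in the lines re-added by [PATCH 3/5].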
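Review bot: In [PATCH 3/5], the removed and added sample-output lines differ only in their line breaks, so the one-value-per-line layout still depends on per-line break markup inside the `> [!IMPORTANT]` quote rather than on a code block. Putting the output in a fenced block inside the note would keep the layout without touching every line, and would let a reader see at a glance that `5050080 (84213888)` and `5250080 (86311040)` differ only by the `CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -- 200000 (2097152)` bit, which is the check the paragraph asks for.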
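Review bot: In [PATCH 4/5], the moved paragraph and sample output now sit between step 2 and the `[!NOTE]` that says to replace **WHFBAuthentication** "in the above command", so that note is separated from the command it refers to by the whole example. Consider placing the example after the note, or rewording the note to name the certutil command explicitly. As shown in the hunk, the added `+If the template was changed successfully` line also starts at column 0 directly after list item `2.`, which ends the numbered list; indent it under step 2 if it is meant to belong to that step.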