From 368d17ba0cab67822bbafe02ad13f8d3abc752f3 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 15 Mar 2023 20:37:28 -0700 Subject: [PATCH 1/4] Tweak --- .../windows-autopatch/overview/windows-autopatch-privacy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 3b9a3b050f..5d20f51af7 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -72,7 +72,7 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr | Enterprise application name | Usage | Permissions | | ----- | ----- | ----- | -| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | | +| Modern Workplace Management | The Modern Workplace Management application: | | ### Service accounts From e881020ec1bec04508d6fa1aab3d87d6a0081e75 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 15 Mar 2023 20:40:32 -0700 Subject: [PATCH 2/4] you pea brain --- .../windows-autopatch/overview/windows-autopatch-privacy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 5d20f51af7..46198efe32 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -68,7 +68,7 @@ For more information about how Windows diagnostic data is used, see: ## Tenant access -Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service. +Windows Autopatch creates an enterprise application in your tenant. This enterprise application is used to run the Windows Autopatch service. | Enterprise application name | Usage | Permissions | | ----- | ----- | ----- | From 6b2d1215614780ff4e36e3510a2729d04759f8a2 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 15 Mar 2023 20:42:58 -0700 Subject: [PATCH 3/4] sigh... --- .../references/windows-autopatch-changes-to-tenant.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index fed0830f19..b330342957 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -23,7 +23,7 @@ The following configuration details explain the changes made to your tenant when Enterprise applications are applications (software) that a business uses to do its work. -Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service. +Windows Autopatch creates an enterprise application in your tenant. This enterprise application is used to run the Windows Autopatch service. | Enterprise application name | Usage | Permissions | | ----- | ------ | ----- | From bb314ba9d25284d1646ab0d9721887db91477f5a Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 16 Mar 2023 07:40:16 -0400 Subject: [PATCH 4/4] update to WHFK hybrid cert trust to include device write-back and device auth for AD FS --- .../hello-hybrid-cert-trust.md | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index b8a7d72fe0..02c36f3fbe 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business hybrid certificate trust deployment description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario. -ms.date: 12/28/2022 +ms.date: 03/16/2023 appliesto: - ✅ Windows 10 and later - ✅ Windows Server 2016 and later @@ -19,7 +19,7 @@ This deployment guide describes how to deploy Windows Hello for Business in a hy > [!IMPORTANT] > Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md). -It is recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. +It's recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. ## Prerequisites The following prerequisites must be met for a hybrid certificate trust deployment: @@ -64,18 +64,20 @@ Once you have your AD FS design ready: The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). -### Device registration +### Device registration and device write-back Windows devices must be registered in Azure AD. Devices can be registered in Azure AD using either *Azure AD join* or *hybrid Azure AD join*.\ -For *hybrid Azure AD joined* devices, review the guidance on the [plan your hybrid Azure Active Directory join implementation][AZ-8] page. +For hybrid Azure AD joined devices, review the guidance on the [plan your hybrid Azure Active Directory join implementation][AZ-8] page. -Hybrid certificate trust deployments need the device write back feature. Authentication to AD FS needs both the user and the computer to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the computer and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back. +Refer to the [Configure hybrid Azure Active Directory join for federated domains][AZ-10] guide to learn more about using Azure AD Connect Sync to configure Azure AD device registration.\ +For a **manual configuration** of your AD FS farm to support device registration, review the [Configure AD FS for Azure AD device registration][AZ-11] guide. + +Hybrid certificate trust deployments require the *device write-back* feature. Authentication to AD FS needs both the user and the device to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the device and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back. > [!NOTE] -> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. Device write-back is used to update the msDS-KeyCredentialLink attribute on the computer object. +> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. Device write-back is used to update the *msDS-KeyCredentialLink* attribute on the computer object. -Refer to the [configure hybrid Azure Active Directory join for federated domains][AZ-10] guide to learn more about setting up Azure AD Connect Sync to support Azure AD device registration. -For a manual configuration of your AD FS farm to support device registration, review the [Configure AD FS for Azure AD device registration][AZ-11] guide. +If you manually configured AD FS, or if you ran Azure AD Connect Sync using *Custom Settings*, you must ensure that you have configured **device write-back** and **device authentication** in your AD FS farm. For more information, see [Configure Device Write Back and Device Authentication][SER-5]. ### Public Key Infrastructure @@ -129,4 +131,5 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr [SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa [SER-2]: /windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm [SER-3]: /windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts -[SER-4]: /windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2 \ No newline at end of file +[SER-4]: /windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2 +[SER-5]: /windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises#configure-device-write-back-and-device-authentication \ No newline at end of file