mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 05:47:23 +00:00
Restructuring Windows Hello for Business Docks
This commit is contained in:
Matthew Palko
parent
36c2c65cd7
commit
f22675ab6a
@ -18,7 +18,7 @@
|
||||
#### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
|
||||
#### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
|
||||
|
||||
## [Windows Hello for Business](hello-for-business/hello-identity-verification.md)
|
||||
## [Windows Hello for Business](hello-for-business/index.yml)
|
||||
|
||||
## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
|
||||
### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Multifactor Unlock
|
||||
title: Multi-factor Unlock
|
||||
description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals.
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
|
||||
ms.prod: w10
|
||||
@ -16,7 +16,7 @@ localizationpriority: medium
|
||||
ms.date: 03/20/2018
|
||||
ms.reviewer:
|
||||
---
|
||||
# Multifactor Unlock
|
||||
# Multi-factor Unlock
|
||||
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Windows Hello for Business Deployment Guide
|
||||
title: Windows Hello for Business Deployment Overview
|
||||
description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
|
||||
keywords: identity, PIN, biometric, Hello, passport
|
||||
ms.prod: w10
|
||||
@ -13,28 +13,35 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
localizationpriority: medium
|
||||
ms.date: 08/29/2018
|
||||
ms.date: 01/21/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
# Windows Hello for Business Deployment Guide
|
||||
# Windows Hello for Business Deployment Overview
|
||||
|
||||
**Applies to**
|
||||
- Windows 10, version 1703 or later
|
||||
|
||||
- Windows 10, version 1703 or later
|
||||
|
||||
Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
|
||||
|
||||
This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment.
|
||||
This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.
|
||||
|
||||
Once you've chosen a deployment model, the deployment guide for the that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment.
|
||||
|
||||
> [!NOTE]
|
||||
> Read the [Windows Hello for Business Deployment Prerequisite Overview](hello-identity-verification.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
|
||||
|
||||
## Assumptions
|
||||
|
||||
This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
|
||||
* A well-connected, working network
|
||||
* Internet access
|
||||
* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
|
||||
* Proper name resolution, both internal and external names
|
||||
* Active Directory and an adequate number of domain controllers per site to support authentication
|
||||
* Active Directory Certificate Services 2012 or later
|
||||
* One or more workstation computers running Windows 10, version 1703
|
||||
This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
|
||||
|
||||
- A well-connected, working network
|
||||
- Internet access
|
||||
- Multi-factor Authentication Server to support MFA during Windows Hello for Business provisioning
|
||||
- Proper name resolution, both internal and external names
|
||||
- Active Directory and an adequate number of domain controllers per site to support authentication
|
||||
- Active Directory Certificate Services 2012 or later
|
||||
- One or more workstation computers running Windows 10, version 1703
|
||||
|
||||
If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
|
||||
|
||||
@ -46,15 +53,17 @@ Windows Hello for Business has three deployment models: Cloud, hybrid, and on-pr
|
||||
|
||||
Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
|
||||
|
||||
The trust model determines how you want users to authenticate to the on-premises Active Directory:
|
||||
* The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication.
|
||||
* The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
|
||||
* The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
|
||||
The trust model determines how you want users to authenticate to the on-premises Active Directory:
|
||||
|
||||
- The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication.
|
||||
- The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
|
||||
- The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
|
||||
|
||||
> [!NOTE]
|
||||
> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
|
||||
|
||||
Following are the various deployment guides and models included in this topic:
|
||||
|
||||
- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
|
||||
- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
|
||||
- [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
|
||||
|
||||
@ -1,57 +0,0 @@
|
||||
---
|
||||
title: Windows Hello for Business Features
|
||||
description: Consider additional features you can use after your organization deploys Windows Hello for Business.
|
||||
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
|
||||
ms.reviewer:
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged credentials
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security, mobile
|
||||
audience: ITPro
|
||||
author: mapalko
|
||||
ms.author: mapalko
|
||||
manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
localizationpriority: medium
|
||||
ms.date: 11/27/2019
|
||||
---
|
||||
# Windows Hello for Business Features
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
|
||||
Consider these additional features you can use after your organization deploys Windows Hello for Business.
|
||||
|
||||
## Conditional access
|
||||
|
||||
Azure Active Directory provides a wide set of options for protecting access to corporate resources. Conditional access provides more fine grained control over who can access certain resources and under what conditions. For more information see [Conditional Access](hello-feature-conditional-access.md).
|
||||
|
||||
## Dynamic lock
|
||||
|
||||
Dynamic lock uses a paired Bluetooth device to determine user presence and locks the device if a user is not present. For more information and configuration steps see [Dynamic Lock](hello-feature-dynamic-lock.md).
|
||||
|
||||
## PIN reset
|
||||
|
||||
Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen. The Microsoft PIN reset service can be used for completing this reset without the user needing to enroll a new Windows Hello for Business credential. For more information and configuration steps see [Pin Reset](hello-feature-pin-reset.md).
|
||||
|
||||
## Dual Enrollment
|
||||
|
||||
This feature enables provisioning of administrator Windows Hello for Business credentials that can be used by non-privileged accounts to perform administrative actions. These credentials can be used from the non-privileged accounts using **Run as different user** or **Run as administrator**. For more information and configuration steps see [Dual Enrollment](hello-feature-dual-enrollment.md).
|
||||
|
||||
## Remote Desktop
|
||||
|
||||
Users with Windows Hello for Business certificate trust can use their credential to authenticate to remote desktop sessions over RDP. When authenticating to the session, biometric gestures can be used if they are enrolled. For more information and configuration steps see [Remote Desktop](hello-feature-remote-desktop.md).
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Windows Hello for Business](hello-identity-verification.md)
|
||||
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
|
||||
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
|
||||
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
|
||||
- [Windows Hello and password changes](hello-and-password-changes.md)
|
||||
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
|
||||
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
|
||||
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
|
||||
@ -1,49 +0,0 @@
|
||||
---
|
||||
title: How Windows Hello for Business works - Technical Deep Dive
|
||||
description: Deeply explore how Windows Hello for Business works, and how it can help your users authenticate to services.
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
audience: ITPro
|
||||
author: mapalko
|
||||
ms.author: mapalko
|
||||
manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
localizationpriority: medium
|
||||
ms.date: 08/19/2018
|
||||
ms.reviewer:
|
||||
---
|
||||
# Technical Deep Dive
|
||||
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
|
||||
Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories:
|
||||
- [Registration](#registration)
|
||||
- [Provisioning](#provisioning)
|
||||
- [Authentication](#authentication)
|
||||
|
||||
## Registration
|
||||
|
||||
Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
|
||||
|
||||
[How Device Registration Works](hello-how-it-works-device-registration.md)
|
||||
|
||||
|
||||
## Provisioning
|
||||
|
||||
Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.<br>
|
||||
After successfully completing the second factor of authentication, the user is asked to enroll biometrics (if available on the device) and create PIN as a backup gesture. Windows then registers the public version of the Windows Hello for Business credential with the identity provider.<br>
|
||||
For cloud and hybrid deployments, the identity provider is Azure Active Directory and the user registers their key with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the user registers their key with the enterprise device registration service hosted on the federation servers.<br>
|
||||
Provision can occur automatically through the out-of-box-experience (OOBE) on Azure Active Directory joined devices, or on hybrid Azure Active Directory joined devices where the user or device is influenced by Windows Hello for Business policy settings. Users can start provisioning through **Add PIN** from Windows Settings. Watch the [Windows Hello for Business enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) from our [Videos](hello-videos.md) page.
|
||||
|
||||
[How Windows Hello for Business provisioning works](hello-how-it-works-provisioning.md)
|
||||
|
||||
## Authentication
|
||||
|
||||
Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
|
||||
|
||||
[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md)
|
||||
@ -19,7 +19,7 @@ ms.reviewer:
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10
|
||||
|
||||
Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
|
||||
|
||||
@ -28,20 +28,37 @@ Watch this quick video where Pieter Wigleven gives a simple explanation of how W
|
||||
|
||||
## Technical Deep Dive
|
||||
|
||||
Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business.
|
||||
Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business.
|
||||
|
||||
Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work.
|
||||
### Device Registration
|
||||
|
||||
Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
|
||||
|
||||
For more information read [how device registration works](hello-how-it-works-device-registration.md).
|
||||
|
||||
### Provisioning
|
||||
|
||||
Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
|
||||
|
||||
Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
|
||||
|
||||
> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
|
||||
|
||||
For more information read [how provisioning works](hello-how-it-works-provisioning.md).
|
||||
|
||||
### Authentication
|
||||
|
||||
Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
|
||||
|
||||
Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
|
||||
|
||||
> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
|
||||
|
||||
- [Technology and Terminology](hello-how-it-works-technology.md)
|
||||
- [Device Registration](hello-how-it-works-device-registration.md)
|
||||
- [Provisioning](hello-how-it-works-provisioning.md)
|
||||
- [Authentication](hello-how-it-works-authentication.md)
|
||||
For more information read [how authentication works](hello-how-it-works-authentication.md).
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Technology and Terminology](hello-how-it-works-technology.md)
|
||||
- [Windows Hello for Business](hello-identity-verification.md)
|
||||
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
|
||||
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Windows Hello for Business (Windows 10)
|
||||
description: Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices.
|
||||
title: Windows Hello for Business Deployment Prerequisite Overview
|
||||
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
|
||||
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
|
||||
ms.reviewer:
|
||||
keywords: identity, PIN, biometric, Hello, passport
|
||||
@ -15,29 +15,14 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
localizationpriority: medium
|
||||
ms.date: 05/05/2018
|
||||
ms.date: 1/22/2021
|
||||
---
|
||||
|
||||
# Windows Hello for Business
|
||||
# Windows Hello for Business Deployment Prerequisite Overview
|
||||
|
||||
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.</br>
|
||||
Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account.
|
||||
This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business.
|
||||
|
||||
Windows Hello addresses the following problems with passwords:
|
||||
|
||||
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
|
||||
- Server breaches can expose symmetric network credentials (passwords).
|
||||
- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
|
||||
- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing).
|
||||
|
||||
> | | | |
|
||||
> | :---: | :---: | :---: |
|
||||
> | [](hello-overview.md)</br>[Overview](hello-overview.md) | [](hello-why-pin-is-better-than-password.md)</br>[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [](hello-manage-in-organization.md)</br>[Manage Windows Hello in your Organization](hello-manage-in-organization.md) |
|
||||
|
||||
|
||||
## Prerequisites
|
||||
|
||||
### Cloud Only Deployment
|
||||
## Cloud Only Deployment
|
||||
|
||||
* Windows 10, version 1511 or later
|
||||
* Microsoft Azure Account
|
||||
@ -46,9 +31,9 @@ Windows Hello addresses the following problems with passwords:
|
||||
* Modern Management (Intune or supported third-party MDM), *optional*
|
||||
* Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory
|
||||
|
||||
### Hybrid Deployments
|
||||
## Hybrid Deployments
|
||||
|
||||
The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
|
||||
The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
|
||||
|
||||
| Key trust</br>Group Policy managed | Certificate trust</br>Mixed managed | Key trust</br>Modern managed | Certificate trust</br>Modern managed |
|
||||
| --- | --- | --- | --- |
|
||||
@ -76,7 +61,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
|
||||
> Reset above lock screen - Windows 10, version 1709, Professional</br>
|
||||
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
|
||||
|
||||
### On-premises Deployments
|
||||
## On-premises Deployments
|
||||
|
||||
The table shows the minimum requirements for each deployment.
|
||||
|
||||
|
||||
@ -19,13 +19,15 @@ ms.reviewer:
|
||||
# Planning a Windows Hello for Business Deployment
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
- Windows 10
|
||||
|
||||
Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
|
||||
|
||||
This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
|
||||
|
||||
If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
|
||||
> [!Note]
|
||||
>If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
|
||||
|
||||
## Using this guide
|
||||
|
||||
@ -38,12 +40,13 @@ This guide removes the appearance of complexity by helping you make decisions on
|
||||
Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment.
|
||||
|
||||
There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are:
|
||||
* Deployment Options
|
||||
* Client
|
||||
* Management
|
||||
* Active Directory
|
||||
* Public Key Infrastructure
|
||||
* Cloud
|
||||
|
||||
- Deployment Options
|
||||
- Client
|
||||
- Management
|
||||
- Active Directory
|
||||
-Public Key Infrastructure
|
||||
- Cloud
|
||||
|
||||
### Baseline Prerequisites
|
||||
|
||||
@ -58,13 +61,16 @@ The goal of Windows Hello for Business is to enable deployments for all organiza
|
||||
There are three deployment models from which you can choose: cloud only, hybrid, and on-premises.
|
||||
|
||||
##### Cloud only
|
||||
|
||||
The cloud only deployment model is for organizations who only have cloud identities and do not access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users do not use on-premises resources, they do not need certificates for things like VPN because everything they need is hosted in Azure.
|
||||
|
||||
##### Hybrid
|
||||
|
||||
The hybrid deployment model is for organizations that:
|
||||
* Are federated with Azure Active Directory
|
||||
* Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
|
||||
* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
|
||||
|
||||
- Are federated with Azure Active Directory
|
||||
- Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
|
||||
- Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
|
||||
|
||||
> [!Important]
|
||||
> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.</br>
|
||||
|
||||
@ -0,0 +1,113 @@
|
||||
### YamlMime:Landing
|
||||
|
||||
title: Windows Hello for Business documentation
|
||||
summary: Learn how to manage and deploy Windows Hello for Business.
|
||||
|
||||
metadata:
|
||||
title: Windows Hello for Business documentation
|
||||
description: Learn how to manage and deploy Windows Hello for Business.
|
||||
ms.prod: w10
|
||||
ms.topic: landing-page
|
||||
author: mapalko
|
||||
manager: dansimp
|
||||
ms.author: mapalko
|
||||
ms.date: 01/22/2021
|
||||
ms.collection: M365-identity-device-management
|
||||
|
||||
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
|
||||
|
||||
landingContent:
|
||||
# Cards and links should be based on top customer tasks or top subjects
|
||||
# Start card title with a verb
|
||||
# Card
|
||||
- title: About Windows Hello For Business
|
||||
linkLists:
|
||||
- linkListType: overview
|
||||
links:
|
||||
- text: Windows Hello for Business Overview
|
||||
url: hello-overview.md
|
||||
- linkListType: concept
|
||||
links:
|
||||
- text: Passwordless Strategy
|
||||
url: passwordless-strategy.md
|
||||
- text: Why a PIN is better than a password
|
||||
url: hello-why-pin-is-better-than-password.md
|
||||
- text: Windows Hello biometrics in the enterprise
|
||||
url: hello-biometrics-in-enterprise.md
|
||||
- text: How Windows Hello for Business works
|
||||
url: hello-how-it-works.md
|
||||
-linkListType: learn
|
||||
links:
|
||||
- text: Technical Deep Dive - Device Registration
|
||||
url: hello-how-it-works-device-registration.md
|
||||
- text: Technical Deep Dive - Provisioning
|
||||
url: hello-how-it-works-provisioning.md
|
||||
- text: Technical Deep Dive - Authentication
|
||||
url: hello-how-it-works-authentication.md
|
||||
- text: Technology and Terminology
|
||||
url: hello-how-it-works-technology.md
|
||||
- text: Frequently Asked Questions (FAQ)
|
||||
url: hello-faq.yml
|
||||
|
||||
# Card
|
||||
- title: Configure and manage Windows Hello for Business
|
||||
linkLists:
|
||||
- linkListType: concept
|
||||
links:
|
||||
- text: Windows Hello for Business Deployment Overview
|
||||
url: hello-deployment-guide.md
|
||||
- text: Planning a Windows Hello for Business Deployment
|
||||
url: hello-planning-guide.md
|
||||
- text: Deployment Prerequisite Overview
|
||||
url: hello-identity-verification.md
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: Hybrid Azure AD Joined Key Trust Deployment
|
||||
url: hello-hybrid-key-trust.md
|
||||
- text: Hybrid Azure AD Joined Certificate Trust Deployment
|
||||
url: hello-hybrid-cert-trust.md
|
||||
- text: On-premises SSO for Azure AD Joined Devices
|
||||
url: hello-hybrid-aadj-sso.md
|
||||
- text: On-premises Key Trust Deployment
|
||||
url: hello-deployment-key-trust.md
|
||||
- text: On-premises Certificate Trust Deployment
|
||||
url: hello-deployment-cert-trust.md
|
||||
- linkListType: learn
|
||||
links:
|
||||
- text: Manage Windows Hello for Business in your organization
|
||||
url: hello-manage-in-organization.md
|
||||
- text: Windows Hello and password changes
|
||||
url: hello-and-password-changes.md
|
||||
- text: Prepare people to use Windows Hello
|
||||
url: hello-prepare-people-to-use.md
|
||||
|
||||
# Card
|
||||
- title: Windows Hello for Business Features
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: Conditional Access
|
||||
url: hello-feature-conditional-access.md
|
||||
- text: PIN Reset
|
||||
url: hello-feature-pin-reset.m
|
||||
- text: Dual Enrollment
|
||||
url: hello-feature-dual-enrollment.md
|
||||
- text: Dynamic Lock
|
||||
url: hello-feature-dynamic-lock.md
|
||||
- text: Multi-factor Unlock
|
||||
url: feature-multifactor-unlock.md
|
||||
- text: Remote Desktop
|
||||
url: hello-feature-remote-desktop.md
|
||||
|
||||
# Card
|
||||
- title: Windows Hello for Business Troubleshooting
|
||||
linkLists:
|
||||
- linkListType: concept
|
||||
links:
|
||||
- text: Known Deployment Issues
|
||||
url: hello-deployment-issues.md
|
||||
- text: Errors During PIN Creation
|
||||
url: hello-errors-during-pin-creation.md
|
||||
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
# [Windows Hello for Business](hello-identity-verification.md)
|
||||
|
||||
## [Password-less Strategy](passwordless-strategy.md)
|
||||
## [Passwordless Strategy](passwordless-strategy.md)
|
||||
|
||||
## [Windows Hello for Business Overview](hello-overview.md)
|
||||
## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
|
||||
@ -10,7 +10,7 @@
|
||||
### [Conditional Access](hello-feature-conditional-access.md)
|
||||
### [Dual Enrollment](hello-feature-dual-enrollment.md)
|
||||
### [Dynamic Lock](hello-feature-dynamic-lock.md)
|
||||
### [Multifactor Unlock](feature-multifactor-unlock.md)
|
||||
### [Multi-factor Unlock](feature-multifactor-unlock.md)
|
||||
### [PIN Reset](hello-feature-pin-reset.md)
|
||||
### [Remote Desktop](hello-feature-remote-desktop.md)
|
||||
|
||||
|
||||
@ -0,0 +1,18 @@
|
||||
- name: Windows Hello for Business documentation
|
||||
href: index.yml
|
||||
- name: Overview
|
||||
items:
|
||||
- name: Windows Hello for Business Overview
|
||||
href: hello-overview.md
|
||||
- name: Concepts
|
||||
items:
|
||||
- name:
|
||||
href:
|
||||
- name: How-to Guides
|
||||
items:
|
||||
- name:
|
||||
href:
|
||||
- name: Reference
|
||||
items:
|
||||
- name:
|
||||
href:
|
||||
@ -31,5 +31,5 @@ Learn more about identity and access management technologies in Windows 10 and
|
||||
| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
|
||||
| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
|
||||
| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
|
||||
| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
|
||||
| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
|
||||
| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user