From f6a4b8c0bad73f2d58436e4581a0bbfa70f73f2a Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Sat, 16 Dec 2023 08:54:11 -0500 Subject: [PATCH] Update Windows Hello for Business links --- .../hello-for-business/deploy/hybrid-cert-trust.md | 2 +- .../deploy/hybrid-cloud-kerberos-trust.md | 2 +- .../deploy/hybrid-key-trust-enroll.md | 2 +- .../deploy/hybrid-key-trust-pki.md | 4 +++- .../{ => deploy}/images/event358.png | Bin .../hello-for-business/deploy/index.md | 4 ++-- .../hello-biometrics-in-enterprise.md | 4 +--- .../hello-how-it-works-technology.md | 4 ++-- .../hello-for-business/hello-how-it-works.md | 2 +- .../hello-for-business/hello-planning-guide.md | 2 +- .../hello-prepare-people-to-use.md | 2 +- 11 files changed, 14 insertions(+), 14 deletions(-) rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/event358.png (100%) diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md index 36eb5fa683..da5c1e134a 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md @@ -20,7 +20,7 @@ Hybrid environments are distributed systems that enable organizations to use on- This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario. > [!IMPORTANT] -> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hybrid-cloud-kerberos-trust.md). +> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md). It's recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md index f6e7a28d29..c53e872bb1 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md @@ -45,7 +45,7 @@ When Microsoft Entra Kerberos is enabled in an Active Directory domain, an *Azur :::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server "::: For more information about how Microsoft Entra Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][AZ-1].\ -For more information about how Microsoft Entra Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust). +For more information about how Microsoft Entra Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](../hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust). > [!IMPORTANT] > When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md index f334ccb78a..10b8e56a94 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md @@ -100,7 +100,7 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv > [!NOTE] > Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*. -> +> > For more information about these policies, see [Group Policy settings for Windows Hello for Business](../hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business). ### Configure security for GPO diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md index 299039ae2e..a32c3b4e05 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md @@ -53,6 +53,7 @@ Sign in using *Enterprise Administrator* equivalent credentials on a Windows Ser > [!IMPORTANT] > For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to: +> > - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune > - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL @@ -74,7 +75,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen 1. Close the console > [!IMPORTANT] -> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md). +> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](../hello-hybrid-aadj-sso.md). ## Configure and deploy certificates to domain controllers @@ -89,6 +90,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen Before moving to the next section, ensure the following steps are complete: > [!div class="checklist"] +> > - Configure domain controller certificates > - Supersede existing domain controller certificates > - Unpublish superseded certificate templates diff --git a/windows/security/identity-protection/hello-for-business/images/event358.png b/windows/security/identity-protection/hello-for-business/deploy/images/event358.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/event358.png rename to windows/security/identity-protection/hello-for-business/deploy/images/event358.png diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md index 1ac0f82f03..46c44a5c62 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/index.md +++ b/windows/security/identity-protection/hello-for-business/deploy/index.md @@ -51,11 +51,11 @@ Following are the various deployment guides and models included in this topic: - [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-cloud-kerberos-trust.md) - [Microsoft Entra hybrid joined Key Trust Deployment](hybrid-key-trust.md) - [Microsoft Entra hybrid joined Certificate Trust Deployment](hybrid-cert-trust.md) -- [Microsoft Entra join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) +- [Microsoft Entra join Single Sign-on Deployment Guides](../hello-hybrid-aadj-sso.md) - [On Premises Key Trust Deployment](hybrid-cloud-kerberos-trust.md) - [On Premises Certificate Trust Deployment](on-premises-cert-trust.md) -For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](deploy/on-premises-cert-trust-mfa.md) deployments. +For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](on-premises-cert-trust-mfa.md) deployments. ## Provisioning diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index 0a441f9e0c..d80393b040 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -25,9 +25,7 @@ The Windows Hello authenticator works to authenticate and allow employees onto y Windows Hello provides many benefits, including: - It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge. - - Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords! - - Support for Windows Hello is built into the operating system so you can add additional biometric devices and policies as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic. ## Where is Windows Hello data stored? @@ -80,7 +78,7 @@ To use Iris authentication, you'll need a [HoloLens 2 device](/hololens/). All H ## Related topics -- [Windows Hello for Business](requirements.md) +- [Windows Hello for Business](deploy/requirements.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 481b9e8a63..3ed49353ea 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -106,7 +106,7 @@ In Windows 10 and Windows 11, cloud experience host is an application used while ### Related to cloud experience host -- [Windows Hello for Business](requirements.md) +- [Windows Hello for Business](deploy/requirements.md) - [Managed Windows Hello in organization](hello-manage-in-organization.md) ### More information on cloud experience host @@ -131,7 +131,7 @@ Giving the simplicity offered by this model, cloud Kerberos trust is the recomme ### More information about cloud Kerberos trust -[Cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md) +[Cloud Kerberos trust deployment](deploy/hybrid-cloud-kerberos-trust.md) ## Deployment type diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 629c651006..d8f299c354 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -44,7 +44,7 @@ For more information read [how authentication works](hello-how-it-works-authenti ## Related topics - [Technology and Terminology](hello-how-it-works-technology.md) -- [Windows Hello for Business](requirements.md) +- [Windows Hello for Business](deploy/requirements.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index db7b0b3eff..55a70b9a89 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -82,7 +82,7 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. > [!NOTE] -> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hybrid-cloud-kerberos-trust.md). +> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](deploy/hybrid-cloud-kerberos-trust.md). The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 094d134856..52459fe655 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -44,7 +44,7 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci ## Related topics -- [Windows Hello for Business](requirements.md) +- [Windows Hello for Business](deploy/requirements.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)