diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md index 1c637eb2ae..61d6989d64 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md +++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md @@ -38,10 +38,14 @@ typically configured via an MDM solution like Microsoft Intune, using the [Passp > [!NOTE] > Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business. -If the Intune tenant-wide policy is configured to disable Windows Hello for Business, or if devices are deployed with Windows Hello disabled, tThere's one policy setting required to enable Windows Hello for Business in a cloud-only trust model: +If the Intune tenant-wide policy is configured to *disable Windows Hello for Business*, or if devices are deployed with Windows Hello disabled, you must configure one policy setting to enable Windows Hello for Business in a cloud-only trust model: - [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business) +Another optional, but recommended, policy setting is: + +- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device) + Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). # [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune) 
@@ -51,6 +55,7 @@ Follow the instructions below to configure your devices using either Microsoft I | Category | Setting name | Value | |--|--|--| | **Windows Hello for Business** | Use Passport For Work | true | +| **Windows Hello for Business** | Require Security Device | true | [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] @@ -59,6 +64,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the | Setting | |--------| | - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
- **Data type:** `bool`
- **Value:** `True`| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
- **Data type:** `bool`
- **Value:** `True`| # [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo) @@ -69,12 +75,8 @@ To configure a device with group policy, use the [Local Group Policy Editor](/pr | **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**| | **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**| -> [!NOTE] -> The enablement of the *Use a hardware security device* policy setting is optional, but recommended. - --- - > [!TIP] > If you're using Microsoft Intune, and you're not using the [tenant-wide policy](../configure.md#verify-the-tenant-wide-policy), enable the Enrollment Status Page (ESP) to ensure that the devices receive the Windows Hello for Business policy settings before users can access their desktop. For more information about ESP, see [Set up the Enrollment Status Page][MEM-1]. 
@@ -88,14 +90,17 @@ The Windows Hello for Business provisioning process begins immediately after a u [!INCLUDE [user-experience](includes/user-experience.md)] +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."] + ## Disable automatic enrollment If you want to disable the automatic Windows Hello for Business enrollment prompt, you can configure your devices with a policy setting or registry key. For more information, see [Disable Windows Hello for Business enrollment](../configure.md#disable-windows-hello-for-business-enrollment). > [!NOTE] -> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you are guided to enroll in Windows Hello for Business when you don't have Intune. You can cancel the PIN screen and configure this cancellation with registry keys to prevent future prompts. +> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you are guided to enroll in Windows Hello for Business when you don't have Intune. You can cancel the PIN screen and access the desktop without enrolling in Windows Hello for Business. +[CSP-1]: /windows/client-management/mdm/passportforwork-csp [MEM-1]: /mem/intune/enrollment/windows-enrollment-status [WIN-1]: /windows/client-management/mdm/passportforwork-csp diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md index 09fd055fad..f867a17938 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md 
@@ -9,7 +9,24 @@ ms.topic: tutorial [!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)] -After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). +> [!div class="checklist"] +> Once the prerequisites are met, and the PKI and AD FS configurations are validated, deploying Windows Hello for Business consists of the following steps: +> +> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings) +> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business) + +## Configure Windows Hello for Business policy settings + +There are 2 policy setting required to enable Windows Hello for Business in a certificate trust model: + +- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business) +- [Use certificate for on-premises authentication](../policy-settings.md#use-certificate-for-on-premises-authentication) + +Another optional, but recommended, policy setting is: + +- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device) + +Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). # [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo) @@ -58,6 +75,7 @@ If the Intune tenant-wide policy is enabled and configured to your needs, you ca |--|--|--| | **Windows Hello for Business** | Use Passport For Work | true | | **Windows Hello for Business** | Use Certificate For On Prem Auth | Enabled | +| **Windows Hello for Business** | Require Security Device | true | [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] 
@@ -67,11 +85,16 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the |--------| | - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
- **Data type:** `bool`
- **Value:** `True`| | - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCertificateForOnPremAuth`
- **Data type:** `bool`
- **Value:** `True`| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
- **Data type:** `bool`
- **Value:** `True`| For more information about the certificate trust policy, see [Windows Hello for Business policy settings](../policy-settings.md#use-certificate-for-on-premises-authentication). --- +If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources) + +Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md). + ## Enroll in Windows Hello for Business The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass. diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md index 6ca9e7bf87..8253fa06a7 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md 
@@ -63,6 +63,10 @@ After setting up the Microsoft Entra Kerberos object, Windows Hello for business - [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business) - [use-cloud-trust-for-on-premises-authentication](../policy-settings.md#use-cloud-trust-for-on-premises-authentication) +Another optional, but recommended, policy setting is: + +- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device) + > [!IMPORTANT] > If the **Use certificate for on-premises authentication** policy is enabled, certificate trust takes precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured**. @@ -81,6 +85,7 @@ If the Intune tenant-wide policy is enabled and configured to your needs, you on |--|--|--| | **Windows Hello for Business** | Use Passport For Work | true | | **Windows Hello for Business** | Use Cloud Trust For On Prem Auth | Enabled | +| **Windows Hello for Business** | Require Security Device | true | [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] @@ -90,6 +95,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the |--------| | - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
- **Data type:** `bool`
- **Value:** `True`| | - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth`
- **Data type:** `bool`
- **Value:** `True`| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
- **Data type:** `bool`
- **Value:** `True`| # [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo) @@ -110,9 +116,6 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the | **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use cloud Kerberos trust for on-premises authentication| **Enabled**| | **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**| -> [!NOTE] -> The enablement of the *Use a hardware security device* policy setting is optional, but recommended. - [!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)] > [!TIP] @@ -140,6 +143,8 @@ The cloud Kerberos trust prerequisite check detects whether the user has a parti [!INCLUDE [user-experience](includes/user-experience.md)] +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."] + Once a user completes enrollment with cloud Kerberos trust, the Windows Hello gesture can be used **immediately** for sign-in. On a Microsoft Entra hybrid joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key from Microsoft Entra ID to Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md index 063d728a16..ca9b68d447 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md 
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md @@ -9,7 +9,23 @@ ms.topic: tutorial [!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)] -After the prerequisites are met and the PKI configuration is validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). +> [!div class="checklist"] +> Once the prerequisites are met and the PKI configuration is validated, deploying Windows Hello for Business consists of the following steps: +> +> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings) +> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business) + +## Configure Windows Hello for Business policy settings + +There's 1 policy setting required to enable Windows Hello for Business in a key trust model: + +- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business) + +Another optional, but recommended, policy setting is: + +- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device) + +Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). # [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune) @@ -23,6 +39,7 @@ If the Intune tenant-wide policy is enabled and configured to your needs, you ca | Category | Setting name | Value | |--|--|--| | **Windows Hello for Business** | Use Passport For Work | true | +| **Windows Hello for Business** | Require Security Device | true | [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] 
@@ -31,6 +48,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the | Setting | |--------| | - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
- **Data type:** `bool`
- **Value:** `True`| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
- **Data type:** `bool`
- **Value:** `True`| # [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo) @@ -43,9 +61,6 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the | **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**| | **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**| -> [!NOTE] -> The enablement of the *Use a hardware security device* policy setting is optional, but recommended. - [!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)] > [!TIP] @@ -53,8 +68,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the --- -> [!NOTE] -> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources) +If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources) Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md). @@ -71,7 +85,6 @@ This information is also available using the `dsregcmd.exe /status` command from [!INCLUDE [user-experience](includes/user-experience.md)] - > [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."] While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key from Microsoft Entra ID to Active Directory. 
@@ -86,4 +99,3 @@ While the user has completed provisioning, Microsoft Entra Connect synchronizes [AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler [CSP-1]: /windows/client-management/mdm/passportforwork-csp [MEM-1]: /mem/intune/configuration/custom-settings-configure - diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md b/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md index 2f57761598..2269b656e1 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md @@ -11,4 +11,3 @@ After a user signs in, the Windows Hello for Business enrollment process begins: 1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device 1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and access their desktop. -> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."] diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md index c81529544e..6caaab48f4 100644 
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md 
@@ -1,15 +1,32 @@ --- -title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust -description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario ms.date: 01/03/2024 ms.topic: tutorial +title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust +description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario --- # Configure and enroll in Windows Hello for Business in an on-premises certificate trust model [!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)] -After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using group policy (GPO). +> [!div class="checklist"] +> Once the prerequisites are met, and the PKI and AD FS configurations are validated, deploying Windows Hello for Business consists of the following steps: +> +> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings) +> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business) + +## Configure Windows Hello for Business policy settings + +There are 2 policy setting required to enable Windows Hello for Business in a certificate trust model: + +- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business) +- [Use certificate for on-premises authentication](../policy-settings.md#use-certificate-for-on-premises-authentication) + +Another optional, but recommended, policy setting is: + +- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device) + +Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). 
[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)] diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md index 8f398ddc69..7b19f635dc 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md 
@@ -1,15 +1,29 @@ --- ms.date: 01/03/2024 +ms.topic: tutorial title: Configure Windows Hello for Business Policy settings in an on-premises key trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario -ms.topic: tutorial --- # Configure and enroll in Windows Hello for Business in an on-premises key trust model [!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)] -After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using group policy (GPO). +> [!div class="checklist"] +> Once the prerequisites are met, and the PKI and AD FS configurations are validated, deploying Windows Hello for Business consists of the following steps: +> +> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings) +> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business) + +## Configure Windows Hello for Business policy settings + +There's 1 policy setting required to enable Windows Hello for Business in a key trust model: + +- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business) + +Another optional, but recommended, policy setting is: + +- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device) [!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)] @@ -20,9 +34,6 @@ After the prerequisites are met and the PKI and AD FS configurations are validat | **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**| | **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**| -> [!NOTE] -> The enablement of the *Use a hardware security device* policy setting is optional, but recommended. - [!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)] > [!TIP]
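Review bot: In the cloud-only.md hunk at `@@ -59,6 +64,7`, the context line "configure devices using a [custom policy][MEM-1]" resolves through the same `[MEM-1]` reference that the later `@@ -88` hunk defines as `/mem/intune/enrollment/windows-enrollment-status`, so the "custom policy" link lands on the Enrollment Status Page article instead of the custom settings article. hybrid-key-trust-enroll.md defines `[MEM-1]: /mem/intune/configuration/custom-settings-configure` for this purpose; add a separate reference (for example `[MEM-2]`) for the custom policy link in cloud-only.md rather than sharing one name across two targets.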
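Review bot: In the cloud-only.md hunk at `@@ -69,12 +75,8`, the removal of the note also drops the blank lines on both sides of the `---` tab-group terminator, leaving `---` directly followed by `> [!TIP]`. Confirm that a blank line still separates the table from `---` and `---` from the tip after this change, otherwise the separator risks being parsed as part of the preceding block rather than closing the GPO tab.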
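Review bot: In the cloud-only.md hunk at `@@ -88,14 +90,17`, the added reference `[CSP-1]: /windows/client-management/mdm/passportforwork-csp` points to exactly the same target as the existing `[WIN-1]: /windows/client-management/mdm/passportforwork-csp` on the next line. Keep one of the two names and make sure the body text uses it; the hunk shows no body line that references `[CSP-1]`, so either the reference is unused or a body change is missing from the diff.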
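Review bot: In the hybrid-cert-trust-enroll.md hunk at `@@ -9,7 +9,24`, "There are 2 policy setting required" has a number/noun mismatch; write "There are two policy settings required", which also matches the spelled-out "one policy setting" used in the cloud-only.md hunk at `@@ -38`. The same sentence appears in the on-premises-cert-trust-enroll.md hunk at `@@ -1,15 +1,32` and needs the same fix.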
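Review bot: In the hybrid-cert-trust-enroll.md hunk at `@@ -58,6 +75,7`, the new row `| **Windows Hello for Business** | Require Security Device | true |` uses a boolean value while the row directly above it, `Use Certificate For On Prem Auth | Enabled`, uses "Enabled" for what the custom-policy table below shows as `bool` / `True`. Since this hunk touches the table, align the existing row to `true` so the settings catalog column reads consistently; the hybrid-cloud-kerberos-trust.md hunk at `@@ -81,6 +85,7` has the same mix with `Use Cloud Trust For On Prem Auth | Enabled`.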
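Review bot: In the hybrid-cert-trust-enroll.md hunk at `@@ -67,11 +85,16`, the added sentence "…see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources)" has no terminating period, unlike the paragraph that follows it. The identical sentence added in the hybrid-key-trust-enroll.md hunk at `@@ -53,8 +68,7` is missing the period as well.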
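Review bot: In the hybrid-cloud-kerberos-trust.md hunk at `@@ -63,6 +63,10`, the context bullet immediately above the added lines uses the anchor slug as link text, `[use-cloud-trust-for-on-premises-authentication](../policy-settings.md#use-cloud-trust-for-on-premises-authentication)`, while the sibling bullet and the new bullet use the human-readable policy names. Since the hunk edits this list, change the link text to the policy's display name, which the GPO table in the `@@ -110` hunk of the same file gives as "Use cloud Kerberos trust for on-premises authentication".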
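Review bot: In the hybrid-key-trust-enroll.md hunk at `@@ -9,7 +9,23`, "There's 1 policy setting required" should spell the number out ("There's one policy setting required") to match "one policy setting" in cloud-only.md; the on-premises-key-trust-enroll.md hunk at `@@ -1,15 +1,29` adds the same sentence and should be changed the same way.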
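Review bot: In the includes/user-experience.md hunk at `@@ -11,4 +11,3`, removing the `> [!VIDEO …]` line from the shared include means every page that includes it loses the video unless it adds one locally. This patch adds a `> [!VIDEO …]` line to cloud-only.md and hybrid-cloud-kerberos-trust.md, and hybrid-key-trust-enroll.md already carries one, but no VIDEO line is added to hybrid-cert-trust-enroll.md, on-premises-cert-trust-enroll.md or on-premises-key-trust-enroll.md in this diff; confirm those pages either do not include this file or are meant to drop the video.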
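Review bot: In the on-premises-cert-trust-enroll.md hunk at `@@ -1,15 +1,32`, the removed sentence ended with "configure your devices using group policy (GPO)", but the added replacement reads "using either Microsoft Intune or group policy (GPO)", and the page then goes straight into `[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]` with no Intune tab. Restore the GPO-only wording here; the Intune phrasing looks copied from the hybrid pages.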
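Review bot: In the on-premises-key-trust-enroll.md hunk at `@@ -1,15 +1,29`, the rewrite drops the lead-in that the removed line provided ("Follow the instructions below to configure your devices using group policy (GPO).") and ends the new section on the "Use a hardware security device" bullet right before the `gpo-enable-whfb` include, whereas the parallel on-premises-cert-trust-enroll.md hunk keeps a lead-in sentence. Add "Follow the instructions below to configure your devices using group policy (GPO)." after the bullet so the two on-premises pages read the same way and the include is introduced.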