Update Windows Hello for Business deployment instructions

Paolo Matarazzo 2024-01-02 11:11:14 -05:00
parent b355b5ccae
commit fc70f1ea34
7 changed files with 99 additions and 27 deletions

View File

@ -38,10 +38,14 @@ typically configured via an MDM solution like Microsoft Intune, using the [Passp
> [!NOTE]
> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
If the Intune tenant-wide policy is configured to disable Windows Hello for Business, or if devices are deployed with Windows Hello disabled, tThere's one policy setting required to enable Windows Hello for Business in a cloud-only trust model:
If the Intune tenant-wide policy is configured to *disable Windows Hello for Business*, or if devices are deployed with Windows Hello disabled, you must configure one policy setting to enable Windows Hello for Business in a cloud-only trust model:
- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business)
Another optional, but recommended, policy setting is:
- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device)
Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune)
@ -51,6 +55,7 @@ Follow the instructions below to configure your devices using either Microsoft I
| Category | Setting name | Value |
|--|--|--|
| **Windows Hello for Business** | Use Passport For Work | true |
| **Windows Hello for Business** | Require Security Device | true |
[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
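Review bot: The new "Require Security Device | true" row in the settings catalog table presents that setting on equal footing with "Use Passport For Work", while the prose above (lines "Another optional, but recommended, policy setting is:") says it is optional. Consider marking the row as optional in the table (for example "true (optional)") or adding a short note under the table, so readers don't treat the TPM requirement as mandatory; per the user-experience include, setting it makes the key pair required from the TPM, which is worth stating next to the row.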
@ -59,6 +64,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
| Setting |
|--------|
| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`<br>- **Data type:** `bool`<br>- **Value:** `True`|
| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`<br>- **Data type:** `bool`<br>- **Value:** `True`|
# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
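Review bot: The hunk header shows "custom policy][MEM-1]", but in this file [MEM-1] resolves to /mem/intune/enrollment/windows-enrollment-status (the Enrollment Status Page article, also used by the TIP below), so the "custom policy" link points to the wrong article. Use a separate reference for custom policies (the hybrid key trust file in this commit uses /mem/intune/configuration/custom-settings-configure for that purpose).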
@ -69,12 +75,8 @@ To configure a device with group policy, use the [Local Group Policy Editor](/pr
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**<br>or<br> **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
> [!NOTE]
> The enablement of the *Use a hardware security device* policy setting is optional, but recommended.
---
> [!TIP]
> If you're using Microsoft Intune, and you're not using the [tenant-wide policy](../configure.md#verify-the-tenant-wide-policy), enable the Enrollment Status Page (ESP) to ensure that the devices receive the Windows Hello for Business policy settings before users can access their desktop. For more information about ESP, see [Set up the Enrollment Status Page][MEM-1].
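Review bot: Removing the NOTE "The enablement of the *Use a hardware security device* policy setting is optional, but recommended." leaves the GPO table listing both settings as **Enabled** with no indication that the second one is optional. Either keep a one-line note after the table or annotate the "Use a hardware security device" row, so the GPO tab stays consistent with the policy list above.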
@ -88,14 +90,17 @@ The Windows Hello for Business provisioning process begins immediately after a u
[!INCLUDE [user-experience](includes/user-experience.md)]
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
## Disable automatic enrollment
If you want to disable the automatic Windows Hello for Business enrollment prompt, you can configure your devices with a policy setting or registry key. For more information, see [Disable Windows Hello for Business enrollment](../configure.md#disable-windows-hello-for-business-enrollment).
> [!NOTE]
> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you are guided to enroll in Windows Hello for Business when you don't have Intune. You can cancel the PIN screen and configure this cancellation with registry keys to prevent future prompts.
> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you are guided to enroll in Windows Hello for Business when you don't have Intune. You can cancel the PIN screen and access the desktop without enrolling in Windows Hello for Business.
<!--links-->
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[MEM-1]: /mem/intune/enrollment/windows-enrollment-status
[WIN-1]: /windows/client-management/mdm/passportforwork-csp
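Review bot: The link references need cleanup: [CSP-1] and [WIN-1] both point to /windows/client-management/mdm/passportforwork-csp, and [MEM-1] (the enrollment status page article) is used for two different link texts in this file, "custom policy" and "Set up the Enrollment Status Page". Drop the duplicate reference and add a distinct one for the custom policy link. Separately, the two adjacent NOTE variants about the OOBE PIN screen show the old and new wording; the new text ("access the desktop without enrolling") reads clearly.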

View File

@ -9,7 +9,24 @@ ms.topic: tutorial
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
> [!div class="checklist"]
> Once the prerequisites are met, and the PKI and AD FS configurations are validated, deploying Windows Hello for Business consists of the following steps:
>
> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings)
> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business)
## Configure Windows Hello for Business policy settings
There are 2 policy setting required to enable Windows Hello for Business in a certificate trust model:
- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business)
- [Use certificate for on-premises authentication](../policy-settings.md#use-certificate-for-on-premises-authentication)
Another optional, but recommended, policy setting is:
- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device)
Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
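Review bot: Grammar at "There are 2 policy setting required to enable Windows Hello for Business in a certificate trust model:" should be "There are two policy settings required ...". The same phrasing appears in the on-premises certificate trust file in this commit; fix both. Also note that the tab block here opens with the GPO tab while the other files open with the Intune/CSP tab; pick one order for consistency.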
@ -58,6 +75,7 @@ If the Intune tenant-wide policy is enabled and configured to your needs, you ca
|--|--|--|
| **Windows Hello for Business** | Use Passport For Work | true |
| **Windows Hello for Business** | Use Certificate For On Prem Auth | Enabled |
| **Windows Hello for Business** | Require Security Device | true |
[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
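Review bot: The Value column mixes representations: "Use Passport For Work" and "Require Security Device" show "true" while "Use Certificate For On Prem Auth" shows "Enabled". If the settings catalog really renders these differently, a short note would help; otherwise normalise to one form so admins don't second-guess what to select.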
@ -67,11 +85,16 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
|--------|
| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`<br>- **Data type:** `bool`<br>- **Value:** `True`|
| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCertificateForOnPremAuth`<br>- **Data type:** `bool`<br>- **Value:** `True`|
| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`<br>- **Data type:** `bool`<br>- **Value:** `True`|
For more information about the certificate trust policy, see [Windows Hello for Business policy settings](../policy-settings.md#use-certificate-for-on-premises-authentication).
---
If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources)
Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
## Enroll in Windows Hello for Business
The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
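Review bot: The precedence sentence "If you deploy Windows Hello for Business configuration using both Group Policy and Intune ... see [Policy conflicts from multiple policy sources](...)" is missing its terminating period. The same sentence in the hybrid key trust file has the same issue.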

View File

@ -63,6 +63,10 @@ After setting up the Microsoft Entra Kerberos object, Windows Hello for business
- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business)
- [use-cloud-trust-for-on-premises-authentication](../policy-settings.md#use-cloud-trust-for-on-premises-authentication)
Another optional, but recommended, policy setting is:
- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device)
> [!IMPORTANT]
> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust takes precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured**.
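Review bot: The second list item uses the anchor slug as its link text: "[use-cloud-trust-for-on-premises-authentication](../policy-settings.md#use-cloud-trust-for-on-premises-authentication)". Give it a readable title in the same style as the first item, for example "Use cloud Kerberos trust for on-premises authentication", matching the GPO setting name used later in this file.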
@ -81,6 +85,7 @@ If the Intune tenant-wide policy is enabled and configured to your needs, you on
|--|--|--|
| **Windows Hello for Business** | Use Passport For Work | true |
| **Windows Hello for Business** | Use Cloud Trust For On Prem Auth | Enabled |
| **Windows Hello for Business** | Require Security Device | true |
[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
@ -90,6 +95,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
|--------|
| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`<br>- **Data type:** `bool`<br>- **Value:** `True`|
| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth`<br>- **Data type:** `bool`<br>- **Value:** `True`|
| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`<br>- **Data type:** `bool`<br>- **Value:** `True`|
# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
@ -110,9 +116,6 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use cloud Kerberos trust for on-premises authentication| **Enabled**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
> [!NOTE]
> The enablement of the *Use a hardware security device* policy setting is optional, but recommended.
[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
> [!TIP]
@ -140,6 +143,8 @@ The cloud Kerberos trust prerequisite check detects whether the user has a parti
[!INCLUDE [user-experience](includes/user-experience.md)]
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
Once a user completes enrollment with cloud Kerberos trust, the Windows Hello gesture can be used **immediately** for sign-in. On a Microsoft Entra hybrid joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key from Microsoft Entra ID to Active Directory.
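Review bot: "While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key from Microsoft Entra ID to Active Directory." uses "While" where "After" or "Once" is meant. More importantly, this sentence appears to be carried over from the key trust article; it sits right after text saying the gesture can be used **immediately** with cloud Kerberos trust, so please verify that a key sync by Microsoft Entra Connect is actually a step in this trust model before keeping the line here.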

View File

@ -9,7 +9,23 @@ ms.topic: tutorial
[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
After the prerequisites are met and the PKI configuration is validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
> [!div class="checklist"]
> Once the prerequisites are met and the PKI configuration is validated, deploying Windows Hello for Business consists of the following steps:
>
> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings)
> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business)
## Configure Windows Hello for Business policy settings
There's 1 policy setting required to enable Windows Hello for Business in a key trust model:
- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business)
Another optional, but recommended, policy setting is:
- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device)
Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune)
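Review bot: "There's 1 policy setting required to enable Windows Hello for Business in a key trust model:" reads better with the number spelled out ("There's one policy setting required ..."), and the same applies to the on-premises key trust file in this commit. The checklist and the trailing "Follow the instructions below ..." sentence otherwise mirror the other files correctly.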
@ -23,6 +39,7 @@ If the Intune tenant-wide policy is enabled and configured to your needs, you ca
| Category | Setting name | Value |
|--|--|--|
| **Windows Hello for Business** | Use Passport For Work | true |
| **Windows Hello for Business** | Require Security Device | true |
[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
@ -31,6 +48,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
| Setting |
|--------|
| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`<br>- **Data type:** `bool`<br>- **Value:** `True`|
| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`<br>- **Data type:** `bool`<br>- **Value:** `True`|
# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
@ -43,9 +61,6 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**<br>or<br> **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
> [!NOTE]
> The enablement of the *Use a hardware security device* policy setting is optional, but recommended.
[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
> [!TIP]
@ -53,8 +68,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
---
> [!NOTE]
> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources)
If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources)
Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
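Review bot: Converting the precedence NOTE into a plain paragraph is fine, but the new line "If you deploy Windows Hello for Business configuration using both Group Policy and Intune ..." still lacks a terminating period after the link.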
@ -71,7 +85,6 @@ This information is also available using the `dsregcmd.exe /status` command from
[!INCLUDE [user-experience](includes/user-experience.md)]
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key from Microsoft Entra ID to Active Directory.
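Review bot: "While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key ..." should read "After the user has completed provisioning ...". Since in a key trust deployment that sync has to complete before the key can be used against on-premises resources, it is worth saying so explicitly in this sentence rather than leaving it implicit.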
@ -86,4 +99,3 @@ While the user has completed provisioning, Microsoft Entra Connect synchronizes
[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[MEM-1]: /mem/intune/configuration/custom-settings-configure

View File

@ -11,4 +11,3 @@ After a user signs in, the Windows Hello for Business enrollment process begins:
1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and access their desktop.
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
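Review bot: Two small wording issues in the enrollment steps: the first step "This PIN must observe any PIN complexity policies configured on the device" is missing its terminating period, and in the second step "they can use their PIN to sign-in" the verb form is "sign in" (hyphenated "sign-in" is the noun). The parenthetical "(or required if explicitly set through policy)" refers to the Require Security Device / Use a hardware security device setting added to the tables in this commit; linking the two would help readers.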

View File

@ -1,15 +1,32 @@
---
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
ms.date: 01/03/2024
ms.topic: tutorial
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
---
# Configure and enroll in Windows Hello for Business in an on-premises certificate trust model
[!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)]
After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using group policy (GPO).
> [!div class="checklist"]
> Once the prerequisites are met, and the PKI and AD FS configurations are validated, deploying Windows Hello for Business consists of the following steps:
>
> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings)
> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business)
## Configure Windows Hello for Business policy settings
There are 2 policy setting required to enable Windows Hello for Business in a certificate trust model:
- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business)
- [Use certificate for on-premises authentication](../policy-settings.md#use-certificate-for-on-premises-authentication)
Another optional, but recommended, policy setting is:
- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device)
Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]
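Review bot: The added sentence "Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO)." contradicts this on-premises article: the preceding text says "using group policy (GPO)" only, and the include that follows is gpo-enable-whfb. Drop "either Microsoft Intune or" here. Also "There are 2 policy setting required" should be "There are two policy settings required".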

View File

@ -1,15 +1,29 @@
---
ms.date: 01/03/2024
ms.topic: tutorial
title: Configure Windows Hello for Business Policy settings in an on-premises key trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario
ms.topic: tutorial
---
# Configure and enroll in Windows Hello for Business in an on-premises key trust model
[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using group policy (GPO).
> [!div class="checklist"]
> Once the prerequisites are met, and the PKI and AD FS configurations are validated, deploying Windows Hello for Business consists of the following steps:
>
> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings)
> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business)
## Configure Windows Hello for Business policy settings
There's 1 policy setting required to enable Windows Hello for Business in a key trust model:
- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business)
Another optional, but recommended, policy setting is:
- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device)
[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]
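Review bot: The front matter shows "ms.topic: tutorial" twice in this hunk; make sure only one copy survives in the applied file, since a duplicate key in YAML front matter will fail the build. Also "There's 1 policy setting required" reads better as "There's one policy setting required", matching the wording suggested for the hybrid key trust file.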
@ -20,9 +34,6 @@ After the prerequisites are met and the PKI and AD FS configurations are validat
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**<br>or<br> **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
> [!NOTE]
> The enablement of the *Use a hardware security device* policy setting is optional, but recommended.
[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
> [!TIP]