deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 14847: customer issues plus Whiteboard update

Browse Source
This commit is contained in:
Jeanie Decker
2019-03-18 17:45:46 +00:00
parent 2a06c76040
commit fc7cf61571
10 changed files with 45 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
devices/surface-hub/TOC.md
View File

@ -32,7 +32,7 @@
#### [Wireless network management](wireless-network-management-for-surface-hub.md) #### [Wireless network management](wireless-network-management-for-surface-hub.md)
### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) ### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
### [Configure Surface Hub Start menu](surface-hub-start-menu.md) ### [Configure Surface Hub Start menu](surface-hub-start-menu.md)
### [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) ### [Set up and use Microsoft Whiteboard](whiteboard-collaboration.md)
### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md) ### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md)
### [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) ### [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md)
### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) ### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)

2
devices/surface-hub/manage-surface-hub.md
View File

@ -32,7 +32,7 @@ Learn about managing and updating Surface Hub.
| [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network | | [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network |
| [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.| | [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.|
[Configure Surface Hub Start menu](surface-hub-start-menu.md) | Use MDM to customize the Start menu for Surface Hub. [Configure Surface Hub Start menu](surface-hub-start-menu.md) | Use MDM to customize the Start menu for Surface Hub.
| [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Microsoft Whiteboards latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. | | [Set up and use Microsoft Whiteboard](whiteboard-collaboration.md) | Microsoft Whiteboards latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. |
| [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.| | [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.|
| [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | You can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS. | | [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | You can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS. |
| [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.| | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.|

16
devices/surface-hub/whiteboard-collaboration.md
View File

@ -1,27 +1,29 @@
--- ---
title: Set up and use Whiteboard to Whiteboard collaboration title: Set up and use Microsoft Whiteboard
description: Microsoft Whiteboards latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. description: Microsoft Whiteboards latest update includes the capability for two Surface Hubs to collaborate in real time on the same board.
ms.prod: surface-hub ms.prod: surface-hub
ms.sitesec: library ms.sitesec: library
author: jdeckerms author: jdeckerms
ms.author: jdecker ms.author: jdecker
ms.topic: article ms.topic: article
ms.date: 07/12/2018 ms.date: 03/18/2019
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---
# Set up and use Whiteboard to Whiteboard collaboration (Surface Hub) # Set up and use Microsoft Whiteboard
The Microsoft Whiteboard app includes the capability for two Surface Hubs to collaborate in real time on the same board.
>[!IMPORTANT] >[!IMPORTANT]
>A new Microsoft Whiteboard app was released on July 12, 2018. The existing Whiteboard app that comes installed on Surface Hub and is pinned to the Welcome screen cannot collaborate with the new version that can be installed on the PC. If people in your organization install the new Whiteboard on their PCs, you must install the new Whiteboard on Surface Hub to enable collaboration. To learn more about installing the new Whiteboard on your Surface Hub, see [Whiteboard on Surface Hub opt-in](https://go.microsoft.com/fwlink/p/?LinkId=2004277). >A new Microsoft Whiteboard app was released on July 12, 2018. The existing Whiteboard app that comes installed on Surface Hub and is pinned to the Welcome screen has been renamed **Microsoft Whiteboard 2016**. Microsoft Whiteboard 2016 will be automatically upgraded by May 21, 2019, and the collaboration service for the legacy app will stop functioning after June 7, 2019. For more details, see [Enable Microsoft Whiteboard on Surface Hub](https://support.office.com/article/enable-microsoft-whiteboard-on-surface-hub-b5df4539-f735-42ff-b22a-0f5e21be7627?ui=en-US&rs=en-US&ad=US).
The Microsoft Whiteboard app includes the capability for two Surface Hubs to collaborate in real time on the same board.
By ensuring that your organization meets the prerequisites, users can then ink, collaborate, and ideate together. By ensuring that your organization meets the prerequisites, users can then ink, collaborate, and ideate together.
![example of a whiteboard with collaborative inking](images/wb-collab-example.png) ![example of a whiteboard with collaborative inking](images/wb-collab-example.png)
## Prerequisites for Whiteboard to Whiteboard collaboration ## Prerequisites for Whiteboard to Whiteboard collaboration (Microsoft Whiteboard 2016)
To get Whiteboard to Whiteboard collaboration up and running, youll need to make sure your organization meets the following requirements: To get Whiteboard to Whiteboard collaboration up and running, youll need to make sure your organization meets the following requirements:
@ -36,7 +38,7 @@ To get Whiteboard to Whiteboard collaboration up and running, youll need to m
>[!NOTE] >[!NOTE]
>Collaborative sessions can only take place between users within the same tenant, so users outside of your organization wont be able to join even if they have a Surface Hub. >Collaborative sessions can only take place between users within the same tenant, so users outside of your organization wont be able to join even if they have a Surface Hub.
## Using Whiteboard to Whiteboard collaboration ## Using Whiteboard to Whiteboard collaboration (Microsoft Whiteboard 2016)
To start a collaboration session: To start a collaboration session:

3
mdop/uev-v1/index.md
View File

@ -13,6 +13,9 @@ ms.date: 04/19/2017
# Microsoft User Experience Virtualization (UE-V) 1.0 # Microsoft User Experience Virtualization (UE-V) 1.0
>[!NOTE]
>This documentation is a for version of UE-V that was included in the Microsoft Desktop Optimization Pack (MDOP). For information about the latest version of UE-V which is included in Windows 10 Enterprise, see [Get Started with UE-V](https://docs.microsoft.com/windows/configuration/ue-v/uev-getting-started).
Microsoft User Experience Virtualization (UE-V) captures and centralizes application settings and Windows operating system settings for the user. These settings are then applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. Microsoft User Experience Virtualization (UE-V) captures and centralizes application settings and Windows operating system settings for the user. These settings are then applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.

3
mdop/uev-v2/index.md
View File

@ -13,6 +13,9 @@ ms.date: 04/19/2017
# Microsoft User Experience Virtualization (UE-V) 2.x # Microsoft User Experience Virtualization (UE-V) 2.x
>[!NOTE]
>This documentation is a for version of UE-V that was included in the Microsoft Desktop Optimization Pack (MDOP). For information about the latest version of UE-V which is included in Windows 10 Enterprise, see [Get Started with UE-V](https://docs.microsoft.com/windows/configuration/ue-v/uev-getting-started).
Capture and centralize your users application settings and Windows OS settings by implementing Microsoft User Experience Virtualization (UE-V) 2.0 or 2.1. Then, apply these settings to the devices users access in your enterprise, like desktop computers, laptops, or virtual desktop infrastructure (VDI) sessions. Capture and centralize your users application settings and Windows OS settings by implementing Microsoft User Experience Virtualization (UE-V) 2.0 or 2.1. Then, apply these settings to the devices users access in your enterprise, like desktop computers, laptops, or virtual desktop infrastructure (VDI) sessions.

3
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -505,7 +505,7 @@ Provisioning packages can be applied to a device during the first-run experience
#### After setup, from a USB drive, network folder, or SharePoint site #### After setup, from a USB drive, network folder, or SharePoint site
1. Sign in with an admin account. 1. Sign in with an admin account.
2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. 2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.
>[!NOTE] >[!NOTE]
>if your provisioning package doesnt include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. >if your provisioning package doesnt include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
@ -537,6 +537,7 @@ The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configu
## Considerations for Windows Mixed Reality immersive headsets ## Considerations for Windows Mixed Reality immersive headsets

5
windows/configuration/ue-v/uev-getting-started.md
View File

@ -14,6 +14,9 @@ ms.date: 03/08/2018
**Applies to** **Applies to**
- Windows 10, version 1607 - Windows 10, version 1607
>[!NOTE]
>This documentation is for the most recent version of UE-V. If you're looking for information about UE-V 2.x, which was included in the Microsoft Desktop Optimization Pack (MDOP), see [Get Started with UE-V 2.x](https://docs.microsoft.com/microsoft-desktop-optimization-pack/uev-v2/get-started-with-ue-v-2x-new-uevv2).
Follow the steps in this topic to deploy User Experience Virtualization (UE-V) for the first time in a test environment. Evaluate UE-V to determine whether its the right solution to manage user settings across multiple devices within your enterprise. Follow the steps in this topic to deploy User Experience Virtualization (UE-V) for the first time in a test environment. Evaluate UE-V to determine whether its the right solution to manage user settings across multiple devices within your enterprise.
>[!NOTE] >[!NOTE]
@ -150,7 +153,7 @@ Youre ready to run a few tests on your UE-V evaluation deployment to see how
## Have a suggestion for UE-V? ## Have a suggestion for UE-V?
Add or vote on suggestions on the [User Experience Virtualization feedback site](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization).<br>For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
## Other resources for this feature ## Other resources for this feature

5
windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
View File

@ -45,7 +45,10 @@ These steps assume that you have the MDT01 member server installed and configure
3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings: 3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings:
1. Deployment Tools 1. Deployment Tools
2. Windows Preinstallation Environment (Windows PE) 2. Windows Preinstallation Environment (Windows PE)
3. User State Migration Tool (UMST) 3. User State Migration Tool (USMT)
>[!IMPORTANT]
>Starting with Windows 10, version 1809, Windows PE is released separately from the AFK. See [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) for more information.
## <a href="" id="sec03"></a>Install MDT ## <a href="" id="sec03"></a>Install MDT

34
windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
View File

@ -15,7 +15,7 @@ localizationpriority: medium
ms.date: 08/19/2018 ms.date: 08/19/2018
--- ---
# Windows Hello for Business Provisioning # Windows Hello for Business Provisioning
<span id="windows-hello-for-business-provisioning" />
**Applies to:** **Applies to:**
- Windows 10 - Windows 10
@ -24,14 +24,14 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
- The Windows Hello for Business deployment type - The Windows Hello for Business deployment type
- If the environment is managed or federated - If the environment is managed or federated
[Azure AD joined provisioning in a Managed environment](#Azure-AD-joined-provisioning-in-a-Managed-environment)<br> [Azure AD joined provisioning in a Managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)<br>
[Azure AD joined provisioning in a Federated environment](#Azure-AD-joined-provisioning-in-a-Federated-environment)<br> [Azure AD joined provisioning in a Federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)<br>
[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment](#Hybrid-Azure-AD-joined-provisioning-in-a-Key-Trust-deployment-in-a-Managed-envrionment)<br> [Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)<br>
[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#Hybrid-Azure-AD-joined-provisioning-in-a-Certificate-Trust-deployment-in-a-Managed-environment)<br> [Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)<br>
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#Hybrid-Azure-AD-joined-provisioning-in-a-synchronous-Certificate-Trust-deployment-in-a-Managed-environment)<br> [Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-managed-environment)<br>
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#Hybrid-Azure-AD-joined-provisioning-in-a-synchronous-Certificate-Trust-deployment-in-a-Federated-environment)<br> [Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)<br>
[Domain joined provisioning in an On-premises Key Trust deployment](#Domain-joined-provisioning-in-an-On-premises-Key-Trust-deployment)<br> [Domain joined provisioning in an On-premises Key Trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)<br>
[Domain joined provisioning in an On-premises Certificate Trust deployment](#Domain-joined-provisioning-in-an-On-premises-Certificate-Trust-deployment)<br> [Domain joined provisioning in an On-premises Certificate Trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment)<br>
@ -45,7 +45,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.| |C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.|
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Azure AD joined provisioning in a Federated environment ## Azure AD joined provisioning in a Federated environment
![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-federated.png) ![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-federated.png)
@ -55,7 +55,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| |B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.| |C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.|
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment ## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment
![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed ennvironment](images/howitworks/prov-haadj-keytrust-managed.png) ![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed ennvironment](images/howitworks/prov-haadj-keytrust-managed.png)
@ -71,7 +71,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment ## Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment
![Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-certtrust-managed.png) ![Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-certtrust-managed.png)
@ -89,7 +89,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
> The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. > The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory.
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment
![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-instant-certtrust-managed.png) ![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-instant-certtrust-managed.png)
@ -106,7 +106,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
> Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow. > Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow.
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment
![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Fedeerated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png) ![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Fedeerated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png)
@ -122,7 +122,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
> [!IMPORTANT] > [!IMPORTANT]
> Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow. > Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow.
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Domain joined provisioning in an On-premises Key Trust deployment ## Domain joined provisioning in an On-premises Key Trust deployment
![Domain joined provisioning in an On-premises Key Trust deployment](images/howitworks/prov-onprem-keytrust.png) ![Domain joined provisioning in an On-premises Key Trust deployment](images/howitworks/prov-onprem-keytrust.png)
@ -133,7 +133,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.| |C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Domain joined provisioning in an On-premises Certificate Trust deployment ## Domain joined provisioning in an On-premises Certificate Trust deployment
![Domain joined provisioning in an On-premises Certificate Trust deployment](images/howitworks/prov-onprem-certtrust.png) ![Domain joined provisioning in an On-premises Certificate Trust deployment](images/howitworks/prov-onprem-certtrust.png)
@ -147,4 +147,4 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.| |F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.|
|G | The application receives the newly issued certificate and installs it into the Personal store of the user. This signals the end of provisioning.| |G | The application receives the newly issued certificate and installs it into the Personal store of the user. This signals the end of provisioning.|
[Return to top](#Windows-Hello-for-Business-Provisioning) [Return to top](#windows-hello-for-business-provisioning)