minor fixes to hybrid cert trust deployment guide

Added "PIN caching" entry in FAQ
2025-05-13 13:57:22 +00:00 · 2017-09-04 15:58:10 -07:00 · 2017-09-04 15:58:10 -07:00 · ff22840df0
commit ff22840df0
parent c3eef8edd2
4 changed files with 27 additions and 12 deletions
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
@ -60,8 +60,6 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva
 ### Section Review

 > [!div class="checklist"]
-> * Identify the schema role domain controller 
-> * Update the Active Directory Schema to Windows Server 2016
 > * Create the KeyCredential Admins Security group (optional)
 > * Create the Windows Hello for Business Users group

--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@ -52,21 +52,17 @@ This warning indicates that you have not configured multi-factor authentication

 ### Group Memberships for the AD FS Service Account

-The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration.  The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.
+The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.

 Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.

 1. Open **Active Directory Users and Computers**.
 2. Click the **Users** container in the navigation pane.
-3. Right-click **KeyCredential Admins** in the details pane and click **Properties**.
+3. Right-click **Windows Hello for Business Users** group
 4. Click the **Members** tab and click **Add**
 5. In the **Enter the object names to select** text box, type **adfssvc**.  Click **OK**.
-6. Click **OK** to return to **Active Directory Users and Computers**.
-7. Right-click **Windows Hello for Business Users** group
-8. Click the **Members** tab and click **Add**
-9. In the **Enter the object names to select** text box, type **adfssvc**.  Click **OK**.
-10.	Click **OK** to return to **Active Directory Users and Computers**.
-11.	Change to server hosting the AD FS role and restart it.
+6.	Click **OK** to return to **Active Directory Users and Computers**.
+7.	Restart the AD FS server.

 ### Section Review
 > [!div class="checklist"]
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@ -29,7 +29,7 @@ In hybrid deployments, users register the public portion of their Windows Hello
 The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.

 > [!IMPORTANT]
-> If you already have a Windows Server 2016 domain controller in your forest, you can skip **Configure Permissions for Key Synchronization**.
+> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**.

 ### Configure Permissions for Key Syncrhonization

@ -45,10 +45,28 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv
 8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**.
 9. Click **OK** three times to complete the task. 

+
+### Group Memberships for the Azure AD Connect Service Account
+
+The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.  
+
+Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
+
+1. Open **Active Directory Users and Computers**.
+2. Click the **Users** container in the navigation pane.
+>[!IMPORTANT]
+> If you already have a Windows Server 2016 domain controller in your domain, use the Keyadmins group in the next step, otherwise use the KeyCredential admins group you previously created.
+
+3. Right-click either the **KeyAdmins** or **KeyCredential Admins** in the details pane and click **Properties**.
+4. Click the **Members** tab and click **Add**
+5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account.  Click **OK**.
+6. Click **OK** to return to **Active Directory Users and Computers**.
+
 ### Section Review

 > [!div class="checklist"]
 > * Configure Permissions for Key Synchronization
+> * Configure group membership for Azure AD Connect

 >[!div class="step-by-step"]
 [< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
--- a/windows/access-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/access-protection/hello-for-business/hello-identity-verification.md
@ -78,7 +78,7 @@ There are many deployment options from which to choose. Some of those options re
 Windows Hello for Business is two-factor authentication based the observed authentication factors of: something you have, something you know, and something part of you.  Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".

 ### Can I use PIN and biometrics to unlock my device?
-No. Windows Hello for Business provides two-factor authentication. However, we are investigating the ability to unlock the device with multiple factors.
+No. Windows Hello for Business provides two-factor authentication. However, we are investigating the ability to unlock the desktop with additional factors.

 ### What is the difference between Windows Hello and Windows Hello for Business
 Windows Hello represents the biometric framework provided in Windows 10.  Windows Hello enables users to use biometrics to sign into their devices by securely storing their username and password and releasing it for authentication when the user successfully identifies themselves using biometrics.  Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.
@ -98,3 +98,6 @@ Windows Hello for Business can work with any third-party federation servers that

 ### Does Windows Hello for Business work with Mac and Linux clients?
 Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms.  However, Microsoft is open to third parties who are interested in moving these platforms away from passwords.  Interested third parties can inqury at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration)
+
+### How does PIN caching work with Windows Hello for Business?
+Windows Hello for Business securely caches the key rather than the PIN using a ticketing system.  Azure AD and Active Directory sign-in keys are cached under lock.  This means the keys remain available for use without prompting as long as the user is interactively signed-in.  Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key.  Windows 10 does not provide any Group Policy settings to adjust this caching.