windows-itpro-docs/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
MaratMussabekov dbfaabe9b0
Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
2020-09-26 23:03:36 +05:00


---
title: Hybrid Windows Hello for Business - Directory Synchronization
description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization
keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect, Windows Hello, AD Connect, key trust, key-trust
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---

Configure Hybrid Windows Hello for Business: Directory Synchronization

Applies to

  • Windows 10, version 1703 or later
  • Hybrid deployment
  • Key trust

Directory Synchronization

In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.

Group Memberships for the Azure AD Connect Service Account

Important

If you already have a Windows Server 2016 domain controller in your domain, you can skip Configure Permissions for Key Synchronization. For more details, see Configure Hybrid Windows Hello for Business: Directory Synchronization.

The Key Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.

Sign in to a domain controller or management workstation with Domain Admin equivalent credentials.

  1. Open Active Directory Users and Computers.
  2. Click the Users container in the navigation pane.
  3. Right-click Key Admins in the details pane and click Properties.
  4. Click the Members tab and click Add.
  5. In the Enter the object names to select text box, type the name of the service account used as an AD DS Connector account and click OK.
  6. Click OK to return to Active Directory Users and Computers.
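The same membership change as a script, added here as an example rather than taken from the original article: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that you run it with Domain Admin equivalent rights, and that the connector account name is a placeholder you replace with your own AD DS Connector account.

```powershell
# Added example (not part of the original article).
# Assumes the ActiveDirectory module and Domain Admin equivalent rights.
Import-Module ActiveDirectory

function Add-ConnectorToKeyAdmins {
    param(
        # sAMAccountName of the AD DS Connector account used by Azure AD Connect
        [Parameter(Mandatory)] [string] $ConnectorAccount,
        [string] $GroupName = 'Key Admins'
    )

    # Key Admins is created for domains that include a Windows Server 2016
    # domain controller; fail with a clear message if it is not there yet.
    try {
        $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    } catch {
        throw "Group '$GroupName' not found; the domain may not have a Windows Server 2016 domain controller yet."
    }

    $account = Get-ADUser -Identity $ConnectorAccount -ErrorAction Stop

    # Skip the add when the account is already a (direct or nested) member,
    # so the script can be re-run safely.
    $currentMembers = (Get-ADGroupMember -Identity $group -Recursive).DistinguishedName
    if ($currentMembers -contains $account.DistinguishedName) {
        Write-Host "$ConnectorAccount is already a member of $GroupName."
    } else {
        Add-ADGroupMember -Identity $group -Members $account
        Write-Host "Added $ConnectorAccount to $GroupName."
    }

    # Verify the result by reading the membership back; return $true/$false
    # so the caller can act on it (for example, stop a deployment script).
    $afterAdd = (Get-ADGroupMember -Identity $group -Recursive).DistinguishedName
    return ($afterAdd -contains $account.DistinguishedName)
}

# Placeholder name: replace with your actual AD DS Connector account.
Add-ConnectorToKeyAdmins -ConnectorAccount 'ADConnectSvc_PLACEHOLDER'
```

Because Key Admins can write the key material attribute for every user in the domain, keep its membership limited to the connector account and review it periodically, for example by running only the Get-ADGroupMember line from the script.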

Section Review


  • Configure group membership for Azure AD Connect



Follow the Windows Hello for Business hybrid key trust deployment guide

  1. Overview
  2. Prerequisites
  3. New Installation Baseline
  4. Configure Directory Synchronization
  5. Configure Azure Device Registration
  6. Configure Windows Hello for Business settings: Directory Synchronization (You are here)
  7. Sign-in and Provision