windows-itpro-docs/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
Nicholas Brower 1ae3f0b230 Merged PR 4822: "msdate update (generated from most recent commit date)"
2017-12-05 22:36:05 +00:00


title: Validate Active Directory prerequisites (Windows Hello for Business)
description: How to Validate Active Directory prerequisites for Windows Hello for Business
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
ms.localizationpriority: high
ms.author: daniha
ms.date: 10/23/2017

Validate Active Directory prerequisites

Applies to

  • Windows 10

This guide only applies to Windows 10, version 1703 or higher.

Key trust deployments need an adequate number of Windows Server 2016 domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the "Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments" section of the Windows Hello for Business planning guide.

The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for a Windows Hello for Business deployment are Windows Server 2008 R2.

Create the Windows Hello for Business Users Security Global Group

The Windows Hello for Business Users group makes it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group, so bringing users into the deployment only requires adding them to the group. Membership gives users the proper permissions to provision Windows Hello for Business.

Sign in to a domain controller or management workstation with Domain Admin equivalent credentials.

  1. Open Active Directory Users and Computers.
  2. Click View and click Advanced Features.
  3. Expand the domain node from the navigation pane.
  4. Right-click the Users container. Click New. Click Group.
  5. Type Windows Hello for Business Users in the Group Name text box.
  6. Click OK.
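
The following PowerShell script is an added example, not part of the original guide. It checks the prerequisites described above (schema version, functional levels, presence of Windows Server 2016 domain controllers) and then creates the group from the steps above. It assumes the ActiveDirectory module (RSAT) is installed and the session runs with Domain Admin equivalent credentials; the "at least one" domain controller threshold is an assumption, since an adequate number depends on the planning guide.

```powershell
#Requires -Modules ActiveDirectory
# Added example: validate the AD prerequisites, then create the group idempotently.
$ErrorActionPreference = 'Stop'
$groupName = 'Windows Hello for Business Users'

$rootDse = Get-ADRootDSE
$domain  = Get-ADDomain

# Schema: objectVersion 87 is the Windows Server 2016 schema.
$schema = Get-ADObject $rootDse.schemaNamingContext -Properties objectVersion

# Functional levels: msDS-Behavior-Version 4 is Windows Server 2008 R2.
$level = 'msDS-Behavior-Version'
$partitionsDn = "CN=Partitions,$($rootDse.configurationNamingContext)"
$forestLevel = (Get-ADObject $partitionsDn -Properties $level).$level
$domainLevel = (Get-ADObject $domain.DistinguishedName -Properties $level).$level

# Domain controllers that report a Windows Server 2016 operating system.
$dc2016 = @(Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -like '*2016*' })

$checks = [ordered]@{
    'Schema is Windows Server 2016 (objectVersion >= 87)'   = $schema.objectVersion -ge 87
    'Forest functional level >= Windows Server 2008 R2'     = $forestLevel -ge 4
    'Domain functional level >= Windows Server 2008 R2'     = $domainLevel -ge 4
    "Windows Server 2016 DCs found: $($dc2016.Count) (>= 1)" = $dc2016.Count -ge 1
}
foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0}  {1}' -f $status, $check.Key)
}
if ($checks.Values -contains $false) {
    throw 'Active Directory prerequisites are not met; group not created.'
}

# Create the global security group in the Users container, unless it exists.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security `
        -Path $domain.UsersContainer -PassThru
}
# A pre-existing group with the same name must still be a global security group.
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "'$groupName' exists but is $($group.GroupScope)/$($group.GroupCategory)."
}
Write-Output "Group ready: $($group.DistinguishedName)"
```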

Follow the Windows Hello for Business on premises certificate trust deployment guide

  1. Validate Active Directory prerequisites (You are here)
  2. Validate and Configure Public Key Infrastructure
  3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services
  4. Validate and Deploy Multifactor Authentication Services (MFA)
  5. Configure Windows Hello for Business Policy settings