ms.date | ms.topic |
---|---|
01/03/2024 | include |
Configure a Windows Hello for Business authentication certificate template
During Windows Hello for Business provisioning, the Windows client requests an authentication certificate from AD FS, and AD FS, acting as the enrollment agent, requests that certificate from the CA on behalf of the user. This task configures the certificate template that the CA uses to issue the Windows Hello for Business authentication certificate.
1. Sign in to a CA or management workstation with Domain Administrator equivalent credentials
1. Open the Certification Authority management console
1. Right-click Certificate Templates and select Manage
1. In the Certificate Template Console, right-click the Smartcard Logon template and select Duplicate Template
1. Use the following table to configure the template:
| Tab Name | Configurations |
|---|---|
| Compatibility | - Clear the Show resulting changes check box<br>- Select Windows Server 2016 from the Certification Authority list<br>- Select Windows 10 / Windows Server 2016 from the Certification Recipient list |
| General | - Specify a Template display name, for example WHFB Authentication<br>- Set the validity period to the desired value<br>- Take note of the template name for later; it is the Template display name with the spaces removed (for example WHFBAuthentication) |
| Subject Name | - Select Build from this Active Directory information<br>- Select Fully distinguished name from the Subject name format list<br>- Select the User Principal Name (UPN) check box under Include this information in alternative subject name |
| Cryptography | - Set the Provider Category to Key Storage Provider<br>- Set the Algorithm name to RSA<br>- Set the minimum key size to 2048<br>- Set the Request hash to SHA256 |
| Extensions | - Verify that the Application Policies extension includes Smart Card Logon |
| Issuance Requirements | - Select the This number of authorized signatures check box and type 1 in the text box<br>- Select Application policy from the Policy type required in signature list<br>- Select Certificate Request Agent from the Application policy list<br>- Select the Valid existing certificate option |
| Request Handling | - Select the Renew with same key check box |
| Security | - Select Add<br>- Target an Active Directory security group that contains the users you want to enroll in Windows Hello for Business. For example, if you have a group called Windows Hello for Business Users, type it in the Enter the object names to select text box and select OK<br>- Select Windows Hello for Business Users from the Group or user names list. In the Permissions for Windows Hello for Business Users section, select the Allow check box for the Enroll permission<br>- For every other entry in the Group or user names list (that is, everything except the group above), clear the Allow check box for the Enroll and Autoenroll permissions if they aren't already cleared, so that only the intended group can enroll<br>- Select OK |
6. Select OK to finalize your changes and create the new template
7. Close the console
Mark the template as the Windows Hello Sign-in template
Sign in to a CA or management workstation with Enterprise Administrator equivalent credentials (the template object lives in the Configuration partition of Active Directory).

Open an elevated command prompt and run the following command:

```cmd
certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY
```

If the template was changed successfully, the output of the command contains the old and new values of the template attribute. The new value must include the CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY flag (0x200000). Example:
```
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication
Old Value:
  msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888)
    CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
    CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
    TEMPLATE_SERVER_VER_WINBLUE<<CTPRIVATEKEY_FLAG_SERVERVERSION_SHIFT -- 50000 (327680)
    TEMPLATE_CLIENT_VER_WINBLUE<<CTPRIVATEKEY_FLAG_CLIENTVERSION_SHIFT -- 5000000 (83886080)

New Value:
  msPKI-Private-Key-Flag REG_DWORD = 5250080 (86311040)
    CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
    CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
    TEMPLATE_SERVER_VER_WINBLUE<<CTPRIVATEKEY_FLAG_SERVERVERSION_SHIFT -- 50000 (327680)
    CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -- 200000 (2097152)
    TEMPLATE_CLIENT_VER_WINBLUE<<CTPRIVATEKEY_FLAG_CLIENTVERSION_SHIFT -- 5000000 (83886080)
CertUtil: -dsTemplate command completed successfully.
```
Note

If you gave your Windows Hello for Business authentication certificate template a different name, replace `WHFBAuthentication` in the command above with the name of your certificate template. It's important that you use the template name rather than the template display name: certutil looks the object up by its CN in Active Directory, and the display name with spaces won't resolve. You can view the template name on the General tab of the certificate template in the Certificate Templates console (certtmpl.msc).