Paolo Matarazzo 2a74e340ca updates
2022-11-21 11:18:34 -05:00


---
title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business)
description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business.
ms.date: 4/30/2021
appliesto:
  - <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---

Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning

[!INCLUDE hello-hybrid-key-trust]

Provisioning

Windows Hello for Business provisioning begins immediately after the user has signed in and the user profile is loaded, but before the user receives their desktop. Windows launches the provisioning experience only if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the User Device Registration log in Event Viewer under Applications and Services Logs\Microsoft\Windows.

Figure: Event 358 from the User Device Registration log showing the Windows Hello for Business prerequisite check result.

The first thing to validate is that the computer has processed device registration. You can confirm this in the User Device Registration log, where the check Device is Azure Active Directory-joined (AADJ or DJ++): Yes appears. Additionally, you can validate this with the dsregcmd /status command from a console prompt, where the value for AzureADJoined reads Yes.
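The two checks just described can be scripted on the client. This is an added example, not part of the original article; it assumes the log name 'Microsoft-Windows-User Device Registration/Admin' is the Event Viewer log the article refers to, that Event ID 358 carries the prerequisite check result as 'Name: Yes/No' lines, and that dsregcmd /status prints an 'AzureAdJoined : YES' line.

```powershell
# Added example (not from the original article). Log name, event ID 358 and the
# dsregcmd output format are assumptions based on the article's description.
$logName = 'Microsoft-Windows-User Device Registration/Admin'

function Get-WhfbPrereqEvent {
    # Most recent Event 358 (prerequisite check result), or nothing if none exists.
    Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 358 } -MaxEvents 1 -ErrorAction SilentlyContinue
}

function Test-AzureAdJoined {
    # Parse the 'AzureAdJoined' line of dsregcmd /status; returns $true only on YES.
    $line = dsregcmd /status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*(\S+)' | Select-Object -First 1
    if (-not $line) { return $false }
    return $line.Matches[0].Groups[1].Value -ieq 'YES'
}

$evt = Get-WhfbPrereqEvent
if ($evt) {
    Write-Host "Event 358 logged at $($evt.TimeCreated):"
    # Each prerequisite in the event message is a 'Name: Yes/No' line; flag the failed ones.
    $evt.Message -split "`r?`n" |
        Where-Object { $_ -match ':\s*(Yes|No)\s*$' } |
        ForEach-Object {
            $status = if ($_ -match ':\s*No\s*$') { 'FAIL' } else { 'ok  ' }
            Write-Host "  [$status] $($_.Trim())"
        }
} else {
    Write-Warning "No Event 358 found in '$logName'; the prerequisite checks have not run on this device."
}

if (Test-AzureAdJoined) {
    Write-Host 'dsregcmd /status: AzureAdJoined = YES (device registration complete)'
} else {
    Write-Warning 'dsregcmd /status: AzureAdJoined is not YES; device registration has not completed.'
}
```

Run it in the signed-in user's session; a FAIL line or a non-YES AzureAdJoined value explains why the Setup a PIN page never appears.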

Windows Hello for Business provisioning begins with a full screen page with the title Setup a PIN and button with the same name. The user clicks Setup a PIN.

Figure: The Setup a PIN page during provisioning.

The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails, or times out. A failed or timed-out MFA attempt results in an error and asks the user to retry.

Figure: The MFA prompt during provisioning.

After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment.

Figure: Creating a PIN during provisioning.

At this point the provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment:

  • A successful single factor authentication (username and password at sign-in)
  • A device that has successfully completed device registration
  • A fresh, successful multi-factor authentication
  • A validated PIN that meets the PIN complexity requirements

The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (the TPM is required if policy explicitly mandates it). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. Azure Active Directory Connect then synchronizes the user's key to the on-premises Active Directory.

Important

The following is the enrollment behavior prior to Windows Server 2016 update KB4088889 (14393.2155).

The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory. Once synchronized, the user can authenticate and use on-premises resources. Read Azure AD Connect sync: Scheduler to view and adjust the synchronization cycle for your organization.

[!NOTE] Windows Server 2016 update KB4088889 (14393.2155) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.

After a successful key registration, Windows creates a certificate request using the same key pair. Windows sends the certificate request to the AD FS server for certificate enrollment.

The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.

Note

In order for AD FS to verify the key used in the certificate request, it needs to be able to access the https://enterpriseregistration.windows.net endpoint.

The certificate authority validates that the certificate request was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows, which installs it in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user through the Windows Action Center that they can use their PIN to sign in.
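The end state of the flow above, and of the key synchronization described earlier, can be verified from the provisioned user's session. This is an added example, not part of the original article; it assumes a domain-joined client with the RSAT ActiveDirectory module, that the synchronized public key lands in the user's msDS-KeyCredentialLink attribute, that the Windows Hello key is held by the 'Microsoft Passport Key Storage Provider', and that the issued certificate carries the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2).

```powershell
# Added example (not from the original article). The attribute name, KSP name and
# EKU OID below are assumptions about where Windows Hello for Business artifacts live.
Import-Module ActiveDirectory

function Test-KeySyncedToAd {
    param([string]$SamAccountName = $env:USERNAME)
    # Azure AD Connect writes the registered public key into msDS-KeyCredentialLink;
    # an empty value means the sync cycle has not delivered the key yet.
    $u = Get-ADUser -Identity $SamAccountName -Properties 'msDS-KeyCredentialLink'
    return ($null -ne $u.'msDS-KeyCredentialLink') -and ($u.'msDS-KeyCredentialLink'.Count -gt 0)
}

function Get-WhfbCertificate {
    # Certificates in the current user's store with the Smart Card Logon EKU whose
    # private key is held by the Windows Hello KSP (the same key pair that was registered).
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2') -and
        ([System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)).Key.Provider.Provider -eq 'Microsoft Passport Key Storage Provider'
    }
}

function Test-WhfbCertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain to the issuing CA; failures are reported with the chain status text.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $ok = $chain.Build($Cert)
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation } }
    return $ok
}

if (Test-KeySyncedToAd) {
    Write-Host 'msDS-KeyCredentialLink is populated: the public key has synchronized to on-premises AD.'
} else {
    Write-Warning 'msDS-KeyCredentialLink is empty: the public key has not yet synchronized from Azure AD.'
}

$certs = @(Get-WhfbCertificate)
if ($certs.Count -eq 0) { Write-Warning 'No Windows Hello for Business certificate found in the current user store.' }
foreach ($c in $certs) {
    Write-Host ('Certificate {0} issued by {1}, expires {2}' -f $c.Thumbprint, $c.Issuer, $c.NotAfter)
    Write-Host ('  chain builds to a trusted CA: {0}' -f (Test-WhfbCertChain -Cert $c))
}
```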

Follow the Windows Hello for Business hybrid certificate trust deployment guide

  1. Overview
  2. Prerequisites
  3. New Installation Baseline
  4. Configure Azure Device Registration
  5. Configure Windows Hello for Business policy settings
  6. Sign-in and Provision (You are here)