pull from pm-20240206-docfx
@ -487,7 +487,7 @@
},
{
"source_path": "windows/configuration/lockdown-features-windows-10.md",
"redirect_url": "/windows/configuration/kiosk/lockdown-features-windows-10",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/kiosk/lockdown-features-windows-10",
"redirect_document_id": false
},
{
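Review bot: the `redirect_url` for `windows/configuration/lockdown-features-windows-10.md` now leaves the docset (`/previous-versions/windows/it-pro/windows-10/configuration/kiosk/lockdown-features-windows-10`) instead of pointing at the in-repo kiosk page, and the kiosk article itself ("Lockdown features from Windows Embedded 8.1 Industry") is deleted further down in this PR; confirm the previous-versions page is actually published before merging, otherwise both the old URL and the kiosk URL end in a 404 with nothing left in the repo to fall back on.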
@ -574,6 +574,16 @@
"source_path": "windows/configuration/windows-spotlight.md",
"redirect_url": "/windows/configuration/lock-screen/windows-spotlight",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/lockdown-features-windows-10.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/kiosk/lockdown-features-windows-10",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md",
"redirect_url": "/windows/configuration/kiosk/find-aumid",
"redirect_document_id": false
}
]
}
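Review bot: the `find-the-application-user-model-id-of-an-installed-app.md` → `/windows/configuration/kiosk/find-aumid` entry is a rename of a live article (its body is edited later in this same PR), so `"redirect_document_id": true` is the usual setting to carry the document id across the move; `false` is right for the two `lockdown-features-windows-10` entries, which retire the page to previous-versions.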
@ -36,7 +36,6 @@ Stickers aren't enabled by default. Follow the instructions below to configure y
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|

[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]

> [!TIP]
> Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. <sup>[1](#footnote1)</sup>
@ -52,14 +51,13 @@ Content-Type: application/json

#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)

To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings:
[!INCLUDE [provisioning-package-1](../../includes/configure/provisioning-package-1.md)]

| Setting |
|--------|
| <li> Path: **`Education/AllowStickers`** </li><li>Value: **True**</li>|

Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.

[!INCLUDE [provisioning-package-2](../../includes/configure/provisioning-package-2.md)]
---

## How to use Stickers
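Review bot: `[!INCLUDE [provisioning-package-2](...)]` is followed directly by the `---` tab terminator with no blank line; in CommonMark a `---` line under a paragraph line is a setext heading underline, so the include line risks rendering as an H2 instead of closing the tab group. Add a blank line before `---`, and for the same reason separate the "To configure devices using a provisioning package…" sentence from `[!INCLUDE [provisioning-package-1](...)]` with a blank line so it is parsed as a block include rather than a continuation of the paragraph (the same pattern recurs under "Create a provisioning package using Windows Configuration Designer" in the Take a Test article).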
@ -76,8 +74,3 @@ Multiple stickers can be added from the picker by selecting them. The stickers c
:::image type="content" source="./images/win-11-se-stickers-animation.gif" alt-text="animation showing Windows 11 SE desktop with 4 pirate stickers being resized and moved" border="true":::

Select the *X button* at the top of the screen to save your progress and close the sticker editor.

[MEM-1]: /mem/intune/configuration/custom-settings-windows-10

[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
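Review bot: dropping the `[MEM-1]: /mem/intune/configuration/custom-settings-windows-10` definition leaves any remaining `[…][MEM-1]` reference in the Stickers article dangling (it renders as literal brackets); the Intune custom-policy link now comes from the `intune-custom-settings-1.md` include, so grep the article for `MEM-1` before merging.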
@ -68,7 +68,6 @@ To configure devices using Intune for Education, follow these steps:
:::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true":::

[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]

#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)

@ -85,7 +84,7 @@ Create a provisioning package using the Set up School PCs app, configuring the s

### Create a provisioning package using Windows Configuration Designer

[Create a provisioning package][WIN-1] using Windows Configuration Designer with the following settings:
[!INCLUDE [provisioning-package-1](../../includes/configure/provisioning-package-1.md)]

| Setting |
|--------|
@ -99,22 +98,11 @@ Create a provisioning package using the Set up School PCs app, configuring the s

:::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true":::

Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
[!INCLUDE [provisioning-package-2](../../includes/configure/provisioning-package-2.md)]

#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell)

Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).

> [!TIP]
> PowerShell scripts can be executed as scheduled tasks via Group Policy.

> [!IMPORTANT]
> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
>
> To test a PowerShell script, you can:
> 1. [Download the psexec tool](/sysinternals/downloads/psexec)
> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
> 1. Run the script in the PowerShell session
[!INCLUDE [powershell-wmi-bridge-1](../../includes/configure/powershell-wmi-bridge-1.md)]

Edit the following sample PowerShell script to:

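Review bot: the `> [!TIP]` callout ("PowerShell scripts can be executed as scheduled tasks via Group Policy.") that this tab loses has no counterpart in the new `powershell-wmi-bridge-1.md` include, which carries only the IMPORTANT callout and the psexec steps, so the tip silently disappears from the article; either add it to the include or keep it here after the `[!INCLUDE [powershell-wmi-bridge-1](...)]` line. Also put a blank line between the "Follow the steps in [Apply a provisioning package][WIN-2]…" sentence and `[!INCLUDE [provisioning-package-2](...)]` so the include is parsed as its own block.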
@ -171,6 +159,8 @@ $cimObject.HideFastUserSwitching = 1
Set-CimInstance -CimInstance $cimObject
```

[!INCLUDE [powershell-wmi-bridge-2](../../includes/configure/powershell-wmi-bridge-2.md)]

#### [:::image type="icon" source="images/icons/settings.svg"::: **Settings app**](#tab/settings)

To create a local account, and configure Take a Test in kiosk mode using the Settings app:
BIN
images/insider.png
Normal file
After Width: | Height: | Size: 17 KiB |
@ -6,11 +6,4 @@ ms.topic: include
ms.service: windows-client
---

To configure devices with Microsoft Intune, use a custom policy:

1. Go to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
2. Select **Devices > Configuration profiles > Create profile**
3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
4. Select **Create**
5. Specify a **Name** and, optionally, a **Description > Next**
6. Add the following settings:
To configure devices with Microsoft Intune, [create a custom policy](/mem/intune/configuration/custom-settings-windows-10) and use the following settings:
@ -6,7 +6,4 @@ ms.topic: include
ms.service: windows-client
---

7. Select **Next**
8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
9. Under **Applicability Rules**, select **Next**
10. Review the policy configuration and select **Create**
Assign the policy to a group that contains as members the devices or users that you want to configure.
@ -1,9 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
ms.service: windows-client
---

For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
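Review bot: deleting `intune-custom-settings-info.md` breaks the build for any article that still includes it; the Stickers and Take a Test hunks in this PR appear to drop their `[!INCLUDE [intune-custom-settings-info](...)]` lines, but grep the whole docset for that include name before merging. The link this include carried is now in `intune-custom-settings-1.md`, so no information is lost.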
18
includes/configure/powershell-wmi-bridge-1.md
Normal file
@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/12/2023
ms.topic: include
ms.prod: windows-client
---

Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal).

> [!IMPORTANT]
> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.

To test the PowerShell script, you can:

1. [Download the psexec tool](/sysinternals/downloads/psexec)
1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
1. Run the script in the PowerShell session
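Review bot: the front matter uses `ms.prod: windows-client`, while the other includes touched in this PR (`intune-custom-settings-1.md`, `intune-custom-settings-2.md`, the deleted `intune-custom-settings-info.md`) use `ms.service: windows-client`; use `ms.service` here, and likewise in `powershell-wmi-bridge-2.md` and the new assigned-access XML include, which carry the same `ms.prod` key. Keeping the `psexec.exe -i -s powershell.exe` step directly under the IMPORTANT callout is the right placement, since that command is what makes the script run as SYSTEM.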
9
includes/configure/powershell-wmi-bridge-2.md
Normal file
@ -0,0 +1,9 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/12/2023
ms.topic: include
ms.prod: windows-client
---

For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
@ -7,7 +7,7 @@ ms.date: 01/11/2024

:::row:::
:::column span="1":::
:::image type="content" source="insider.png" alt-text="Logo of Windows Insider." border="false":::
:::image type="content" source="../images/insider.png" alt-text="Logo of Windows Insider." border="false":::
:::column-end:::
:::column span="3":::
> [!IMPORTANT]
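Review bot: the image source moves from `insider.png` to `../images/insider.png`, while the binary added in this PR is listed as `images/insider.png`; the relative path only resolves if this include sits one directory below the folder that holds `images/` (for example under `includes/`), so confirm it from the include's actual location, since a broken `:::image:::` source fails the build.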
88
windows/configuration/images/icons/explorer.svg
Normal file
@ -0,0 +1,88 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0_37_2817)">
<path d="M17.116 3H7.14404L6.4748 2.16348C6.30918 1.95645 6.09912 1.78933 5.86016 1.67448C5.62121 1.55963 5.35948 1.5 5.09436 1.5H0.89175C0.657331 1.50001 0.432516 1.59314 0.266759 1.7589C0.101002 1.92466 0.00787898 2.14948 0.007875 2.3839V3H0V15.6272C0.00147129 15.8601 0.0954272 16.083 0.261198 16.2466C0.42697 16.4103 0.650977 16.5015 0.883943 16.5H17.116C17.349 16.5015 17.573 16.4103 17.7388 16.2466C17.9046 16.0829 17.9985 15.8601 18 15.6272V3.87282C17.9985 3.63986 17.9045 3.41704 17.7388 3.25335C17.573 3.08967 17.349 2.99854 17.116 3Z" fill="url(#paint0_linear_37_2817)"/>
<mask id="mask0_37_2817" style="mask-type:alpha" maskUnits="userSpaceOnUse" x="0" y="1" width="18" height="16">
<path d="M17.116 3H7.14404L6.4748 2.16348C6.30918 1.95645 6.09912 1.78933 5.86016 1.67448C5.62121 1.55963 5.35948 1.5 5.09436 1.5H0.89175C0.657331 1.50001 0.432516 1.59314 0.266759 1.7589C0.101002 1.92466 0.00787898 2.14948 0.007875 2.3839V3H0V15.6272C0.00147129 15.8601 0.0954272 16.083 0.261198 16.2466C0.42697 16.4103 0.650977 16.5015 0.883943 16.5H17.116C17.349 16.5015 17.573 16.4103 17.7388 16.2466C17.9046 16.0829 17.9985 15.8601 18 15.6272V3.87282C17.9985 3.63986 17.9045 3.41704 17.7388 3.25335C17.573 3.08967 17.349 2.99854 17.116 3Z" fill="url(#paint1_linear_37_2817)"/>
</mask>
<g mask="url(#mask0_37_2817)">
<g filter="url(#filter0_dd_37_2817)">
<path d="M15.375 4.5H1.125C0.50368 4.5 0 5.00368 0 5.625V8.625C0 9.24632 0.50368 9.75 1.125 9.75H15.375C15.9963 9.75 16.5 9.24632 16.5 8.625V5.625C16.5 5.00368 15.9963 4.5 15.375 4.5Z" fill="#C4C4C4"/>
</g>
</g>
<path d="M7.72545 3.75004C7.43133 3.74413 7.1429 3.83149 6.9015 3.99961C6.45374 4.32633 5.91378 4.50239 5.3595 4.50238H0.883928C0.649495 4.50238 0.424665 4.59551 0.258896 4.76128C0.0931278 4.92705 0 5.15188 0 5.38631L0 16.3662C1.98897e-05 16.6006 0.0931558 16.8254 0.258922 16.9912C0.424687 17.1569 0.649506 17.25 0.883928 17.25H17.116C17.3505 17.25 17.5753 17.1569 17.7411 16.9912C17.9068 16.8254 18 16.6006 18 16.3662V4.63396C18 4.51788 17.9771 4.40294 17.9327 4.2957C17.8883 4.18845 17.8232 4.09101 17.7411 4.00893C17.659 3.92684 17.5616 3.86174 17.4543 3.81732C17.3471 3.7729 17.2321 3.75003 17.116 3.75004H7.72545Z" fill="url(#paint2_linear_37_2817)"/>
<path opacity="0.3" d="M17.1161 3.75076H7.72883C7.44177 3.74115 7.15906 3.82284 6.92137 3.98408C6.43763 4.34022 5.84803 4.52305 5.24767 4.50308H0.883943C0.767861 4.50308 0.652915 4.52594 0.54567 4.57037C0.438425 4.61479 0.340979 4.6799 0.258898 4.76199C0.176816 4.84407 0.111706 4.94152 0.0672838 5.04876C0.0228621 5.15601 -9.84791e-07 5.27095 1.27287e-10 5.38703L1.27287e-10 6.13703C-1.96976e-06 6.02095 0.0228605 5.90601 0.0672821 5.79876C0.111704 5.69152 0.176814 5.59407 0.258896 5.51199C0.340978 5.42991 0.438424 5.3648 0.54567 5.32037C0.652916 5.27595 0.767861 5.25309 0.883943 5.25309H5.37891C6.01545 5.25927 6.63978 5.07825 7.17428 4.73251C7.4098 4.57627 7.6873 4.49544 7.96988 4.50076H17.116C17.2321 4.50075 17.3471 4.5236 17.4543 4.56802C17.5616 4.61243 17.659 4.67754 17.7411 4.75962C17.8232 4.8417 17.8883 4.93914 17.9327 5.04639C17.9771 5.15363 18 5.26858 18 5.38466V4.63466C18 4.51858 17.9771 4.40364 17.9327 4.2964C17.8883 4.18916 17.8232 4.09172 17.7411 4.00964C17.6591 3.92756 17.5616 3.86246 17.4544 3.81804C17.3471 3.77362 17.2322 3.75076 17.1161 3.75076V3.75076Z" fill="url(#paint3_linear_37_2817)"/>
<mask id="mask1_37_2817" style="mask-type:alpha" maskUnits="userSpaceOnUse" x="0" y="3" width="18" height="15">
<path d="M7.72545 3.75004C7.43133 3.74413 7.1429 3.83149 6.9015 3.99961C6.45374 4.32633 5.91378 4.50239 5.3595 4.50238H0.883928C0.649495 4.50238 0.424665 4.59551 0.258896 4.76128C0.0931278 4.92705 0 5.15188 0 5.38631L0 16.3662C1.98897e-05 16.6006 0.0931558 16.8254 0.258922 16.9912C0.424687 17.1569 0.649506 17.25 0.883928 17.25H17.116C17.3505 17.25 17.5753 17.1569 17.7411 16.9912C17.9068 16.8254 18 16.6006 18 16.3662V4.63396C18 4.51788 17.9771 4.40294 17.9327 4.2957C17.8883 4.18845 17.8232 4.09101 17.7411 4.00893C17.659 3.92684 17.5616 3.86174 17.4543 3.81732C17.3471 3.7729 17.2321 3.75003 17.116 3.75004H7.72545Z" fill="url(#paint4_linear_37_2817)"/>
</mask>
<g mask="url(#mask1_37_2817)">
<g filter="url(#filter1_dd_37_2817)">
<path d="M5.25 12H12.75C13.3467 12 13.919 12.2371 14.341 12.659C14.7629 13.081 15 13.6533 15 14.25V17.25H3V14.25C3 13.6533 3.23705 13.081 3.65901 12.659C4.08097 12.2371 4.65326 12 5.25 12V12Z" fill="url(#paint5_linear_37_2817)"/>
</g>
</g>
<path d="M5.25 12H12.75C13.3467 12 13.919 12.2371 14.341 12.659C14.7629 13.081 15 13.6533 15 14.25V17.25H3V14.25C3 13.6533 3.23705 13.081 3.65901 12.659C4.08097 12.2371 4.65326 12 5.25 12V12Z" fill="url(#paint6_linear_37_2817)"/>
<path d="M12.375 14.25H5.625C5.41789 14.25 5.25 14.4179 5.25 14.625C5.25 14.8321 5.41789 15 5.625 15H12.375C12.5821 15 12.75 14.8321 12.75 14.625C12.75 14.4179 12.5821 14.25 12.375 14.25Z" fill="#114A8B"/>
</g>
<defs>
<filter id="filter0_dd_37_2817" x="-1.5" y="3" width="19.5" height="8.25" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="0.25"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.1 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_37_2817"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="0.75"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.2 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_37_2817" result="effect2_dropShadow_37_2817"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_37_2817" result="shape"/>
</filter>
<filter id="filter1_dd_37_2817" x="1.5" y="10.5" width="15" height="8.25" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="0.25"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.1 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_37_2817"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="0.75"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.2 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_37_2817" result="effect2_dropShadow_37_2817"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_37_2817" result="shape"/>
</filter>
<linearGradient id="paint0_linear_37_2817" x1="13.1828" y1="16.9947" x2="4.5833" y2="2.10007" gradientUnits="userSpaceOnUse">
<stop offset="0.1135" stop-color="#D18B00"/>
<stop offset="0.6162" stop-color="#E09F00"/>
</linearGradient>
<linearGradient id="paint1_linear_37_2817" x1="13.1828" y1="16.9947" x2="4.5833" y2="2.10007" gradientUnits="userSpaceOnUse">
<stop offset="0.1135" stop-color="#D18B00"/>
<stop offset="0.6162" stop-color="#E09F00"/>
</linearGradient>
<linearGradient id="paint2_linear_37_2817" x1="13.9722" y1="19.1122" x2="4.62611" y2="2.92425" gradientUnits="userSpaceOnUse">
<stop stop-color="#F5B300"/>
<stop offset="0.5" stop-color="#FFCB3C"/>
<stop offset="1" stop-color="#FFD762"/>
</linearGradient>
<linearGradient id="paint3_linear_37_2817" x1="1.27287e-10" y1="4.94352" x2="18" y2="4.94352" gradientUnits="userSpaceOnUse">
<stop stop-color="white"/>
<stop offset="1" stop-color="white" stop-opacity="0"/>
</linearGradient>
<linearGradient id="paint4_linear_37_2817" x1="13.9722" y1="19.1122" x2="4.62611" y2="2.92425" gradientUnits="userSpaceOnUse">
<stop stop-color="#F5B300"/>
<stop offset="0.5" stop-color="#FFCB3C"/>
<stop offset="1" stop-color="#FFD762"/>
</linearGradient>
<linearGradient id="paint5_linear_37_2817" x1="10.7628" y1="18.5014" x2="6.59164" y2="11.2768" gradientUnits="userSpaceOnUse">
<stop stop-color="#0062B4"/>
<stop offset="1" stop-color="#1493DF"/>
</linearGradient>
<linearGradient id="paint6_linear_37_2817" x1="10.7628" y1="18.5014" x2="6.59164" y2="11.2768" gradientUnits="userSpaceOnUse">
<stop stop-color="#0062B4"/>
<stop offset="1" stop-color="#1493DF"/>
</linearGradient>
<clipPath id="clip0_37_2817">
<rect width="18" height="18" fill="white"/>
</clipPath>
</defs>
</svg>
After Width: | Height: | Size: 8.5 KiB |
9
windows/configuration/images/icons/registry.svg
Normal file
After Width: | Height: | Size: 12 KiB |
@ -1,15 +1,24 @@
---
title: Find the Application User Model ID of an installed app
description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device.
ms.topic: article
ms.date: 12/31/2017
description: Learn how to find the Application User Model ID (AUMID) of the appications installed on a Windows device.
ms.topic: how-to
ms.date: 02/05/2023
---

# Find the Application User Model ID of an installed app

To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. You can find the AUMID by using Windows PowerShell, File Explorer, or the registry.
Windows uses Application User Model Id (AUMID, also known as AppId) values to identify and differentiate applications for switching, launching, telemetry, and other functions.\
AUMID are unique to each installed application, and independent of the installation path or the application's display name.

## To find the AUMID by using Windows PowerShell
To configure Assigned Access, you must use the AUMID of the apps installed on a device. This article describes how to find the AUMID of an installed app.

## How to find the AUMID

You can find an application's AUMID by using Windows PowerShell, File Explorer, or the registry.

Follow the instructions to retrieve AUMIDs, selecting the tool of your choice.

#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)

To get the names and AUMIDs for all apps installed for the current user, open a Windows PowerShell command prompt and enter the following command:

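Review bot: typo in the new `description:` line, `appications` should be `applications`. The new `ms.date: 02/05/2023` also looks like a slip for `02/05/2024`, the date on the new include added in this PR and the one implied by the `pm-20240206-docfx` branch; and `AUMID are unique to each installed application` should read `AUMIDs are unique`.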
@ -36,17 +45,49 @@ $aumidList

You can add the `-user <username>` or the `-allusers` parameters to the **Get-AppxPackage** cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters.

## To find the AUMID by using File Explorer
<!-- new

In PowerShell Get-StartApps will list the AUMID values for apps that appear in the start menu (those that are hidden don't appear).

```powershell
$apps = Get-AppxPackage *calc* # remove param to see *all*
foreach ($app in $apps) {
$man = Get-AppxPackageManifest $app
$appIds = $man.Package.Applications.Application.Id
foreach ($id in $appIds) {
"$($app.PackageFamilyName)!$id"
}
}
```

Powershell to display the AppId for the calc application (a packaged UWP App).

```powershell
$apps = Get-AppxPackage *calc* # remove param to see *all*
foreach ($app in $apps) {
$man = Get-AppxPackageManifest $app
$appIds = $man.Package.Applications.Application.Id
foreach ($id in $appIds) {
"$($app.PackageFamilyName)!$id"
}
}
```
-->

#### [:::image type="icon" source="../images/icons/explorer.svg"::: **Explorer**](#tab/explorer)

Start.Run… shell:appsfolder to open File Explorer on the AppsFolder.

To get the names and AUMIDs for all apps installed for the current user, perform the following steps:

1. Open **Run**, enter **shell:Appsfolder**, and select **OK**.
1. A File Explorer window opens. Press **Alt** > **View** > **Choose details**.
1. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.)
1. Select **Start** > **Run**, enter `shell:Appsfolder`, and select **OK**
1. A File Explorer window opens. Press <kbd>Alt</kbd>+<kbd>V</kbd> > **Choose details**
1. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to c
1. Change the **View** setting from **Tiles** to **Details**


:::image type="content" source="images/aumid-file-explorer.png" alt-text="Screenshot of the File Explorer showing the AUMID details." border="false":::

## To find the AUMID of an installed app for the current user by using the registry
#### [:::image type="icon" source="../images/icons/registry.svg"::: **Registry**](#tab/registry)

Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device.

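Review bot: the new step `1. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to c` is cut off mid-sentence; since the following step now reads `Change the **View** setting from **Tiles** to **Details**`, drop the parenthetical and end the line at `**OK**`. The `<!-- new … -->` block above the Explorer tab is draft material: it holds two identical copies of the `Get-AppxPackage *calc*` / `Get-AppxPackageManifest` script, and the line `Start.Run… shell:appsfolder to open File Explorer on the AppsFolder.` sits outside the comment, so it renders; either fold one copy into the PowerShell tab as a real example and delete the rest, or remove the whole block before merge. If the empty image `` is meant to stay, it should go too.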
@ -56,6 +97,8 @@ At a command prompt, type the following command:
reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"
```

---

### Example to get AUMIDs of the installed apps for the specified user

The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user.
Before Width: | Height: | Size: 28 KiB After Width: | Height: | Size: 418 KiB |
After Width: | Height: | Size: 837 KiB |
Before Width: | Height: | Size: 12 KiB |
Before Width: | Height: | Size: 35 KiB |
@ -0,0 +1,59 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
ms.prod: windows-client
---

```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v2="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config"
xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads"/>
<v3:AllowRemovableDrives/>
</rs5:FileExplorerNamespaceRestrictions>
<win11:StartPins>
<![CDATA[{
"pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
{"packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
]
}]]>
</win11:StartPins>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="Library Kiosk"/>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
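Review bot: `<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />` puts a file path in the `AppUserModelId` attribute; the other desktop entries in the same `<AllowedApps>` list (cmd.exe, Powershell.exe, explorer.exe) use `DesktopAppPath`, so this should be `<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />`, otherwise the `Microsoft Edge.lnk` pin in `StartPins` points at an app the profile never actually allows. Two smaller points: `xmlns:v2` duplicates `xmlns:rs5` (both `.../201810/config`) and `xmlns:v5` duplicates `xmlns:win11` (both `.../2022/config`), and neither the `v2:` nor the `v5:` prefix is used, so drop both; and since this is a lockdown sample, the article that includes it should say that allowing `cmd.exe` and `Powershell.exe` is for illustration only, because either entry hands the kiosk user an unrestricted shell and defeats the point of the profile.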
@ -250,7 +250,7 @@ The following table describes some features that have interoperability issues we
| <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Esc</kbd> | Cycle through items in the reverse order from which they were opened. |
| <kbd>Ctrl</kbd> + <kbd>Esc</kbd> | Open the Start screen. |
| <kbd>Ctrl</kbd> + <kbd>F4</kbd> | Close the window. |
| <kbd>Ctrl</kbd> + <kbd>Shift</kbd + <kbd>Esc</kbd> | Open Task Manager. |
| <kbd>Ctrl</kbd> + <kbd>Shift</kbd> + <kbd>Esc</kbd> | Open Task Manager. |
| <kbd>Ctrl</kbd> + <kbd>Tab</kbd> | Switch windows within the application currently open. |
| LaunchApp1 | Open the app that is assigned to this key. |
| LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator. |
@ -260,16 +260,16 @@ The following table describes some features that have interoperability issues we
Keyboard Filter settings apply to other standard accounts.

- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter).
[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education.
- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user can't turn off the device when it's in assigned access.
For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).
- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access.
For more information, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter).
[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education
- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user can't turn off the device when it's in assigned access
For more information on removing the power button or disabling the physical power button, see [Custom Logon][WHW-1]
- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access
For more information, see [Unified Write Filter][WHW-2]
- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead.
If you need to use assigned access API, see [WEDL_AssignedAccess](/windows-hardware/customize/enterprise/wedl-assignedaccess).
- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.
If you need to use assigned access API, see [WEDL_AssignedAccess][WHW-3]
- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own

For more information, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).
For more information, see [Custom Logon][WHW-1].

## Testing your kiosk in a virtual machine (VM)

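Review bot: `UWFsettings` (missing space) survives into the rewritten `- **Unified Write Filter (UWF)**:` bullet; change it to `UWF settings` while the line is being touched. Trailing punctuation is also inconsistent after the rewrite: the rewritten bullets drop their final period, but `For more information, see [Custom Logon][WHW-1].` keeps it. Two wording nits in the untouched context worth fixing in the same pass: `It's recommended to you use the Windows PowerShell cmdlets instead.` should be `It's recommended that you use`, and `not only how the Welcome screen looks, but for how it functions` reads better as `but also how it functions`.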
@ -277,10 +277,13 @@ Customers sometimes use virtual machines (VMs) to test configurations before dep
|
||||
|
||||
A single-app kiosk configuration runs an app above the lock screen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V.
|
||||
|
||||
When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** isn't selected in the **View** menu; that means it's a basic session.
|
||||
> [!NOTE]
|
||||
> When you connect to a VM configured as a single-app kiosk, you must use a *basic session* rather than an *enhanced session*. For more information, see [Check session type][VIR-1].
|
||||
|
||||
:::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. In the View menu, Extended session isn't selected, which means basic is used.":::
|
||||
<!--links-->
|
||||
|
||||
To connect to a VM in a basic session, don't select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog:
|
||||
[VIR-1]: /virtualization/hyper-v-on-windows/user-guide/enhanced-session-mode#check-session-type
|
||||
[WHW-1]: /windows-hardware/customize/enterprise/custom-logon
|
||||
[WHW-2]: /windows-hardware/customize/enterprise/unified-write-filter
|
||||
[WHW-3]: /windows-hardware/customize/enterprise/wedl-assignedaccess
|
||||
|
||||
:::image type="content" source="images/vm-kiosk-connect.png" alt-text="Don't select the connect button. Use the close X in the top corner to connect to a VM in basic session.":::
|
||||
|
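Review bot: The new NOTE ("you must use a *basic session* rather than an *enhanced session*. For more information, see [Check session type][VIR-1]") says the same thing as the sentence "When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session", so keep only one of them. If the image lines and the instruction "select the **X** button in the upper-right corner to cancel the dialog" are being removed, make sure that step survives at the VIR-1 target, because it is the only text that tells the reader how to actually get a basic session. Also, the vm-kiosk.png alt text says "Extended session" while the menu item it describes is "Enhanced session".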
@ -2,6 +2,8 @@
|
||||
title: Set up a multi-app kiosk on Windows 11
|
||||
description: Learn how to configure a kiosk device running Windows 11 so that users can only run a few specific apps.
|
||||
ms.date: 05/12/2023
|
||||
appliesto:
|
||||
- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
|
||||
ms.topic: how-to
|
||||
---
|
||||
|
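Review bot: ms.date stays at 05/12/2023 although the front matter gains the appliesto block and ms.topic: how-to; bump ms.date with the change so the page's freshness metadata matches. The blank line between the appliesto list item and ms.topic should also go, to match the front matter of the new quickstart-restricted-experience.md in this same PR, which has no blank line inside the block.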
@ -1,28 +0,0 @@
|
||||
---
|
||||
title: Lockdown features from Windows Embedded 8.1 Industry
|
||||
description: Many of the lockdown feature available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
ms.date: 12/31/2017
|
||||
---
|
||||
|
||||
# Lockdown features from Windows Embedded 8.1 Industry
|
||||
|
||||
Many of the lockdown feature available in Windows Embedded 8.1 Industry have been modified in some form for Windows 1. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
|
||||
|
||||
|Windows Embedded 8.1 Industry lockdown feature|Windows 10 feature|Changes|
|
||||
|--- |--- |--- |
|
||||
|[Hibernate Once/Resume Many (HORM)](/previous-versions/windows/embedded/dn449302(v=winembedded.82)): Quick boot to device|[HORM](/windows-hardware/customize/enterprise/hibernate-once-resume-many-horm-)|HORM is supported in Windows 10, version 1607 and later.|
|
||||
|[Unified Write Filter](/previous-versions/windows/embedded/dn449332(v=winembedded.82)): protect a device's physical storage media|[Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter)|The Unified Write Filter is continued in Windows 10.|
|
||||
|[Keyboard Filter](/previous-versions/windows/embedded/dn449298(v=winembedded.82)): block hotkeys and other key combinations|[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)|Keyboard filter is added in Windows 10, version 151. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via **Turn Windows Features On/Off**. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.|
|
||||
|[Shell Launcher](/previous-versions/windows/embedded/dn449423(v=winembedded.82)): launch a Windows desktop application on sign-on|[Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher)|Shell Launcher continues in Windows 1. It's now configurable in Windows ICD under the **SMISettings** category.<br>Learn [how to use Shell Launcher to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Windows desktop application.|
|
||||
|[Application Launcher](/previous-versions/windows/embedded/dn449251(v=winembedded.82)): launch a Universal Windows Platform (UWP) app on sign-on|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.|
|
||||
|[Dialog Filter](/previous-versions/windows/embedded/dn449395(v=winembedded.82)): suppress system dialogs and control which processes can run|[AppLocker](/windows/device-security/applocker/applocker-overview)|Dialog Filter has been deprecated for Windows 1. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.<li>Control over which processes are able to run will now be provided by AppLocker.<li>System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.|
|
||||
|[Toast Notification Filter](/previous-versions/windows/embedded/dn449360(v=winembedded.82)): suppress toast notifications|Mobile device management (MDM) and Group Policy|Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of noncritical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.<br>Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications**<br>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Allow action center notifications** and a [custom OMA-URI setting](/mem/intune/configuration/custom-settings-windows-10) for **AboveLock/AllowActionCenterNotifications**.|
|
||||
|[Embedded Lockdown Manager](/previous-versions/windows/embedded/dn449279(v=winembedded.82)): configure lockdown features|[Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd)|The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.|
|
||||
|[USB Filter](/previous-versions/windows/embedded/dn449350(v=winembedded.82)): restrict USB devices and peripherals on system|MDM and Group Policy|The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.<br> <br> Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Device Installation Restrictions**<br>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Removable storage**.|
|
||||
|[Assigned Access](/previous-versions/windows/embedded/dn449303(v=winembedded.82)): launch a UWP app on sign-in and lock access to system|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|Assigned Access has undergone significant improvement for Windows 1. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and noncritical system notifications, but it also applied some of these limitations to other accounts on the device.<br>In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.<br><br>Learn [how to use Assigned Access to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Universal Windows app.|
|
||||
|[Gesture Filter](/previous-versions/windows/embedded/dn449374(v=winembedded.82)): block swipes from top, left, and right edges of screen|MDM and Group Policy|In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the [Allow edge swipe](/windows/client-management/mdm/policy-configuration-service-provider#LockDown_AllowEdgeSwipe) policy.|
|
||||
|[Custom sign in](/previous-versions/windows/embedded/dn449309(v=winembedded.82)): suppress Windows UI elements during Windows sign-on, sign out, and shut down|[Embedded sign in](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-embeddedlogon)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.|
|
||||
|[Unbranded Boot](/previous-versions/windows/embedded/dn449249(v=winembedded.82)): custom brand a device by removing or replacing Windows boot UI elements|[Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.|
|
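Review bot: Deleting lockdown-features-windows-10.md needs every inbound link removed in the same change: the toc.yml hunk in this PR still shows "Lockdown features from Windows Embedded 8.1 Industry" with href: lockdown-features-windows-10.md, and any other page that links to it will fail link validation once the file is gone. The mapping table in this file (HORM, Unified Write Filter, Keyboard Filter, Shell Launcher, Dialog Filter, USB Filter, Gesture Filter, and the rest) is the only place that cross-references Windows Embedded 8.1 Industry features to their Windows 10 replacements, so confirm that wherever this content is being moved it keeps the table intact.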
176
windows/configuration/kiosk/quickstart-restricted-experience.md
Normal file
@ -0,0 +1,176 @@
|
||||
---
|
||||
title: "Quickstart: Configure a restricted user experience"
|
||||
description: Learn how to configure a restricted user experience using Windows Configuration Designer, Microsoft Intune, PowerShell or GPO.
|
||||
ms.topic: quickstart
|
||||
ms.date: 02/05/2024
|
||||
appliesto:
|
||||
- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
---
|
||||
|
||||
# Quickstart: Configure a restricted user experience
|
||||
|
||||
With a *restricted user experience*, you can control the applications allowed in a locked down Windows desktop.
|
||||
|
||||
This quickstart provides practical examples of how to configure a restricted user experience on Windows 11. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
|
||||
|
||||
The examples can be modified to fit your specific requirements. For example, you can add or remove applications from the list of allowed apps, or change the name of the user that automatically signs in to Windows.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
>[!div class="checklist"]
|
||||
>Here's a list of requirements to complete this quickstart:
|
||||
>
|
||||
>- A Windows 11 device
|
||||
>- Microsoft Intune, or a non-Microsoft MDM solution, if you want to configure the settings using MDM
|
||||
>- Windows Configuration Designer, if you want to configure the settings using a provisioning package
|
||||
>- Access to the [psexec tool](/sysinternals/downloads/psexec), if you want to test the configuration using Windows PowerShell
|
||||
|
||||
## Configure a restricted user experience
|
||||
|
||||
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
|
||||
|
||||
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
|
||||
|
||||
> [!TIP]
|
||||
> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
|
||||
>
|
||||
> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
|
||||
|
||||
```msgraph-interactive
|
||||
POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
|
||||
Content-Type: application/json
|
||||
|
||||
{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example", "description": "Collection of settings for Assigned Access", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<AssignedAccessConfiguration xmlns=\"http://schemas.microsoft.com/AssignedAccess/2017/config\"\n xmlns:rs5=\"http://schemas.microsoft.com/AssignedAccess/201810/config\"\n xmlns:v2=\"http://schemas.microsoft.com/AssignedAccess/201810/config\"\n xmlns:v3=\"http://schemas.microsoft.com/AssignedAccess/2020/config\"\n xmlns:v5=\"http://schemas.microsoft.com/AssignedAccess/2022/config\"\n xmlns:win11=\"http://schemas.microsoft.com/AssignedAccess/2022/config\"\n >\n <Profiles>\n <Profile Id=\"{9A2A490F-10F6-4764-974A-43B19E722C23}\">\n <AllAppsList>\n <AllowedApps>\n <App AppUserModelId=\"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\" />\n <App AppUserModelId=\"Microsoft.Windows.Photos_8wekyb3d8bbwe!App\" />\n <App AppUserModelId=\"Microsoft.BingWeather_8wekyb3d8bbwe!App\" />\n <App DesktopAppPath=\"C:\\Windows\\system32\\cmd.exe\" />\n <App DesktopAppPath=\"%windir%\\System32\\WindowsPowerShell\\v1.0\\Powershell.exe\" />\n <App DesktopAppPath=\"%windir%\\explorer.exe\" />\n <App AppUserModelId=\"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\" />\n <App AppUserModelId=\"%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe\" />\n </AllowedApps>\n </AllAppsList>\n <rs5:FileExplorerNamespaceRestrictions>\n <rs5:AllowedNamespace Name=\"Downloads\"/>\n <v3:AllowRemovableDrives/>\n </rs5:FileExplorerNamespaceRestrictions>\n <win11:StartPins>\n <![CDATA[{\n \"pinnedList\":[\n 
{\"packagedAppId\":\"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\"},\n {\"packagedAppId\":\"Microsoft.Windows.Photos_8wekyb3d8bbwe!App\"},\n {\"packagedAppId\":\"Microsoft.BingWeather_8wekyb3d8bbwe!App\"},\n {\"desktopAppLink\":\"%APPDATA%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\System Tools\\\\Command Prompt.lnk\"},\n {\"desktopAppLink\":\"%APPDATA%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Windows PowerShell\\\\Windows PowerShell.lnk\"},\n {\"desktopAppLink\":\"%APPDATA%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\File Explorer.lnk\"},\n {\"packagedAppId\": \"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\"},\n {\"desktopAppLink\": \"%ALLUSERSPROFILE%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Microsoft Edge.lnk\"}\n ]\n }]]>\n </win11:StartPins>\n <Taskbar ShowTaskbar=\"true\"/>\n </Profile>\n </Profiles>\n <Configs>\n <Config>\n <AutoLogonAccount rs5:DisplayName=\"Library Kiosk\"/>\n <DefaultProfile Id=\"{9A2A490F-10F6-4764-974A-43B19E722C23}\"/>\n </Config>\n </Configs>\n</AssignedAccessConfiguration>" } ] }
|
||||
```
|
||||
|
||||
[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
|
||||
|
||||
Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
|
||||
|
||||
- **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration`
|
||||
- **Value:**
|
||||
|
||||
[!INCLUDE [quickstart-restricted-experience-xml](includes/quickstart-restricted-experience-xml.md)]
|
||||
|
||||
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
|
||||
|
||||
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
|
||||
|
||||
- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
|
||||
- **Value:**
|
||||
|
||||
[!INCLUDE [quickstart-restricted-experience-xml](includes/quickstart-restricted-experience-xml.md)]
|
||||
|
||||
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
|
||||
|
||||
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
|
||||
|
||||
[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
|
||||
|
||||
```powershell
|
||||
$eventLogFilterHashTable = @{
|
||||
ProviderName = "Microsoft-Windows-AssignedAccess";
|
||||
StartTime = Get-Date -Millisecond 0
|
||||
}
|
||||
|
||||
$namespaceName="root\cimv2\mdm\dmmap"
|
||||
$className="MDM_AssignedAccess"
|
||||
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
|
||||
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@"
|
||||
<?xml version="1.0" encoding="utf-8" ?>
|
||||
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
|
||||
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
|
||||
xmlns:v2="http://schemas.microsoft.com/AssignedAccess/201810/config"
|
||||
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
|
||||
xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config"
|
||||
xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
|
||||
<Profiles>
|
||||
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
|
||||
<AllAppsList>
|
||||
<AllowedApps>
|
||||
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
|
||||
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
|
||||
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
|
||||
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
|
||||
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
|
||||
<App DesktopAppPath="%windir%\explorer.exe" />
|
||||
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
|
||||
<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
|
||||
</AllowedApps>
|
||||
</AllAppsList>
|
||||
<rs5:FileExplorerNamespaceRestrictions>
|
||||
<rs5:AllowedNamespace Name="Downloads"/>
|
||||
<v3:AllowRemovableDrives/>
|
||||
</rs5:FileExplorerNamespaceRestrictions>
|
||||
<win11:StartPins>
|
||||
<![CDATA[{
|
||||
"pinnedList":[
|
||||
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
|
||||
{"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
|
||||
{"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
|
||||
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"},
|
||||
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"},
|
||||
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
|
||||
{"packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
|
||||
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
|
||||
]
|
||||
}]]>
|
||||
</win11:StartPins>
|
||||
<Taskbar ShowTaskbar="true"/>
|
||||
</Profile>
|
||||
</Profiles>
|
||||
<Configs>
|
||||
<Config>
|
||||
<AutoLogonAccount rs5:DisplayName="Library Kiosk"/>
|
||||
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
|
||||
</Config>
|
||||
</Configs>
|
||||
</AssignedAccessConfiguration>
|
||||
"@)
|
||||
|
||||
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
|
||||
if($cimSetError) {
|
||||
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
|
||||
Write-Error -ErrorRecord $cimSetError[0]
|
||||
|
||||
$timeout = New-TimeSpan -Seconds 30
|
||||
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
|
||||
do{
|
||||
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
|
||||
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
|
||||
|
||||
if($events.Count) {
|
||||
$events | ForEach-Object {
|
||||
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
|
||||
}
|
||||
} else {
|
||||
Write-Warning "Timed-out attempting to retrieve event logs..."
|
||||
}
|
||||
|
||||
Exit 1
|
||||
}
|
||||
|
||||
Write-Output "Successfully applied Assigned Access configuration"
|
||||
```
|
||||
|
||||
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
|
||||
|
||||
---
|
||||
|
||||
## User experience
|
||||
|
||||
After the settings are applied, reboot the device. A user account named `Library Kiosk` is automatically signed in, with access to a limited set of applications, which are pinned to the Start menu.
|
||||
|
||||
:::image type="content" source="images/quickstart-restricted-experience.png" alt-text="Screenshot of the Windows desktop used for the quickstart." border="false":::
|
||||
|
||||
## Next steps
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> Learn more how to configure Windows to execute as a restricted user experience:
|
||||
>
|
||||
> [Configure a restricted user experience](lock-down-windows-11-to-specific-apps.md)
|
||||
|
||||
<!--links-->
|
||||
|
||||
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
|
||||
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
|
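Review bot: In the AllowedApps list, Microsoft Edge is declared as `<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />`, but that value is a file path, not an Application User Model ID; the other Win32 entries (cmd.exe, Powershell.exe, explorer.exe) correctly use DesktopAppPath, and Edge should too, in both the Graph JSON value and the PowerShell here-string. Separately, a "restricted user experience" for an auto-logon "Library Kiosk" account that allows C:\Windows\system32\cmd.exe and Powershell.exe is not restricted in any meaningful sense, since either of those shells lets the signed-in user start programs that are not on the allow list; the list is only as strong as its most permissive entry. If they are present only to show the DesktopAppPath syntax, say so in the text, or replace them with less capable desktop apps. Minor: xmlns:v2 repeats the rs5 namespace URI and xmlns:v5 repeats the win11 URI, which is redundant, and the description promises "Microsoft Intune, PowerShell or GPO" while the page has no GPO tab.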
@ -1,37 +1,47 @@
|
||||
items:
|
||||
- name: Overview
|
||||
href: kiosk-methods.md
|
||||
- name: Prepare a device for kiosk configuration
|
||||
href: kiosk-prepare.md
|
||||
- name: Set up digital signs
|
||||
href: setup-digital-signage.md
|
||||
- name: Set up a single-app kiosk
|
||||
href: kiosk-single-app.md
|
||||
- name: Set up a multi-app kiosk for Windows 10
|
||||
href: lock-down-windows-10-to-specific-apps.md
|
||||
- name: Set up a multi-app kiosk for Windows 11
|
||||
href: lock-down-windows-11-to-specific-apps.md
|
||||
- name: Kiosk reference information
|
||||
- name: Quickstarts
|
||||
items:
|
||||
- name: More kiosk methods and reference information
|
||||
href: kiosk-additional-reference.md
|
||||
- name: Find the Application User Model ID of an installed app
|
||||
href: find-the-application-user-model-id-of-an-installed-app.md
|
||||
- name: Validate your kiosk configuration
|
||||
href: kiosk-validate.md
|
||||
- name: Guidelines for choosing an app for assigned access (kiosk mode)
|
||||
href: guidelines-for-assigned-access-app.md
|
||||
- name: Policies enforced on kiosk devices
|
||||
href: kiosk-policies.md
|
||||
- name: Assigned access XML reference
|
||||
href: kiosk-xml.md
|
||||
- name: Configure a restricted user experience
|
||||
href: quickstart-restricted-experience.md
|
||||
- name: Concepts
|
||||
items:
|
||||
- name: Prepare a device for kiosk configuration
|
||||
href: kiosk-prepare.md
|
||||
- name: Deployment guides
|
||||
items:
|
||||
- name: Configure digital signs
|
||||
href: setup-digital-signage.md
|
||||
- name: Configure a kiosk
|
||||
href: kiosk-single-app.md
|
||||
- name: Configure a restricted user experience for Windows 10
|
||||
href: lock-down-windows-10-to-specific-apps.md
|
||||
- name: Configure a restricted user experience for Windows 11
|
||||
href: lock-down-windows-11-to-specific-apps.md
|
||||
- name: How-to guides
|
||||
items:
|
||||
- name: Find the AUMID of an installed app
|
||||
href: find-aumid.md
|
||||
- name: Use MDM Bridge WMI Provider to create a Windows client kiosk
|
||||
href: kiosk-mdm-bridge.md
|
||||
- name: Use AppLocker to create a Windows 10 kiosk
|
||||
href: lock-down-windows-10-applocker.md
|
||||
- name: Use Shell Launcher to create a Windows client kiosk
|
||||
href: kiosk-shelllauncher.md
|
||||
- name: Use MDM Bridge WMI Provider to create a Windows client kiosk
|
||||
href: kiosk-mdm-bridge.md
|
||||
- name: Troubleshoot
|
||||
items:
|
||||
- name: Validate your kiosk configuration
|
||||
href: kiosk-validate.md
|
||||
- name: Troubleshoot kiosk mode issues
|
||||
href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
|
||||
- name: Lockdown features from Windows Embedded 8.1 Industry
|
||||
href: lockdown-features-windows-10.md
|
||||
- name: Rreference
|
||||
items:
|
||||
- name: Kiosk methods and reference information
|
||||
href: kiosk-additional-reference.md
|
||||
- name: Guidelines for choosing an app for assigned access
|
||||
href: guidelines-for-assigned-access-app.md
|
||||
- name: Policies enforced on kiosk devices
|
||||
href: kiosk-policies.md
|
||||
- name: Assigned access XML reference
|
||||
href: kiosk-xml.md
|
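Review bot: "Rreference" in the new top-level items is a typo for "Reference". The entry "Use MDM Bridge WMI Provider to create a Windows client kiosk" (href: kiosk-mdm-bridge.md) appears twice in this hunk; if both copies are on the new side, drop one. And the "Lockdown features from Windows Embedded 8.1 Industry" entry pointing at lockdown-features-windows-10.md cannot remain on the new side, because that file is deleted elsewhere in this PR.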
@ -21,9 +21,6 @@ When a full Start layout is applied, the users can't pin, unpin, or uninstall ap
|
||||
|
||||
When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups can't be changed, but users can move those groups, and can also create and customize their own groups.
|
||||
|
||||
> [!NOTE]
|
||||
> Partial Start layout is only supported on Windows 10, version 1511 and later.
|
||||
|
||||
You can deploy the resulting .xml file to devices using one of the following methods:
|
||||
|
||||
- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
|
||||
@ -52,9 +49,7 @@ To customize Start:
|
||||
- **Create your own app groups**. Drag the apps to an empty area. To name a group, select above the group of tiles and then type the name in the **Name group** field that appears above the group.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> In Windows 10, version 1703, if the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in.
|
||||
>
|
||||
> In earlier versions of Windows 10, no tile would be pinned.
|
||||
> If the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in.
|
||||
|
||||
### Export the Start layout
|
||||
|
||||
@ -66,17 +61,13 @@ When you have the Start layout that you want your users to see, use the [Export-
|
||||
To export the Start layout to an .xml file:
|
||||
|
||||
1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**.
|
||||
1. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command:
|
||||
|
||||
`Export-StartLayout -path <path><file name>.xml`
|
||||
|
||||
On a device running Windows 10, version 1809 or higher, run the **Export-StartLayout** with the switch **-UseDesktopApplicationID**. For example:
|
||||
1. Run `Export-StartLayout` with the switch `-UseDesktopApplicationID`. For example:
|
||||
|
||||
```PowerShell
|
||||
Export-StartLayout -UseDesktopApplicationID -Path layout.xml
|
||||
```
|
||||
|
||||
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
|
||||
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, `\\FileServer01\StartLayouts\StartLayoutMarketing.xml`).
|
||||
|
||||
Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension.
|
||||
|
||||
|
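Review bot: The sentence "In the previous command, `-path` is a required parameter" now follows a code block that spells the parameter `-Path`; align the casing so the prose matches the command. The new step "Run `Export-StartLayout` with the switch `-UseDesktopApplicationID`" also drops the version split (1607/1703/1803 without the switch, 1809 and later with it) without saying that the older builds are out of scope; if that is the intent, a one-line statement of the minimum supported version would keep the procedure unambiguous.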
@ -22,8 +22,6 @@ This topic describes how to update Group Policy settings to display a customized
|
||||
|
||||
## Operating system requirements
|
||||
|
||||
In Windows 10, version 1607, Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education. In Windows 10, version 1703, Start and taskbar layout control using Group Policy is also supported in Windows 10 Pro.
|
||||
|
||||
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) in the Microsoft Knowledge Base.
|
||||
|
||||
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
|
||||
|
@ -13,9 +13,6 @@ ms.date: 08/05/2021
|
||||
|
||||
In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required. The layout can be updated simply by overwriting the `.xml` file that contains the layout. This feature enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
|
||||
|
||||
>[!NOTE]
|
||||
>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
|
||||
|
||||
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions (also works for taskbar customization).
|
||||
|
||||
>[!WARNING]
|
||||
|
@ -14,7 +14,7 @@ ms.date: 12/31/2017
|
||||
> [!NOTE]
|
||||
> Currently, using provisioning packages to customize the Start menu layout is supported on Windows 1. It's not supported on Windows 11.
|
||||
|
||||
In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
|
||||
You can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
|
||||
|
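Review bot: The NOTE kept as context reads "is supported on Windows 1. It's not supported on Windows 11.", where "Windows 1" is a typo for "Windows 10"; since the paragraph directly below it is being rewritten, fix the note in the same change. The rewritten paragraph also removes the edition list (Pro, Enterprise, Education, version 1703), which leaves the note as the only remaining statement of which Windows versions are in scope; confirm that is intended.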
@ -14,17 +14,11 @@ App tiles are the Start screen tiles that represent and launch an app. A tile th
- Status and updates from an important contact in a social app
- A website in Microsoft Edge
In a Start layout for Windows 10, version 1703, you can include secondary tiles for Microsoft Edge that display a custom image, rather than a tile with the standard Microsoft Edge logo.
Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image:

In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image:

In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout.
By using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles display the same as they did on the device from which you exported the Start layout.

@ -78,7 +72,6 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
1. In Windows PowerShell, enter the following command:
```powershell
Export-StartLayoutEdgeAssets assets.xml
```
@ -139,7 +132,6 @@ The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce
#### Create a provisioning package that contains a customized Start layout
Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md)
>[!IMPORTANT]
@ -1,5 +1,5 @@
items:
- name: Customizethe Start menu in Windows 11
- name: Customize the Start menu in Windows 11
href: customize-start-menu-layout-windows-11.md
- name: Supported Start menu CSPs
href: supported-csp-start-menu-layout-windows.md
@ -3,6 +3,8 @@ title: Customize and manage the Windows 10 Start and taskbar layout
description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more.
ms.topic: article
ms.date: 08/05/2021
appliesto:
- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
---
# Customize the Start menu and taskbar layout on Windows 10 and later devices
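Review bot: `ms.date: 08/05/2021` is left unchanged while this file gains an `appliesto` block here and loses a section in the next hunk; bump `ms.date` so the published page reflects the revision. Minor: the `appliesto` entry writes `<a href=/windows/release-health/supported-versions-windows-client target=_blank>` with unquoted attribute values; quote them (`href="..." target="_blank"`).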
@ -184,19 +186,6 @@ In a clean install, if you apply a taskbar layout, only the following apps are p
After the layout is applied, users can pin more apps to the taskbar.
### Taskbar configuration applied to Windows 10 upgrades
When a device is upgraded to Windows 10, apps are already pinned to the taskbar. Some apps may have been pinned to the taskbar by a user, by a customized base image, or by using Windows unattended setup.
On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply the following behavior:
- If users pinned apps to the taskbar, then those pinned apps remain. New apps are added to the right.
- If users didn't pin any apps (they're pinned during installation or by policy), and the apps aren't in an updated layout file, then the apps are unpinned.
- If a user didn't pin the app, and the app is in the updated layout file, then the app is pinned to the right.
- New apps specified in updated layout file are pinned to right of user's pinned apps.
[Learn how to configure Windows 10 taskbar](../taskbar/configure-windows-10-taskbar.md).
## Start layout configuration errors
If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events:
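Review bot: this hunk shrinks the span from 19 lines to 6, and the "Taskbar configuration applied to Windows 10 upgrades" section in it is the only place that states how an upgrade treats pins (apps pinned during installation or by policy that are absent from the updated layout file are unpinned; new layout entries land to the right of user pins). Before dropping it in favour of the link to ../taskbar/configure-windows-10-taskbar.md, confirm that page carries the same four rules, otherwise the documented upgrade behaviour is lost.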
@ -14,7 +14,7 @@ ms.topic: article
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers. When vulnerabilities in drivers are found, we work with our partners to ensure they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers. When vulnerabilities in drivers are found, we work with our partners to ensure they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against non-Microsoft-developed drivers across the Windows ecosystem with any of the following attributes:
- Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
- Malicious behaviors (malware) or certificates used to sign malware
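Review bot: since the opening paragraph is being rewritten anyway, fix its grammar in the same change: "code running in kernel" and "run malware in kernel" should be "in the kernel", and "turning to exploit vulnerabilities" should be "turning to exploiting vulnerabilities". The substantive edit (third party-developed to non-Microsoft-developed) reads fine.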
@ -1071,7 +1071,7 @@ The following recommended blocklist xml policy file can also be downloaded from
<Deny ID="ID_DENY_NVOCLOCK_17" FriendlyName="nvoclock\87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b Hash Sha1" Hash="8546586F7825C49876F2E0C52BA55F545B4E03BD" />
<Deny ID="ID_DENY_NVOCLOCK_18" FriendlyName="nvoclock\87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b Hash Sha256" Hash="7C8D7BB3A272AFE7FB737BD165FE9BD8F8187F1835289EB66D471CDCED74E950" />
<Deny ID="ID_DENY_NVOCLOCK_19" FriendlyName="nvoclock\d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8 Hash Sha1" Hash="FE761BEE648D4A1C9FD8C1646323A692DF957C42" />
<Deny ID="ID_DENY_NVOCLOCK_20" FriendlyName="nvoclock\d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8 Hash Sha256" Hash="B3183D87A902DB1BBDAECB37291B9D37C032CE9DFACBE4B36CC3032F5A643AB4" />
<Deny ID="ID_DENY_NVOCLOCK_20" FriendlyName="nvoclock\d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8 Hash Sha256" Hash="B3183D87A902DB1BBDAECB37291B9D37C032CE9DFACBE4B36CC3032F5A643AB4" />
<Deny ID="ID_DENY_OTIPCIBUS_1" FriendlyName="otipcibus.sys\4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80 Hash Sha1" Hash="FD172C7F8BDC81988FCF1642881078A8CA8415F6" />
<Deny ID="ID_DENY_OTIPCIBUS_2" FriendlyName="otipcibus.sys\4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80 Hash Sha256" Hash="1CDA1A6E33D14D5DD06344425102BF840F8149E817ECFB01C59A2190D3367024" />
<Deny ID="ID_DENY_OTIPCIBUS_3" FriendlyName="otipcibus.sys\4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80 Hash Page Sha1" Hash="8DFBFD888C9A420AC7F3371E5443C26A2852E539" />
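Review bot: as rendered, the removed and added `ID_DENY_NVOCLOCK_20` lines are character-for-character identical, so this hunk looks like a whitespace-only change. If the intent was instead to fix a duplicated rule ID, the fix did not land: each `Deny` element's `ID` must be unique within the policy, so two elements carrying `ID_DENY_NVOCLOCK_20` would need one of them renumbered. Confirm which it is and, if whitespace, say so in the commit message.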
@ -1929,7 +1929,7 @@ The following recommended blocklist xml policy file can also be downloaded from
<CertRoot Type="TBS" Value="A08E79C386083D875014C409C13D144E0A24386132980DF11FF59737C8489EB1" />
<FileAttribRef RuleID="ID_FILEATTRIB_AMD_RYZEN" />
<FileAttribRef RuleID="ID_FILEATTRIB_AMDPP" />
<FileAttribRef RuleID="ID_FILEATTRIB_ASWSP" />
<FileAttribRef RuleID="ID_FILEATTRIB_ASWSP" />
<FileAttribRef RuleID="ID_FILEATTRIB_ATLACCESS" />
<FileAttribRef RuleID="ID_FILEATTRIB_LGCORETEMP" />
<FileAttribRef RuleID="ID_FILEATTRIB_RTIF" />
@ -1938,10 +1938,10 @@ The following recommended blocklist xml policy file can also be downloaded from
</Signer>
<Signer ID="ID_SIGNER_SYMANTEC_CLASS_3_EV" Name="Symantec Class 3 Extended Validation Code Signing CA - G2">
<CertRoot Type="TBS" Value="B3C925B4048C3F7C444D248A2B101186B57CBA39596EB5DCE0E17A4EE4B32F19"/>
<FileAttribRef RuleID="ID_FILEATTRIB_CP2X72C_1"/>
<FileAttribRef RuleID="ID_FILEATTRIB_CP2X72C_2"/>
<FileAttribRef RuleID="ID_FILEATTRIB_CP2X72C_1"/>
<FileAttribRef RuleID="ID_FILEATTRIB_CP2X72C_2"/>
<FileAttribRef RuleID="ID_FILEATTRIB_FPCIE"/>
<FileAttribRef RuleID="ID_FILEATTRIB_WIRWADRV"/>
<FileAttribRef RuleID="ID_FILEATTRIB_WIRWADRV"/>
</Signer>
<Signer ID="ID_SIGNER_VERISIGN_AMD" Name="VeriSign Class 3 Code Signing 2010 CA">
<CertRoot Type="TBS" Value="4843A82ED3B1F2BFBEE9671960E1940C942F688D" />
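Review bot: the `ID_SIGNER_SYMANTEC_CLASS_3_EV` block in this hunk writes `"/>` with no space before the slash, while the neighbouring `ID_SIGNER_VERISIGN_AMD` block and the rest of the file use `" />`. Both the removed and the added copies of the three `FileAttribRef` lines display the `"/>` form and are otherwise identical, which again points to a whitespace-only edit; if this hunk exists to normalize spacing, normalize the whole Signer block (including its `CertRoot`), otherwise leave it untouched.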
@ -2234,7 +2234,7 @@ The following recommended blocklist xml policy file can also be downloaded from
<FileAttribRef RuleID="ID_FILEATTRIB_EELAM" />
<FileAttribRef RuleID="ID_FILEATTRIB_SYMELAM" />
<FileAttribRef RuleID="ID_FILEATTRIB_TMEL" />
</Signer>
<Signer ID="ID_SIGNER_AVGELAM_1" Name="DigiCert High Assurance Code Signing CA-1">
<CertRoot Type="TBS" Value="1D7E838ACCD498C2E5BA9373AF819EC097BB955C" />
@ -3312,7 +3312,7 @@ The following recommended blocklist xml policy file can also be downloaded from
<FileRuleRef RuleID="ID_DENY_EIO64_7" />
<FileRuleRef RuleID="ID_DENY_EIO64_8" />
<FileRuleRef RuleID="ID_DENY_FH_ETHER_1" />
<FileRuleRef RuleID="ID_DENY_FH_ETHER_2" />
<FileRuleRef RuleID="ID_DENY_FH_ETHER_2" />
<FileRuleRef RuleID="ID_DENY_GEDEVDRV_1" />
<FileRuleRef RuleID="ID_DENY_GEDEVDRV_2" />
<FileRuleRef RuleID="ID_DENY_GEDEVDRV_3" />
@ -33,7 +33,7 @@ The security features of Windows combined with the benefits of a TPM offer pract
Windows includes a cryptography framework called Cryptographic API: Next Generation (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself.
Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG.
Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or non-Microsoft hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG.
The Platform Crypto Provider, introduced in the Windows 8, exposes the following special TPM properties, which software-only CNG providers can't offer or can't offer as effectively:
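Review bot: the rewritten sentence still says "Windows or third parties supply a cryptographic provider" while "third-party hardware" later in the same sentence becomes "non-Microsoft hardware"; if the aim of this PR is to retire "third party" wording, change that occurrence too (for example "Windows or other vendors supply a cryptographic provider"). Adjacent context: "introduced in the Windows 8" should be "introduced in Windows 8".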
@ -94,7 +94,7 @@ For software measurements, Device Encryption relies on measurements of the autho
Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system. In previous Windows versions, the measurement chain stopped at the Windows Boot Manager component itself, and the measurements in the TPM were not helpful for understanding the starting state of Windows.
The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off).
The Windows boot process happens in stages and often involves non-Microsoft drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off).
Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system's starting state to determine whether the running operating system should be trusted.
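Review bot: minor, in the rewritten paragraph: "(e.g., whether BitLocker is on or off)" reads better as "(for example, whether BitLocker is on or off)", and "were not helpful" in the preceding context paragraph can be "weren't helpful" to match the contractions used in the other files of this PR.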
@ -22,9 +22,9 @@ For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based conne
When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\
Use constrained or resource-based Kerberos delegation instead.
## Third party Security Support Providers considerations
## Non-Microsoft Security Support Providers considerations
Some third party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\
Some non-Microsoft Security Support Providers (SSPs and APs) might not be compatible with Credential Guard because it doesn't allow non-Microsoft SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\
It's recommended that custom implementations of SSPs/APs are tested with Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs.
For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package).
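Review bot: in the rewritten sentence, "Any use of undocumented APIs within custom SSPs and APs aren't supported" has a singular subject; make it "isn't supported". The following context line ends with the fragment "Replacing the NTLM or Kerberos SSPs with custom SSPs and APs.", which has no verb; it presumably belongs with the unsupported examples, so "Replacing the NTLM or Kerberos SSPs with custom SSPs and APs isn't supported either."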
@ -110,15 +110,15 @@ Credential Guard blocks certain authentication capabilities. Applications that r
This article describes known issues when Credential Guard is enabled.
### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2
### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2
Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running.
Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running.
#### Affected devices
Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements).
All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement.
All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement.
> [!TIP]
> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
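Review bot: the three changed pairs in this hunk (the "Single sign-on for Network services..." heading, the "Devices that use 802.1x..." paragraph and the "All Windows Pro devices..." paragraph) render identically before and after, so the edit is whitespace-only; a word in the commit message would stop it being read as a content change. While here: "This affected all devices" sits beside the present-tense "have it enabled by default"; use "This affects".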
@ -188,16 +188,16 @@ MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, versio
#### How to fix the issue
We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication, like PEAP-TLS or EAP-TLS. Credential Guard doesn't block certificate-based authentication.
We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication, like PEAP-TLS or EAP-TLS. Credential Guard doesn't block certificate-based authentication.
For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.
> [!TIP]
> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to Windows 11, version 22H2. If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update.
>
> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
### Issues with third-party applications
### Issues with non-Microsoft applications
The following issue affects MSCHAPv2:
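Review bot: the TIP's context line "the device automatically enable Credential Guard after the update" needs "enables", and "If the setting is not configured" can be "isn't configured" to match the contractions in the rest of the file. The two "We recommend moving away from MSCHAPv2-based connections..." lines and the two "If Credential Guard is explicitly disabled..." lines are identical as rendered, so those parts of the hunk are whitespace-only.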
@ -25,7 +25,7 @@ Some ways to store credentials aren't protected by Credential Guard, including:
- Key loggers
- Physical attacks
- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization
- Third-party security packages
- Non-Microsoft security packages
- When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Credential Guard with any of these protocols
> [!CAUTION]
> It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Microsoft Entra users, secondary credentials should be provisioned for these use cases.
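Review bot: `> [!CAUTION]` follows the last bullet with no blank line between them, so Markdown treats the alert as a lazy continuation of the "When Credential Guard is enabled, NTLMv1..." list item instead of a standalone callout; add a blank line before it. Also, "Doesn't prevent an attacker with malware on the PC..." is a verb phrase in a list whose other items are nouns ("Key loggers", "Physical attacks", "Non-Microsoft security packages"); reword it as a noun phrase, for example "Malware already running on the PC, which can use the privileges associated with any credential".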
@ -36,7 +36,7 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin
Key trust deployments don't need client-issued certificates for on-premises authentication. *Microsoft Entra Connect Sync* configures Active Directory user accounts for public key mapping, by synchronizing the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink` attribute).
A Windows Server-based PKI or a third-party Enterprise certification authority can be used. For more information, see [Requirements for domain controller certificates from a third-party CA][SERV-1].
A Windows Server-based PKI or a non-Microsoft Enterprise certification authority can be used. For more information, see [Requirements for domain controller certificates from a non-Microsoft CA][SERV-1].
[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
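Review bot: the link text "[Requirements for domain controller certificates from a non-Microsoft CA][SERV-1]" is the title of the target article; if that target still calls itself "...from a third-party CA", rewording the link text makes it harder for readers to confirm they landed on the right page, so keep the target's own title in link text and apply the wording change only to surrounding prose. The same check applies to the other renamed link texts in this PR, for example the [SER-2] reference in the Windows Hello for Business planning guide.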
@ -8,12 +8,12 @@ ms.topic: include
Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
- certificates
- third-party authentication providers for AD FS
- non-Microsoft authentication providers for AD FS
- custom authentication provider for AD FS
> [!IMPORTANT]
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
For information on available non-Microsoft authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
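Review bot: the rewritten "For information on available non-Microsoft authentication methods..." line has no terminal period after the second link. In the context above, "requires users perform multifactor authentication (MFA) prior to enroll in the service" should read "requires users to perform multifactor authentication (MFA) before enrolling in the service", and "On-premises deployments can use, as MFA option:" should be "On-premises deployments can use one of the following as the MFA option:".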
@ -26,7 +26,7 @@ The certificate template is configured to supersede all the certificate template
However, the certificate template and the superseding of certificate templates isn't active until the template is published to one or more certificate authorities.
> [!NOTE]
> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a non-Microsoft CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
>To see all certificates in the NTAuth store, use the following command:
>
> `Certutil -viewstore -enterprise NTAuth`
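Review bot: inside the NOTE, the lines after the rewritten one (`>To see all certificates...` and the bare `>`) omit the space after `>` that the first line uses; normalize to `> ` so the alert renders as one block. Style, same line: "Active Directory Certificate Authority's root certificate" isn't the product name, "the Active Directory Certificate Services (AD CS) CA's root certificate" is, and "If you are using" can be "If you're using" to match the contraction style of the other files in this PR.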
@ -112,11 +112,11 @@ Users can authenticate to Microsoft Entra ID using federated authentication or c
| | Deployment model | Trust type | Authentication to Microsoft Entra ID | Requirements |
|--|--|--|--|--|
| **🔲** | **Cloud-only** | n/a | Cloud authentication | n/a |
| **🔲** | **Cloud-only** | n/a | Federated authentication | Third-party federation service |
| **🔲** | **Cloud-only** | n/a | Federated authentication | Non-Microsoft federation service |
| **🔲** | **Hybrid** | Cloud Kerberos trust | Cloud authentication | Password hash sync (PHS) or Pass-through authentication (PTA) |
| **🔲** | **Hybrid** | Cloud Kerberos trust | Federated authentication | AD FS or third-party federation service |
| **🔲** | **Hybrid** | Cloud Kerberos trust | Federated authentication | AD FS or non-Microsoft federation service |
| **🔲** | **Hybrid** | Key trust | Cloud authentication | Password hash sync (PHS) or Pass-through authentication (PTA) |
| **🔲** | **Hybrid** | Key trust | Federated authentication | AD FS or third-party federation service |
| **🔲** | **Hybrid** | Key trust | Federated authentication | AD FS or non-Microsoft federation service |
| **🔲** | **Hybrid** | Certificate trust | Federated authentication | This deployment model doesn't support PTA or PHS. Active Directory must be federated with Microsoft Entra ID using AD FS|
To learn more:
@ -143,7 +143,7 @@ For on-premises deployments, the server running the Active Directory Federation
The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a *strong credential* that enables easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication. However, the user must provide a second factor of authentication before Windows provisions a strong credential:
- For cloud-only and hybrid deployments, there are different choices for multifactor authentication, including [Microsoft Entra MFA][ENTRA-1]
- On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from third-party options that offer an AD FS MFA adapter. For more information, see [Microsoft and third-party additional authentication methods][SER-2]
- On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from non-Microsoft options that offer an AD FS MFA adapter. For more information, see [Microsoft and non-Microsoft additional authentication methods][SER-2]
> [!IMPORTANT]
> As of July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication. Existing deployment where the MFA Server was activated prior to July 1, 2019 can download the latest version, future updates, and generate activation credentials. For more information, see [Getting started with the Azure Multi-Factor Authentication Server][ENTRA-2].
@ -151,9 +151,9 @@ The goal of Windows Hello for Business is to move organizations away from passwo
|| Deployment model | MFA options |
|--|--|--|
| **🔲** | **Cloud-only** | Microsoft Entra MFA |
| **🔲** | **Cloud-only** | Third-party MFA via Microsoft Entra ID custom controls or federation |
| **🔲** | **Cloud-only** | Non-Microsoft MFA via Microsoft Entra ID custom controls or federation |
| **🔲** | **Hybrid** | Microsoft Entra MFA |
| **🔲** | **Hybrid** | Third-party MFA via Microsoft Entra ID custom controls or federation|
| **🔲** | **Hybrid** | Non-Microsoft MFA via Microsoft Entra ID custom controls or federation|
| **🔲** | **On-premises** | AD FS MFA adapter |
For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][ENTRA-4].
@ -224,7 +224,7 @@ Windows Hello for Business provides a rich set of granular policy settings. Ther
Here are some considerations regarding licensing requirements for cloud services:
- Windows Hello for Business doesn't require a Microsoft Entra ID P1 or P2 subscription. However, some dependencies, such as [MDM automatic enrollment][MEM-1] and [Conditional Access][ENTRA-8] do
- Devices managed via MDM don't require a Microsoft Entra ID P1 or P2 subscription. By forgoing the subscription, users must manually enroll devices in the MDM solution, such as Microsoft Intune or a supported third-party MDM
- Devices managed via MDM don't require a Microsoft Entra ID P1 or P2 subscription. By forgoing the subscription, users must manually enroll devices in the MDM solution, such as Microsoft Intune or a supported non-Microsoft MDM
- You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication for the Windows passwordless features
- Some Microsoft Entra multifactor authentication features require a license. For more information, see [Features and licenses for Microsoft Entra multifactor authentication][ENTRA-9].
- Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature
@ -36,7 +36,7 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
> [!div class="checklist"]
> Before you continue with the deployment, validate your deployment progress by reviewing the following items:
>
> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a non-Microsoft certificate)
|
||||
> - Confirm you added the AD FS service account to the KeyAdmins group
|
||||
> - Confirm you enabled the Device Registration service
|
||||
|
||||
|
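Review bot: "issuing CA vendor (if a non-Microsoft certificate)" changes the meaning of the checklist item. "Third-party" here meant a certificate bought from an external or commercial CA rather than issued by the organization's own enterprise CA; "non-Microsoft" reads as the vendor of the CA software, which is not the distinction "CA vendor" is asking the reader to record. Suggest "issuing CA vendor (if the certificate was issued by an external or commercial CA)". While the line is being touched, "subject alternate name" should read "subject alternative name", and the unchanged line below should name the group as it appears in Active Directory, "Key Admins".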
@ -21,7 +21,7 @@ Before you continue with the deployment, validate your deployment progress by re

> [!div class="checklist"]
>
> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a non-Microsoft certificate)
> - Confirm you added the AD FS service account to the KeyAdmins group
> - Confirm you enabled the Device Registration service

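Review bot: same wording problem as the identical checklist in the previous hunk: "non-Microsoft certificate" is about who wrote the CA software, whereas the item is asking whether the AD FS certificate came from an external or commercial CA, which is what determines whether a "CA vendor" needs recording. Because this checklist is duplicated verbatim across two files, consider moving it into an include so the two copies can't drift apart on the next edit.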
@ -37,18 +37,18 @@ sections:
Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There's a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Business implementation takes advantage of onboard TPM hardware to generate and protect keys. Administrators can choose to allow key operations in software, but it's recommended the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means the user will have to use MFA to reauthenticate to the IdP before the IdP allows re-registration). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.
- question: How does PIN caching work with Windows Hello for Business?
answer: |
Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Microsoft Entra ID and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key.

Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation prompts the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN.

Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Microsoft Entra ID and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key.

Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation prompts the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN.

The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. There isn't a policy setting to adjust the caching.
- question: Where is Windows Hello biometrics data stored?
answer: |
When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
- question: What is the format used to store Windows Hello biometrics data on the device?
answer: |
Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (like face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it's stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash.
- question: Who has access on Windows Hello biometrics data?
Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (like face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it's stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash.
- question: Who has access on Windows Hello biometrics data?
answer: |
Since Windows Hello biometrics data is stored in encrypted format, no user, or any process other than Windows Hello has access to it.
- question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication?
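Review bot: the removed and added lines for the two PIN-caching paragraphs, the biometrics-format paragraph and the "Who has access" question are identical in the rendered view, so this is presumably a trailing-whitespace change; confirm that is all that changed. Since the biometrics-format line is touched anyway, its last sentence is technically wrong and should be fixed in the same pass: "a key that is encrypted to the system using AES encryption producing an SHA256 hash" conflates encryption with hashing, and encryption does not produce a hash. State the key protection and any integrity check as separate claims, or drop the hash clause if it can't be stated accurately. In the unchanged biometrics-storage answer, "is created more information can be found on" is a run-on; add a period after "created".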
@ -59,17 +59,17 @@ sections:
To remove Windows Hello and any associated biometric identification data from the device, open **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. The action unenrolls from Windows Hello biometrics authentication and deletes the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy).

- name: Management and operations
questions:
questions:
- question: Can I deploy and manage Windows Hello for Business by using Microsoft Configuration Manager?
answer: |
Starting in Configuration Manager, version 2203, Windows Hello for Business deployments using Configuration Manager are no longer supported.
- question: How do I delete a Windows Hello for Business container on a device?
answer: |
You can delete the Windows Hello for Business container by executing the command `certutil.exe -deleteHelloContainer`.
answer: |
You can delete the Windows Hello for Business container by executing the command `certutil.exe -deleteHelloContainer`.
- question: What happens when a user forgets their PIN?
answer: |
If the user can sign in with a password, they can reset their PIN by selecting the *I forgot my PIN* link in the Settings app or from the lock screen, by selecting the *I forgot my PIN* link on the PIN credential provider.


For on-premises deployments, devices must be connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid deployments can onboard their Microsoft Entra tenant to use the *Windows Hello for Business PIN reset service* to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
- question: Does Windows Hello for Business prevent the use of simple PINs?
answer: |
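Review bot: the "questions:", "answer: |" and certutil lines are identical before and after, so again a whitespace-only change. While the certutil answer is touched, it should state the consequence of the command: deleting the container removes the user's Windows Hello for Business keys, so the user has to provision again; as written it reads like a routine reset. In the "forgets their PIN" answer, "by selecting the *I forgot my PIN* link in the Settings app or from the lock screen, by selecting the *I forgot my PIN* link on the PIN credential provider" says the same thing twice; suggest "from the Settings app, or from the PIN credential provider on the lock screen".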
@ -84,7 +84,7 @@ sections:
- The PIN 7036 has a constant delta of (3,3,3), so it isn't allowed
- The PIN 1231 doesn't have a constant delta (1,1,2), so it's allowed
- The PIN 1872 doesn't have a constant delta (7,9,5), so it's allowed


This check prevents repeating numbers, sequential numbers, and simple patterns. It always results in a list of 100 disallowed PINs (independent of the PIN length). This algorithm doesn't apply to alphanumeric PINs.
- question: Which diagnostic data is collected when Windows Hello for Business is enabled?
answer: |
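Review bot: the delta examples in this hunk mix two conventions. 7036 giving (3,3,3) only works with differences taken modulo 10 (0 - 7 = -7, which is 3 mod 10), and 1872 giving (7,9,5) follows the same rule (7 - 8 = -1, which is 9), but 1231 is listed as (1,1,2) where 1 - 3 = -2 is 8 under that rule. Change it to (1,1,8) or state the convention explicitly; the allowed/disallowed verdicts are unaffected either way.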
@ -92,7 +92,7 @@ sections:
- Data about whether people sign in with their face, iris, fingerprint, or PIN
- The number of times they use it
- Whether it works or not
All this is valuable information that helps Microsoft building a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
All this is valuable information that helps Microsoft building a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
- question: Can I disable the PIN while using Windows Hello for Business?
answer: |
No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that isn't a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics.
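Review bot: the "All this is valuable information" line is unchanged apart from whitespace, but since it is in the hunk, fix the grammar in the same pass: "helps Microsoft building a better product" should be "helps Microsoft build a better product". A blank line between the last bullet and that paragraph would also keep the list from running into the paragraph in some renderers.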
@ -102,7 +102,7 @@ sections:

If the user attempts to unlock the device by entering random PINs, after three unsuccessful attempts the credential provider will display the following message: **You've entered an incorrect PIN several times. To try again, enter A1B2C3 below**.
Upon entering the challenge phrase *A1B2C3*, the user will be granted one more opportunity to enter the PIN. If unsuccessful, the provider will be disabled, leaving the user with the only option to reboot the device. Following the reboot, the aforementioned pattern repeats.


If unsuccessful attempts continue, the device will enter a lockout state, lasting for 1 minute after the first reboot, 2 minutes after the fourth reboot, and 10 minutes after the fifth reboot. The duration of each lockout increases accordingly. This behavior is a result of the TPM 2.0 anti-hammering feature.
For more information about the TPM anti-hammering feature, see [TPM 2.0 anti-hammering](/windows/security/information-protection/tpm/tpm-fundamentals#tpm-20-anti-hammering).

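Review bot: the lockout sentence lists durations for the first, fourth and fifth reboot and then says "the duration of each lockout increases accordingly", which leaves the second and third reboot unspecified and the word "accordingly" doing work it can't do. Either give the full sequence or reword to say that each further reboot lengthens the lockout, and note that the exact values depend on the TPM's anti-hammering implementation if that is the intent of the following reference.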
@ -110,7 +110,7 @@ sections:
questions:
- question: Can Windows Hello for Business work in air-gapped environments?
answer: |
Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that doesn't require internet connectivity to achieve an air-gapped Windows Hello for Business deployment.
Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a non-Microsoft MFA provider that doesn't require internet connectivity to achieve an air-gapped Windows Hello for Business deployment.
- question: How many users can enroll for Windows Hello for Business on a single Windows device?
answer: |
The maximum number of supported enrollments on a single device is 10. This lets 10 users each enroll their face and up to 10 fingerprints. For devices with more than 10 users, or for users that sign-in to many devices (for example, a support technician), it's recommended the use of FIDO2 security keys.
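Review bot: the air-gapped answer reads correctly with "non-Microsoft MFA provider". In the unchanged enrollment-limit line, "it's recommended the use of FIDO2 security keys" is ungrammatical; suggest "FIDO2 security keys are recommended", and "users that sign-in to many devices" should be "sign in" (verb, no hyphen).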
@ -120,17 +120,17 @@ sections:
- question: What attributes are synchronized by Microsoft Entra Connect with Windows Hello for Business?
answer: |
Review [Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#windows-10) scenario and the [Device writeback](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes.
- question: Can I use third-party MFA providers with Windows Hello for Business?
- question: Can I use non-Microsoft MFA providers with Windows Hello for Business?
answer: |
Yes, if you're using federated hybrid deployment, you can use any third-party that provides an AD FS MFA adapter. A list of third-party MFA adapters can be found [here](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
- question: Does Windows Hello for Business work with third-party federation servers?
Yes, if you're using federated hybrid deployment, you can use any non-Microsoft that provides an AD FS MFA adapter. A list of non-Microsoft MFA adapters can be found [here](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
- question: Does Windows Hello for Business work with non-Microsoft federation servers?
answer: |
Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience.<br><br>

Windows Hello for Business works with any non-Microsoft federation servers that support the protocols used during the provisioning experience.<br><br>

| Protocol | Description |
| :--- | :--- |
| [[MS-KPP]: Key Provisioning Protocol](/openspecs/windows_protocols/ms-kpp/25ff7bd8-50e3-4769-af23-bcfd0b4d4567) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. |
| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and log in hints. |
| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and log in hints. |
| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](/openspecs/windows_protocols/ms-oapxbc/2f7d8875-0383-4058-956d-2fb216b44706) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. |
| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](/openspecs/windows_protocols/ms-oidce/718379cf-8bc1-487e-962d-208aeb8e70ee) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define other claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define more provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. |
- question: Can I enroll local Windows accounts in Windows Hello for Business?
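Review bot: the search-and-replace broke the MFA answer: "you can use any non-Microsoft that provides an AD FS MFA adapter" lost its noun. It should read "any non-Microsoft provider that provides an AD FS MFA adapter" (or "any vendor that offers an AD FS MFA adapter" to avoid the repetition). The link target's fragment still says "#microsoft-and-third-party-additional-authentication-methods"; that is the heading id of the linked page and must stay as it is, so the replace should not be extended to URLs. The "[here]" link text would also be better as the linked page's title. The duplicated MS-OAPX table row shows no visible difference, so it is presumably whitespace only.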
@ -146,9 +146,9 @@ sections:
answer: |
A user will be prompted to set up a Windows Hello for Business key on a Microsoft Entra registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures.

If a user has signed into their Microsoft Entra registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Microsoft Entra resources. The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
If a user has signed into their Microsoft Entra registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Microsoft Entra resources. The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.

It's possible to Microsoft Entra register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business.
It's possible to Microsoft Entra register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business.

For more information, see [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register).
- question: Does Windows Hello for Business work with non-Windows operating systems?
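Review bot: both changed lines in this hunk are visually identical before and after (whitespace only). Since they are touched, the wording is worth fixing at the same time: "It's possible to Microsoft Entra register a domain joined device" uses a product name as a verb; suggest "A domain-joined device can also be registered with Microsoft Entra ID". In the unchanged first line, "on a Microsoft Entra registered devices" should be singular.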
@ -181,11 +181,11 @@ sections:
- question: What URLs do I need to allow for a hybrid deployment?
answer: |
For a list of required URLs, see [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online).


If your environment uses Microsoft Intune, see [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints).

- name: Features
questions:
questions:
- question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera?
answer: |
Yes, you can use an external Windows Hello compatible camera if a device has an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). If ESS is enabled, see [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security).
@ -17,7 +17,7 @@ PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to

The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Microsoft Entra join devices. Typically, the UI displays an Azure authentication page, where the user authenticates using Microsoft Entra credentials and completes MFA.

In federated environments, authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it fails and displays the *We can't open that page right now* error, if the domain for the server page isn't included in an allowlist.
In federated environments, authentication may be configured to route to AD FS or a non-Microsoft identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it fails and displays the *We can't open that page right now* error, if the domain for the server page isn't included in an allowlist.

If you're a customer of *Azure US Government* cloud, PIN reset also attempts to navigate to a domain that isn't included in the default allowlist. The result is the message *We can't open that page right now*.

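Review bot: the changed sentence describes the failure ("isn't included in an allowlist") but not where that allowlist lives; a pointer to the policy that configures the web sign-in allowlist belongs here or in the sentence that follows, otherwise the reader knows the symptom and not the fix. Two naming nits in the unchanged context: "Microsoft Entra join devices" should be "Microsoft Entra joined devices" (as in the hunk header), and "an Azure authentication page" should use the same Microsoft Entra naming the rest of the paragraph uses.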
@ -49,18 +49,18 @@ After the initial sign-in attempt, the user's Windows Hello for Business public

To resolve the issue, update Windows Server 2016 and 2019 domain controllers with the latest patches. For Windows Server 2016, the behavior is fixed in build *14393.4104* ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, the behavior is fixed in build *17763.1637* ([KB4592440](https://support.microsoft.com/help/4592440)).

## Microsoft Entra joined device access to on-premises resources using key trust and third-party Certificate Authority (CA)
## Microsoft Entra joined device access to on-premises resources using key trust and non-Microsoft Certificate Authority (CA)

Applies to:

- Microsoft Entra joined key trust deployments
- Third-party certificate authority (CA) issuing domain controller certificates
- Non-Microsoft certificate authority (CA) issuing domain controller certificates

Windows Hello for Business uses smart-card based authentication for many operations. This type of authentication has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from a Microsoft Entra joined device does require special configuration when using a third-party CA to issue domain controller certificates.
Windows Hello for Business uses smart-card based authentication for many operations. This type of authentication has special guidelines when using a non-Microsoft CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from a Microsoft Entra joined device does require special configuration when using a non-Microsoft CA to issue domain controller certificates.

For more information, read [Guidelines for enabling smart card sign in with third-party certification authorities](/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities).
For more information, read [Guidelines for enabling smart card sign in with non-Microsoft certification authorities](/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities).

### Identify on-premises resource access issues with third party CAs
### Identify on-premises resource access issues with non-Microsoft CAs

The issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client fails to place a `TGS_REQ` request when a user attempts to access a resource. On the client, it can be observed in the Kerberos operation event log under `Application and Services/Microsoft/Windows/Security-Kerberos/Operational`. The logs are disabled by default. The failure event for this case includes the following information:

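Review bot: the link text was rewritten to "Guidelines for enabling smart card sign in with non-Microsoft certification authorities" while the target slug is still "enabling-smart-card-logon-third-party-certification-authorities"; if the linked article's title was not changed in the same PR, the link text should keep matching that title rather than the new wording, otherwise readers land on a page with a different name than the one they clicked. In this section, "non-Microsoft CA" is the right meaning (the contrast is with AD CS), so the heading and body changes are fine. For the identification step, the unchanged line says the Kerberos operational log is disabled by default but not how to enable it; since the whole diagnosis depends on that log, add the enabling step or a link to it.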
@ -80,7 +80,7 @@ Expected Domain Name: ad.contoso.com
Error Code: 0xC000006D
```

### Resolve on-premises resource access issue with third party CAs
### Resolve on-premises resource access issue with non-Microsoft CAs

To resolve the issue, domain controller certificates must be updated so that the certificate subject contains the directory path of the server object (distinguished name).
Example Subject: `CN=DC1,OU=Domain Controllers,DC=ad,DC=contoso,DC=com`
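Review bot: the heading change is fine; two layout points in the same hunk. The "Example Subject:" line runs directly after the paragraph with no blank line and would read better as its own short fenced block, matching the fenced event output just above it. The resolution also only says the subject must contain the distinguished name, but the error shown above pairs that with an "Expected Domain Name" value; a sentence stating that the DN in the subject is what the client matches against that expected domain name would connect the symptom to the fix.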
@ -71,7 +71,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
| 0x80072F8F | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows.|
| 0x80090010 | NTE_PERM |
| 0x80090020 | NTE_FAIL |
| 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
| 0x80090027 | Caller provided a wrong parameter. If non-Microsoft code receives this error, they must change their code. |
| 0x8009002D | NTE_INTERNAL_ERROR |
| 0x801C0001 | ADRS server response is not in a valid format. |
| 0x801C0002 | Server failed to authenticate the user. |
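Review bot: after the replacement the 0x80090027 row reads "If non-Microsoft code receives this error, they must change their code", where "they" has no antecedent ("code" is singular and not a person). Suggest "If non-Microsoft code receives this error, its author must correct the code" or simply "the calling code must be corrected". Unrelated to this change but in the same table: the NTE_PERM, NTE_FAIL and NTE_INTERNAL_ERROR rows carry only the constant name, while the rest of the table gives a description; a short description per row would make the "contact Microsoft Support" guidance actionable.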
@ -70,7 +70,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,

| Phase | Description |
|:-|:-|
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br> In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. The Microsoft Entra multifactor authentication service (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise token on successful MFA. The application sends the token to Microsoft Entra ID.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br> In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. The Microsoft Entra multifactor authentication service (or a non-Microsoft MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise token on successful MFA. The application sends the token to Microsoft Entra ID.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID and a key receipt to the application, which represents the end of user key registration. |
| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. |
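Review bot: the row A change is correct. Two defects in the unchanged rows of the same table are worth fixing while it is open: row C says "writes the key information to a multi-values attribute", which should be "multi-valued attribute", and row D names the attribute "msDS-KeyCredentialsLink", whereas the Active Directory attribute is msDS-KeyCredentialLink (singular). Row C also switches between "ADRS" and "Azure DRS" for the same service within one cell; pick one.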
@ -87,7 +87,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|
||||
|
||||
| Phase | Description |
|
||||
| :----: | :----------- |
|
||||
|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br> In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Microsoft Entra multifactor authentication server (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br> In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Microsoft Entra multifactor authentication server (or a non-Microsoft MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
| B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
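Review bot: The term change in row A ("third party MFA service" to "non-Microsoft MFA service") is consistent with the rest of the change set, but row B in the same hunk is missing a noun: "the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics)" should read something like "to create a PIN, which is the default gesture (and the fall-back gesture when used with biometrics)". Worth fixing while the table is being edited.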
@ -97,7 +97,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| Phase | Description |
| :----: | :----------- |
|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br> In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Microsoft Entra multifactor authentication server (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br> In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Microsoft Entra multifactor authentication server (or a non-Microsoft MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
| B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys.|
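Review bot: Rows A, B and C here are identical to the rows in the previous hunk (@ -87), so the same one-word change had to be applied twice in one file. Consider moving the shared rows into an [!INCLUDE] file, as this repo already does elsewhere in the diff (for example intune-settings-catalog-1.md), so that future wording updates land once.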
@ -11,7 +11,7 @@ ms.topic: include
- If you disable this policy setting, the device doesn't provision Windows Hello for Business for any user
- If you don't configure this policy setting, users can provision Windows Hello for Business
Select the option *Don't start Windows Hello provisioning after sign-in* when you use a third-party solution to provision Windows Hello for Business:
Select the option *Don't start Windows Hello provisioning after sign-in* when you use a non-Microsoft solution to provision Windows Hello for Business:
- If you select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business doesn't automatically start provisioning after the user has signed in
- If you don't select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business automatically starts provisioning after the user has signed in
@ -39,13 +39,13 @@ Supported credential providers include:
|Credential Provider| GUID|
|:------------------|:----|
|PIN| `{D6886603-9D2F-4EB2-B667-1971041FA96B}`|
|PIN| `{D6886603-9D2F-4EB2-B667-1971041FA96B}`|
|Fingerprint| `{BEC09223-B018-416D-A0AC-523971B639F5}`|
|Facial Recognition| `{8AF662BF-65A0-4D0A-A540-A338A999D36F}`|
|Trusted Signal<br>(Phone proximity, Network location) | `{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}`|
> [!NOTE]
> Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table.
> Multifactor unlock does not support non-Microsoft credential providers or credential providers not listed in the above table.
The default credential providers for the **First unlock factor credential provider** include:
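Review bot: The rewritten NOTE keeps "does not" while the other files in this change set use contractions ("doesn't", "isn't"); suggest "Multifactor unlock doesn't support non-Microsoft credential providers or credential providers not listed in the above table." The PIN row also appears as both removed and added with identical visible text, so that part of the hunk is whitespace-only; just confirming nothing else was intended to change in the GUID table.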
@ -121,7 +121,7 @@ The **classofDevice** attribute defaults to Phone and uses the values from the f
|Health|2304|
|Uncategorized|7936|
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
RSSI measurements are relative, and lower as the bluetooth signals between the two paired devices reduces. A measurement of 0 is stronger than -10. A measurement of -10 is stronger than -60, and indicates that the devices are moving further apart from each other.
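Review bot: The rssiMin/rssiMaxDelta paragraph is shown as changed but its visible text is identical, so this is a whitespace-only edit; since the line is being touched anyway, fix its grammar: "which instruct Windows to lock the device" should be "which instructs Windows", and "weakens by more than measurement of 10" should be "weakens by more than a measurement of 10". In the following context paragraph, "bluetooth" should be capitalized as "Bluetooth".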
@ -169,7 +169,7 @@ The IPv4 DNS server represented in Internet standard dotted-decimal notation. A
##### IPv6Prefix
The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element. For example:
The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element. For example:
```xml
<ipv6Prefix>21DA:D3::/48</ipv6Prefix>
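Review bot: The rewritten sentence "The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding" doesn't parse; suggest "The IPv6 network prefix, represented using Internet standard hexadecimal encoding", which mirrors the IPv4 sentence visible in this hunk's header ("represented in Internet standard dotted-decimal notation"). Also "may only contain" reads better as "can only contain".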
@ -243,7 +243,7 @@ Contains the type of security the client uses when connecting to the wireless ne
For example:
```xml
<security>WPA2-Enterprise</security>
<security>WPA2-Enterprise</security>
```
#### TrustedRootCA
@ -273,13 +273,13 @@ For example:
The following example configures an **IPConfig** signal type using **Ipv4Prefix**, **Ipv4DnsServer**, and **DnsSuffix** elements.
```xml
<rule schemaVersion="1.0">
<signal type="ipConfig">
<rule schemaVersion="1.0">
<signal type="ipConfig">
<ipv4Prefix>10.10.10.0/24</ipv4Prefix>
<ipv4DnsServer>10.10.0.1</ipv4DnsServer>
<ipv4DnsServer>10.10.0.2</ipv4DnsServer>
<dnsSuffix>corp.contoso.com</dnsSuffix>
</signal>
<dnsSuffix>corp.contoso.com</dnsSuffix>
</signal>
</rule>
```
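Review bot: The lead-in sentence names the elements as **Ipv4Prefix**, **Ipv4DnsServer** and **DnsSuffix**, but the XML in the same hunk uses `ipv4Prefix`, `ipv4DnsServer` and `dnsSuffix`. XML element names are case-sensitive, so the prose should use the lower-camel spelling, as the ipv6Prefix sentence earlier in this diff already does.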
@ -291,10 +291,10 @@ The following example configures an **IpConfig** signal type using a **dnsSuffix
>Separate each rule element using a comma.
```xml
<rule schemaVersion="1.0">
<signal type="ipConfig">
<dnsSuffix>corp.contoso.com</dnsSuffix>
</signal>
<rule schemaVersion="1.0">
<signal type="ipConfig">
<dnsSuffix>corp.contoso.com</dnsSuffix>
</signal>
</rule>,
<rule schemaVersion="1.0">
<signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
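Review bot: The blockquote `>Separate each rule element using a comma.` is missing the space after `>` that the other callouts in these files use (`> [!NOTE]`, `> [!IMPORTANT]`); make it `> Separate each rule element using a comma.` for consistent rendering. The trailing comma after `</rule>` in the example matches that sentence, so the example itself looks right.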
@ -310,7 +310,7 @@ The following example configures the same as example 2 using compounding `and` e
<and>
<signal type="ipConfig">
<dnsSuffix>corp.microsoft.com</dnsSuffix>
</signal>
</signal>
<signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
</and>
</rule>
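Review bot: The hunk header says this example "configures the same as example 2", but the `dnsSuffix` here is `corp.microsoft.com` while example 2 uses `corp.contoso.com`. Use `corp.contoso.com` so the two examples really are equivalent and the placeholder domain stays a fictional one.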
@ -382,7 +382,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
---
>[!IMPORTANT]
>You should remove all third party credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed).
>You should remove all non-Microsoft credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed).
## User experience
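Review bot: Since the IMPORTANT box is being rewritten, align its wording with the rest of the change set: "cannot" and "do not" to "can't" and "don't", and "fall back options" to "fallback options". The substance (remove non-Microsoft credential providers so the required factors can't be bypassed; password and smart card remain as fallbacks that can be disabled) is unchanged and correct as written.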
@ -179,7 +179,7 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
**Applies to:** Microsoft Entra joined devices
PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *We can't open that page right now*.\
If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Microsoft Entra joined PIN reset.
If you have a federated environment and authentication is handled using AD FS or a non-Microsoft identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Microsoft Entra joined PIN reset.
[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
@ -197,9 +197,9 @@ Here are the steps to manually request a certificate using an Active Directory C
---
## Use third-party certification authorities
## Use non-Microsoft certification authorities
If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6].
If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use non-Microsoft certification authorities (CA) with SCEP in Microsoft Intune][MEM-6].
As an alternative to using SCEP, or if none of the previously covered solutions work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest][HTTP-1] PowerShell commandlet.
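Review bot: The link text for [MEM-6] is changed to "Use non-Microsoft certification authorities (CA) with SCEP in Microsoft Intune"; please verify that this still matches the title of the target article, because link text that differs from the destination's heading confuses readers who land there. In the unchanged context line, "PowerShell commandlet" should be "PowerShell cmdlet".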
@ -3,7 +3,7 @@ items:
href: index.md
- name: How Windows Hello for Business works
items:
- name: Core concepts
- name: Core concepts
href: how-it-works.md
- name: How device registration works 🔗
href: /entra/identity/devices/device-registration-how-it-works
@ -15,12 +15,12 @@ items:
href: configure.md
- name: Deployment guides
href: deploy/toc.yml
- name: How-to-guides
- name: How-to guides
items:
- name: Configure PIN reset
href: pin-reset.md
- name: Configure dual enrollment
href: hello-feature-dual-enrollment.md
href: hello-feature-dual-enrollment.md
- name: Configure dynamic lock
href: hello-feature-dynamic-lock.md
- name: Configure multi-factor unlock
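Review bot: The TOC entry "Configure multi-factor unlock" is spelled differently from the feature page this same change set edits, which calls the feature "Multifactor unlock" (see the NOTE in the credential provider hunk above); pick one spelling for both the TOC and the page. The "How-to-guides" to "How-to guides" fix is good.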
@ -42,4 +42,4 @@ items:
- name: Windows Hello Enhanced Security Sign-in (ESS) 🔗
href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
- name: Frequently Asked Questions (FAQ)
href: faq.yml
href: faq.yml
@ -54,7 +54,7 @@ Mitigating password usage with applications is one of the more challenging obsta
The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Microsoft Entra ID or Active Directory. Work with the applications vendors to have them add support for Microsoft Entra identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
Each scenario on your list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to integrate in your Microsoft Entra ID tenant, use federated identities, or use Windows integrated authentication. Work with third-party software publishers to update their software to integrate in Microsoft Entra ID, support federated identities, or use Windows integrated authentication.
Each scenario on your list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to integrate in your Microsoft Entra ID tenant, use federated identities, or use Windows integrated authentication. Work with non-Microsoft software publishers to update their software to integrate in Microsoft Entra ID, support federated identities, or use Windows integrated authentication.
## Repeat until all user password usage is mitigated
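Review bot: In the unchanged context paragraph, "when they sign-in to Windows" uses the noun form as a verb; it should be "when they sign in to Windows". The term change in the following paragraph ("non-Microsoft software publishers") is consistent with the rest of the change set.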
@ -134,7 +134,7 @@ For more information, see [Use a Temporary Access Pass][AAD-3].
:::row:::
:::column span="2":::
If the Microsoft Entra tenant is federated with a third-party SAML-P identity provider (IdP), federated users can sign using the Web sign-in credential provider.
If the Microsoft Entra tenant is federated with a non-Microsoft SAML-P identity provider (IdP), federated users can sign using the Web sign-in credential provider.
:::column-end:::
:::column span="2":::
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=88ad0efb-9031-428c-a3cf-612c47810ecf]
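Review bot: The rewritten sentence is missing a word: "federated users can sign using the Web sign-in credential provider" should read "federated users can sign in using the Web sign-in credential provider". Since this line is being replaced anyway, fix it in the same commit.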
@ -22,7 +22,7 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
| **[Web sign-in](/windows/security/identity-protection/web-sign-in)** | Web sign-in is a credential provider initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in have been expanded. For example, users can sign-in to Windows using the Microsoft Authenticator app or with a federated identity. |
| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with non-Microsoft identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. |
| **[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
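Review bot: Hyphenation of "sign in" is inconsistent across this table: the rewritten Federated sign-in row uses the noun without a hyphen ("enables secure sign in through methods"), which should be "secure sign-in", while the Web sign-in row above it uses the hyphenated form as a verb ("users can sign-in to Windows"), which should be "sign in". Hyphenate the noun, not the verb.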
@ -19,53 +19,53 @@ sections:
answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
- question: How can I tell if a computer has a TPM?
answer: The TPM status can be checked in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
answer: The TPM status can be checked in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
- question: Can I use BitLocker on an operating system drive without a TPM?
answer: |
Yes, BitLocker can be enabled on an operating system drive without a TPM, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. BitLocker won't unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs won't be able to use the system integrity verification that BitLocker can also provide.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
- question: How do I obtain BIOS support for the TPM on my computer?
answer: |
Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
- It's compliant with the TCG standards for a client computer
- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer
- question: What user rights are required to use BitLocker?
answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership to the local *Administrators* group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
- question: What is the recommended boot order for computers that are going to be BitLocker-protected?
answer: The computer's startup options should be configured to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk isn't first and the computer typically boots from the hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause a prompt for the BitLocker recovery key. For the same reason, if a laptop is used with a docking station, ensure that the hard disk drive is first in the boot order both when the laptop is docked and undocked.
answer: The computer's startup options should be configured to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk isn't first and the computer typically boots from the hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause a prompt for the BitLocker recovery key. For the same reason, if a laptop is used with a docking station, ensure that the hard disk drive is first in the boot order both when the laptop is docked and undocked.
- name: BitLocker and Windows upgrade
questions:
- question: |
Can I upgrade Windows versions with BitLocker enabled?
answer: |
Yes.
Yes.
- question: |
What is the difference between suspending and decrypting BitLocker?
answer: |
*Decrypt* completely removes BitLocker protection and fully decrypts the drive.
*Suspend* keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the *Suspend* option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
- question: |
Do I have to suspend BitLocker protection to download and install system updates and upgrades?
answer: |
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start).
Users need to suspend BitLocker for Non-Microsoft software updates, such as:
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start).
Users need to suspend BitLocker for Non-Microsoft software updates, such as:
- Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection
- Non-Microsoft application updates that modify the UEFI\BIOS configuration
- Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation)
- Manual or non-Microsoft updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation)
- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates)
- BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it reports **Uses Secure Boot for integrity validation**
> [!NOTE]
> If BitLocker is suspended, you can resume BitLocker protection after the upgrade or update is installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
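Review bot: Capitalization is now inconsistent within the same answer: the unchanged line "Users need to suspend BitLocker for Non-Microsoft software updates" keeps an uppercase "Non-Microsoft" mid-sentence, while the rewritten bullet uses "non-Microsoft"; lowercase it in the sentence too. The same answer also writes "UEFI\BIOS" with a backslash in two bullets; "UEFI/BIOS" is the conventional form and avoids reading as a path.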
@ -74,16 +74,16 @@ sections:
- question: Can BitLocker deployment be automated in an enterprise environment?
answer: |
Yes, the deployment and configuration BitLocker can be automated using either Windows PowerShell or with the `manage-bde.exe` command. For more information about common BitLocker management commands, check the [BitLocker operations guide](operations-guide.md).
- question: Is there a noticeable performance impact when BitLocker is enabled on a computer?
answer: Typically, there's a small performance overhead, often in single-digit percentages, which is relative to the throughput of the storage operations on which it needs to operate.
- question: How long will initial encryption take when BitLocker is turned on?
answer: |
Although BitLocker encryption occurs in the background while a user continues to work with the system remaining usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If encrypting large drives, encryption may want to be scheduled during times when the drive isn't being used.
When BitLocker is enabled, BitLocker can also be set to encrypt the entire drive or just the used space on the drive. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
- question: What happens if the computer is turned off during encryption or decryption?
answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. BitLocker resuming encryption or decryption is true even if the power is suddenly unavailable.
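Review bot: No visible text changes in this hunk, so it is whitespace-only; while these answers are being touched, "the deployment and configuration BitLocker can be automated" is missing "of" ("the deployment and configuration of BitLocker"), and "encryption may want to be scheduled during times when the drive isn't being used" reads better as "consider scheduling encryption for times when the drive isn't being used".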
@ -94,35 +94,35 @@ sections:
answer: |
Policy settings can be configured to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker policy settings](configure.md).
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that aren't protected by BitLocker as read-only.
- question: |
What is Used Disk Space Only encryption?
answer: |
BitLocker lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](planning-guide.md#used-disk-space-only-encryption).
- question: |
|
||||
What system changes would cause the integrity check on the OS drive to fail?
|
||||
answer: |
|
||||
The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
|
||||
|
||||
|
||||
- Moving the BitLocker-protected drive into a new computer
|
||||
- Installing a new motherboard with a new TPM
|
||||
- Turning off, disabling, or clearing the TPM
|
||||
- Changing any boot configuration settings
|
||||
- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data
|
||||
|
||||
|
||||
- question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
|
||||
answer: |
|
||||
Because BitLocker is designed to protect computers from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
|
||||
For example:
|
||||
|
||||
Because BitLocker is designed to protect computers from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
|
||||
For example:
|
||||
|
||||
- Changing the BIOS boot order to boot another drive in advance of the hard drive
|
||||
- Adding or removing hardware, such as inserting a new card in the computer
|
||||
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer
|
||||
|
||||
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
|
||||
|
||||
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
|
||||
The TPM isn't involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
|
||||
|
||||
|
||||
- question: What can prevent BitLocker from binding to PCR 7?
|
||||
answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot isn't available to the device, either because it's disabled or the hardware doesn't support it.
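Review bot: "depending on how much data that needs to be encrypted" in the Used Disk Space Only answer has a stray "that"; it should read "depending on how much data needs to be encrypted". The same answer calls the option "not the most secure way to encrypt a drive" without giving a reason, and the planning-guide link is the only place a reader can find one; a single clause stating the trade-off would let readers decide without leaving the FAQ.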
@ -139,15 +139,15 @@ sections:
answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.

- name: Key Management
questions:
questions:
- question: How can I authenticate or unlock my removable data drive?
answer: |
Removable data drives can be unlocked using a password or a smart card. A SID protector can also be configured to unlock a drive by using user domain credentials. After encryption has started, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users including password complexity and minimum length requirements. To unlock by using a SID protector, use `manage-bde.exe`:

```cmd
Manage-bde.exe -protectors -add e: -sid domain\username
```

- question: What is the difference between a TPM owner password, recovery password, recovery key, PIN, enhanced PIN, and startup key?
answer: |
There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require.
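Review bot: the fenced command `Manage-bde.exe -protectors -add e: -sid domain\username` capitalizes the tool name while the prose in the same answer, and the fences in later hunks, use `manage-bde.exe`; use the lowercase form in the fence for consistency. "On some versions ATA and SATA-based, direct-attached storage devices are also supported" needs a comma after "versions".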
@ -164,7 +164,7 @@ sections:
- A key file on a USB flash drive that is read directly by the BitLocker recovery console. During recovery, you need to insert this USB device

**PIN and enhanced PIN**

For a higher level of security with the TPM, you can configure BitLocker with a personal identification number (PIN). The PIN is a user-created value that must be entered each time the computer starts or resumes from hibernation. The PIN can consist of 4 to 20 digits as specified by the *Configure minimum PIN length for startup* policy setting and is stored internally as a 256-bit hash of the entered Unicode characters. This value is never displayed to the user. The PIN is used to provide another factor of authentication in conjunction with TPM authentication.\
For an even higher level of security with the TPM, you can configure BitLocker to use enhanced PINs. Enhanced PINs are PINs that use the full keyboard character set in addition to the numeric set to allow for more possible PIN combinations and are between 4 and 20 characters in length. To use enhanced PINs, you must enable the *Allow enhanced PINs for startup* policy setting before adding the PIN to the drive. By enabling this policy, all PINs created can utilize full keyboard characters.
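Review bot: the trailing backslash at the end of the "For a higher level of security with the TPM" paragraph forces a hard line break, whereas the rest of this file separates paragraphs with a blank line; replace the backslash with a blank line so the enhanced-PIN paragraph renders as its own paragraph. "This value is never displayed to the user" is ambiguous between the PIN and its 256-bit hash; name the value you mean.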
@ -178,15 +178,15 @@ sections:
- question: How can the recovery password and recovery key be stored?
answer: |
The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to a Microsoft Account, or printed.

For removable data drives, the recovery password and recovery key can be saved to a folder, saved to a Microsoft Account, or printed. By default, a recovery key for a removable drive can't be stored on a removable drive.

A domain administrator can also configure policy settings to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) or Microsoft Entra ID for any BitLocker-protected drive.

- question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
answer: |
The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated Command Prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN:

```cmd
manage-bde.exe -protectors -delete %systemdrive% -type tpm
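Review bot: the sequence starts by deleting the TPM protector (`manage-bde.exe -protectors -delete %systemdrive% -type tpm`) before the replacement protector is added; the answer should state that a recovery password protector must already exist and that a restart between the two commands leaves the OS drive with no TPM protector, so it can then be unlocked only with recovery information. The lead-in refers to a *4-20 digit numeric PIN* placeholder that isn't visible in this hunk; confirm the next command line uses exactly that text.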
@ -195,13 +195,13 @@ sections:

- question: When should an additional method of authentication be considered?
answer: |
New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book don't have external DMA ports to attack.
For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](configure.md) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers.

New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book don't have external DMA ports to attack.
For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](configure.md) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers.

- question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
answer: |
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.

> [!IMPORTANT]
> Store the recovery information in Microsoft Entra ID, AD DS, Microsoft Account, or another safe location.
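Review bot: subject-verb agreement in "New hardware that meets ... requirements make a PIN less critical" should be "makes". That paragraph appears twice in this hunk with no visible text difference, so the change there is presumably whitespace only; confirm it was intended. The [!IMPORTANT] box writes "Microsoft Account" while the storage answer above writes "a Microsoft Account"; pick one form.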
@ -226,39 +226,39 @@ sections:
- question: Where are the encryption keys stored?
answer: |
The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.

This storage process ensures that the volume master key is never stored unencrypted and is protected unless BitLocker is disabled. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.

- question: Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
answer: |
The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 aren't usable in the pre-boot environment on all keyboards.

When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.

- question: How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
answer: |
It's possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker has physical access to the computer.

The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact the TPM's manufacturer to determine how the computer's TPM mitigates PIN brute force attacks.
After the TPM's manufacturer is determined, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.

- question: How can I determine the manufacturer of my TPM?
answer: The TPM manufacturer can be determined in **Windows Defender Security Center** > **Device Security** > **Security processor details**.

- question: How can I evaluate a TPM's dictionary attack mitigation mechanism?
answer: |
The following questions can assist when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:

- How many failed authorization attempts can occur before lockout?
- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
- What actions can cause the failure count and lockout duration to be decreased or reset?

- question: Can PIN length and complexity be managed with policy settings?
answer: |
The minimum personal identification number (PIN) length can be configured by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** policy setting. PIN complexity can't be required via policy settings.

For more info, see [BitLocker policy settings](configure.md).

- question: How are the PIN and TPM used to derive the volume master key?
answer: |
BitLocker hashes the user-specified personal identification number (PIN) by using SHA-256, and the first 160 bits of the hash are used as authorization data sent to the TPM to seal the volume master key. The volume master key is now protected by both the TPM and the PIN. To unseal the volume master key, you are required to enter the PIN each time the computer restarts or resumes from hibernation.
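Review bot: "The minimum personal identification number (PIN) length can be configured by using the ... setting and allow the use of alphanumeric PINs by enabling ..." mixes a passive and an active clause; suggest "... can be configured by using the **Configure minimum PIN length for startup** Group Policy setting, and alphanumeric PINs can be allowed by enabling the **Allow enhanced PINs for startup** policy setting." In the brute-force answer, "this type of attack, also known as a dictionary attack" treats brute force and dictionary attacks as the same thing; they differ (exhaustive enumeration versus a list of likely values), so "a brute force or dictionary attack" is the accurate wording, and the later question title already uses "dictionary attack mitigation" on its own.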
@ -267,18 +267,18 @@ sections:
questions:
- question: What is BitLocker To Go?
answer: |
BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of:

BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of:

- USB flash drives
- SD cards
- External hard disk drives
- Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
- Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.

Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).

As with BitLocker, drives that are encrypted by BitLocker To Go can be opened by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.

- name: BitLocker and Active Directory Domain Services (AD DS)
- name: BitLocker and Active Directory Domain Services (AD DS)
questions:
- question: |
What type of information is stored in AD DS?
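Review bot: the last item in the BitLocker To Go list, "Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.", ends with a period while the three items above it don't; drop the period. The duplicated "- name: BitLocker and Active Directory Domain Services (AD DS)" lines show no visible text change, so that edit is presumably an indentation fix.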
@ -286,15 +286,15 @@ sections:
Stored information | Description
-------------------|------------
BitLocker recovery password | The recovery password allows unlocking of and access to the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`.

BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`.

- question: |
What if BitLocker is enabled on a computer before the computer joins the domain?
answer: |
If BitLocker is enabled on a drive before policy settings are applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when the policy settings are subsequently applied. However, the policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS.

For more information how to back up the recovery password to AD DS or Microsoft Entra ID, review the [BitLocker operations guide](operations-guide.md).

> [!IMPORTANT]
> Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled with policy settings).
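Review bot: "For more information how to back up the recovery password" is missing "about" ("For more information about how to back up"). The first answer in this hunk is a single very long sentence; split it after "subsequently applied" and write "can be configured to require" instead of "can be chosen to require", which doesn't describe a policy setting.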
@ -302,9 +302,9 @@ sections:
Is there an event log entry recorded on the client computer to indicate the success or failure of the Microsoft Entra ID or Active Directory backup?
answer: |
Yes, an event log entry that indicates the success or failure of a backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it's also possible that the log entry could be spoofed.

Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.

- question: |
If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
answer: |
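Review bot: the answer says an event log entry is recorded but doesn't name the log channel or the event IDs, which is what an administrator needs in order to query for backup failures; add them. The closing sentence refers to "the BitLocker password viewer tool" while the table earlier in this hunk calls it "BitLocker Recovery Password Viewer"; use the full name in both places.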
@ -314,11 +314,11 @@ sections:
What happens if the backup initially fails? Will BitLocker retry it?
answer: |
If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker doesn't try again to back up the recovery information to AD DS.

When an administrator selects the **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker can't be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.

For more info, see [BitLocker policy settings](configure.md).

When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker won't automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer joins the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-joins-the-domain-) to capture the information after connectivity is restored.

- name: Security
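Review bot: the last paragraph sends readers to "a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer joins the domain?]", but that answer, as shown in the earlier hunk of this file, describes only the three recovery policy settings and links to the operations guide; it no longer describes a script, so the cross-reference is dangling. Either link to the operations guide directly here or restore the script description in the referenced answer. "With these settings configured if the backup fails" also needs a comma after "configured".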
@ -336,29 +336,29 @@ sections:
- question: |
What are the implications of using the sleep or hibernate power management options?
answer: |
BitLocker on operating system drives in its basic configuration provides extra security for the hibernate mode. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode. Startup authentication can be configured by using a [policy setting](configure.md).

BitLocker on operating system drives in its basic configuration provides extra security for the hibernate mode. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode. Startup authentication can be configured by using a [policy setting](configure.md).

- question: |
What are the advantages of a TPM?
answer: |
Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually aren't as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.

> [!NOTE]
> Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.

- name: Network Unlock
questions:
- question: |
What is BitLocker Network Unlock?
answer: |
answer: |
BitLocker Network Unlock enables easier management for BitLocker-enabled clients and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.

To use Network Unlock, a PIN must be configured for the computer. When the computer isn't connected to the network, a PIN will need to be provided to unlock it.

BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before it can be used.

Network Unlock uses two protectors - the TPM protector and the protector provided by the network or by the PIN. Automatic unlock uses a single protector - the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt to enter a PIN. If the PIN isn't available, the recovery key will need to be used to unlock the computer if it can't be connected to the network.

For more info, see [BitLocker: How to enable Network Unlock](network-unlock.md).

- name: Use BitLocker with other programs
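Review bot: "requirements for both client computers, Windows Deployment services, and domain controllers" uses "both" with a three-item list; drop "both", and capitalize "Windows Deployment Services" as the first paragraph of that answer does. In the sleep/hibernate answer, the closing sentence "Startup authentication can be configured by using a policy setting" is disconnected from the direct memory access point before it; say what startup authentication adds here (the PIN answer earlier in this file states that the PIN is required on resume from hibernation, which is the relevant link). The duplicated `answer: |` lines under Network Unlock indicate an indentation-only change.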
@ -397,7 +397,7 @@ sections:
Why is the system check failing when I'm encrypting my operating system drive?
answer: |
The system check is designed to ensure the computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:

- The computer's BIOS or UEFI firmware can't read USB flash drives
- The computer's BIOS, uEFI firmware, or boot menu doesn't have reading USB flash drives enabled
- There are multiple USB flash drives inserted into the computer
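Review bot: "uEFI firmware" in the second list item should be "UEFI firmware" to match the item above it and the opening sentence of the answer.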
@ -405,7 +405,7 @@ sections:
- The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment
- The startup key was removed before the computer finished rebooting
- The TPM has malfunctioned and fails to unseal the keys

- question: |
What can I do if the recovery key on my USB flash drive can't be read?
answer: |

@ -430,18 +430,18 @@ sections:
How do I "lock" a data drive?
answer: |
Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the -lock command.

> [!NOTE]
> Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.

The syntax of this command is:

```cmd
manage-bde.exe <driveletter> -lock
````

Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer.

- question: |
Can I use BitLocker with the Volume Shadow Copy Service?
answer: |
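Review bot: the fenced command `manage-bde.exe <driveletter> -lock` places the switch after the volume, whereas every other `manage-bde.exe` example in this file puts the command switch first (`-protectors -add e:`, `-protectors -delete %systemdrive%`); suggest `manage-bde.exe -lock <driveletter>` and verify it against the tool's reference syntax. The closing fence is four backticks while the opening fence is three; use three. In the prose, "the Manage-bde command-line tool and the -lock command" should format both as code, `manage-bde.exe` and `-lock`, as the other answers do.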
@ -453,9 +453,9 @@ sections:
BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
- With TPM: Yes, it's supported.
- Without TPM: Yes, it's supported (with password protector).

BitLocker is also supported on data volume VHDs, such as those used by clusters.

- question: |
Can I use BitLocker with virtual machines (VMs)?
answer: |

Before Width: | Height: | Size: 31 KiB After Width: | Height: | Size: 16 KiB |
@ -15,7 +15,7 @@ With this policy you can disable all notification for encryption, warning prompt
This policy takes effect only if [Require device encryption](../configure.md?tabs=os#require-device-encryption) policy is enabled.

> [!WARNING]
> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows.
> When you enable BitLocker on a device with non-Microsoft encryption, it may render the device unusable and will require reinstallation of Windows.

The expected values for this policy are:

@ -33,7 +33,7 @@ After you turn on this feature, your employees might experience reduced function

- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn't been excluded. In this situation, any fonts that aren't already available in the server's %windir%/Fonts folder won't be used.
- Printing using fonts provided by the installed printer's graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](/windows-hardware/drivers/print/introduction-to-printer-graphics-dlls).
- Using first or third-party apps that use memory-based fonts.
- Using first or non-Microsoft apps that use memory-based fonts.
- Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently.
- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office.
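Review bot: "Using first or non-Microsoft apps that use memory-based fonts" pairs "first" (short for first-party) with "non-Microsoft", which no longer reads as a pair after the substitution; suggest "Using Microsoft or non-Microsoft apps that use memory-based fonts". The two list items above it write the path as `%windir%/Fonts` with a forward slash; the Windows separator is a backslash, `%windir%\Fonts`.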
@ -28,7 +28,7 @@ Tunneling protocols:

## Universal Windows Platform VPN plug-in

Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.
Using the UWP platform, non-Microsoft VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.

There are many Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
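Review bot: "Using the UWP platform" expands to "Universal Windows Platform platform"; "Using UWP," is enough, and the heading directly above already spells the name out.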
@ -41,7 +41,7 @@ The following image shows connection options in a VPN Profile configuration poli
> [!div class="mx-imgBorder"]
> 

In Intune, you can also include custom XML for third-party plug-in profiles:
In Intune, you can also include custom XML for non-Microsoft plug-in profiles:

> [!div class="mx-imgBorder"]
> 

@ -9,7 +9,7 @@ ms.topic: concept-article

## Hyper-V based containers and VPN

Windows supports different kinds of Hyper-V based containers, like Microsoft Defender Application Guard and Windows Sandbox. When you use a third party VPN solution, the Hyper-V based containers may not be able to seamlessly connect to the internet, and configuration changes may be needed to resolve connectivity issues.
Windows supports different kinds of Hyper-V based containers, like Microsoft Defender Application Guard and Windows Sandbox. When you use a non-Microsoft VPN solution, the Hyper-V based containers may not be able to seamlessly connect to the internet, and configuration changes may be needed to resolve connectivity issues.

For example, read about the workaround for Cisco AnyConnect VPN: [Cisco AnyConnect Secure Mobility Client Administrator Guide: Connectivity issues with VM-based subsystems](https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#Cisco_Task_in_List_GUI.dita_3a9a8101-f034-4e9b-b24a-486ee47b5e9f).

@ -1,6 +1,6 @@
---
title: Manage Windows Firewall with the command line
description: Learn how to manage Windows Firewall from the command line. This guide provides examples how to manage Windows Firewall with PowerShell and Netsh.
description: Learn how to manage Windows Firewall from the command line. This guide provides examples how to manage Windows Firewall with PowerShell and Netsh.
ms.topic: how-to
ms.date: 11/21/2023
---
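Review bot: "This guide provides examples how to manage Windows Firewall" in the description is missing "of" ("provides examples of how to manage"). The two description lines show no visible difference, so the change is presumably trailing whitespace; confirm that was the intent.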
@ -61,7 +61,7 @@ Disabling Windows Firewall can also cause problems, including:
- Activation of Windows via phone fails
- Application or OS incompatibilities that depend on Windows Firewall

Microsoft recommends disabling Windows Firewall only when installing a third-party firewall, and resetting Windows Firewall back to defaults when the third-party software is disabled or removed.
Microsoft recommends disabling Windows Firewall only when installing a non-Microsoft firewall, and resetting Windows Firewall back to defaults when the non-Microsoft software is disabled or removed.
If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc).
Stopping the Windows Firewall service isn't supported by Microsoft.
Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall that need to be disabled for compatibility.

@ -44,7 +44,7 @@ When first installed, network applications and services issue a *listen call* sp
|
||||
In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. If not, the traffic continues to be blocked.
|
||||
|
||||
> [!NOTE]
|
||||
> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user.
|
||||
> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from non-Microsoft software should be determined by trusted app developers, the user, or the admin on behalf of the user.
### WDAC tagging policies
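Review bot: the edit inside the [!NOTE] is a term swap only and reads correctly; "non-Microsoft software" matches the wording adopted in the earlier hunk. One wording nit in the unchanged context just above it: "If not, the traffic continues to be blocked" leaves "not" without a clear referent; suggest "Until the rules are deleted, the traffic continues to be blocked."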
@ -52,7 +52,7 @@ Windows Firewall supports the use of Windows Defender Application Control (WDAC)
1. Deploy *WDAC AppId tagging policies*: a Windows Defender Application Control policy must be deployed, which specifies individual applications or groups of applications to apply a *PolicyAppId tag* to the process token(s). Then, the admin can define firewall rules that are scoped to all processes tagged with the matching *PolicyAppId*. For more information, see the [WDAC AppId tagging guide](../../../application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md) to create, deploy, and test an AppID policy to tag applications.
1. Configure firewall rules using *PolicyAppId tags* using one of the two methods:
- Using the [PolicyAppId node of the Firewall CSP](/windows/client-management/mdm/firewall-csp#mdmstorefirewallrulesfirewallrulenamepolicyappid) with an MDM solution like Microsoft Intune. If you use Microsoft Intune, you can deploy the rules from Microsoft Intune Admin center, under the path **Endpoint security** > **Firewall** > **Create policy** > **Windows 10, Windows 11, and Windows Server** > **Windows Firewall Rules**. When creating the rules, provide the *AppId tag* in the **Policy App ID** setting
- Using the [PolicyAppId node of the Firewall CSP](/windows/client-management/mdm/firewall-csp#mdmstorefirewallrulesfirewallrulenamepolicyappid) with an MDM solution like Microsoft Intune. If you use Microsoft Intune, you can deploy the rules from Microsoft Intune Admin center, under the path **Endpoint security** > **Firewall** > **Create policy** > **Windows 10, Windows 11, and Windows Server** > **Windows Firewall Rules**. When creating the rules, provide the *AppId tag* in the **Policy App ID** setting
- Create local firewall rules with PowerShell: use the [`New-NetFirewallRule`](/powershell/module/netsecurity/new-netfirewallrule) cmdlet and specify the `-PolicyAppId` parameter. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported
## Local policy merge and application rules
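Review bot: the removed and added lines in this hunk (the Intune bullet) read identically here, so this appears to be a whitespace-only or line-ending change; confirm that is intended rather than a lost edit. While this block is being touched, the PowerShell bullet's "You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported" is confusing, because "User Ids" is not a concept introduced anywhere in this section, which is about PolicyAppId tags; either explain what is meant or drop that sentence. Also, "Configure firewall rules using *PolicyAppId tags* using one of the two methods" repeats "using"; suggest "Configure firewall rules with *PolicyAppId tags* using one of two methods:".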
@ -611,9 +611,9 @@ Finally, resources can be protected by denying access to endpoints that are unab
Windows has an MDM client that ships as part of the operating system. This MDM client enables MDM servers to manage Windows-based devices without requiring a separate agent.
### Third-party MDM server support
### Non-Microsoft MDM server support
Third-party MDM servers can manage Windows by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
Non-Microsoft MDM servers can manage Windows by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
> [!NOTE]
> MDM servers do not need to create or download a client to manage Windows. For more information, see [Mobile device management](/windows/client-management/mdm/).
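Review bot: renaming the heading from "Third-party MDM server support" to "Non-Microsoft MDM server support" changes its auto-generated anchor, so any link targeting the old heading anchor in this file or elsewhere will break; search for and update such links (or add a redirect) before merging. Minor: the [!NOTE] below the heading uses "do not" while the rest of this change uses contractions ("don't", "isn't"); "don't" would match.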
@ -7,7 +7,7 @@ ms.topic: article
# Firewall and network protection
The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/index.md).
The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other non-Microsoft firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/index.md).
This section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
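Review bot: after the swap, "the status of Windows Defender Firewall and any other non-Microsoft firewalls" reads oddly, because "other" implies Windows Defender Firewall is itself non-Microsoft; suggest "the status of Windows Defender Firewall and of any non-Microsoft firewalls".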