merging master and resolving merge conflicts

Brian Lich
2016-05-12 09:58:13 -07:00
8 changed files with 90 additions and 36 deletions

@ -15,6 +15,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
|New or changed topic | Description |
|----------------------|-------------|
| [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. |
| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview |
## April 2016
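Review bot: The `## April 2016` heading follows the last table row with no blank line between them; add one so the heading is not parsed as part of the table. The User Account Control row's description also lacks the closing period that the Microsoft Passport row has.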

@ -20,17 +20,13 @@ The following image shows an example of an error during **Create a work PIN**.
## Error mitigations
When a user encounters an error when creating the work PIN, advise the user to try the following steps. Many errors can be mitigated by one of these steps.
1. Try to create the PIN again. Some errors are transient and resolve themselves.
2. Log out, log in, and try to create the PIN again.
2. Sign out, sign in, and try to create the PIN again.
3. Reboot the device and then try to create the PIN again.
4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to **Settings** > **System** > **About** and select **Disconnect from organization**. To unjoin a device running Windows 10 Mobile, you must [reset the device](http://go.microsoft.com/fwlink/p/?LinkId=715697).
5. On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](http://go.microsoft.com/fwlink/p/?LinkId=715697).
If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Hex</th>
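Review bot: Step 5 uses "setup" as a verb ("if you are unable to setup a PIN"); it should read "set up". Steps 4 and 5 also point at the same link (LinkId=715697) under two different link texts, "reset the device" and "Reset my phone", so settle on one wording. The paragraph beginning "If the error occurs again" follows step 5 with no blank line and can render as a continuation of that list item; separate it.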
@ -39,20 +35,13 @@ If the error occurs again, check the error code against the following table to s
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">0x801C03ED</td>
<td align="left"><p>Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed</p>
<p>-or-</p>
<p>Token was not found in the Authorization header</p>
<p>-or-</p>
<p>Failed to read one or more objects</p></td>
<td align="left">Unjoin the device from Azure Active Directory (Azure AD) and rejoin</td>
</tr>
<tr class="even">
<td align="left">0x801C044D</td>
<td align="left">Authorization token does not contain device ID</td>
<td align="left">Unjoin the device from Azure AD and rejoin</td>
</tr>
<tr class="odd">
<td align="left">0x80090036</td>
<td align="left">User cancelled an interactive dialog</td>
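Review bot: 0x801C044D appears in this hunk with the cause "Authorization token does not contain device ID" and the mitigation "Unjoin the device from Azure AD and rejoin", and again further down the same table with the cause "Unable to obtain user token" and a different mitigation. If both rows remain after this change, merge them into a single row with "-or-" causes, as was done for 0x801C03ED, so that an administrator looking up the code finds one entry with one consistent set of steps.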
@ -77,6 +66,10 @@ If the error occurs again, check the error code against the following table to s
<td align="left">0x80090005</td>
<td align="left">NTE_BAD_DATA</td>
<td align="left">Unjoin the device from Azure AD and rejoin</td>
</tr><tr class="even">
<td align="left">0x80090029</td>
<td align="left">TPM is not set up.</td>
<td align="left">Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. </td>
</tr>
<tr class="even">
<td align="left">0x80090031</td>
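Review bot: The new 0x80090029 row uses Markdown bold (`**Start**`, `**Actions**`, `**Prepare the TPM**`) inside an HTML `<td>`, where it will most likely render as literal asterisks; use `<strong>` in this table. The row is also opened on the same line as the previous row's close (`</tr><tr class="even">`) and is immediately followed by another `class="even"` row, so put the opening tag on its own line and fix the odd/even alternation. The cell has a trailing space before `</td>`.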
@ -106,17 +99,17 @@ If the error occurs again, check the error code against the following table to s
<tr class="odd">
<td align="left">0x801C0010</td>
<td align="left">The AIK certificate is not valid or trusted</td>
<td align="left">Log out and then log in again.</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="even">
<td align="left">0x801C0011</td>
<td align="left">The attestation statement of the transport key is invalid</td>
<td align="left">Log out and then log in again.</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="odd">
<td align="left">0x801C0012</td>
<td align="left">Discovery request is not in a valid format</td>
<td align="left">Log out and then log in again.</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="even">
<td align="left">0x801C0015</td>
@ -141,7 +134,7 @@ If the error occurs again, check the error code against the following table to s
<tr class="even">
<td align="left">0x801C03E9</td>
<td align="left">Server response message is invalid</td>
<td align="left">Log out and then log in again.</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="odd">
<td align="left">0x801C03EA</td>
@ -151,37 +144,42 @@ If the error occurs again, check the error code against the following table to s
<tr class="even">
<td align="left">0x801C03EB</td>
<td align="left">Server response http status is not valid</td>
<td align="left">Log out and then log in again.</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="odd">
<td align="left">0x801C03EC</td>
<td align="left">Unhandled exception from server.</td>
<td align="left">Log out and then log in again.</td>
<td align="left">sign out and then sign in again.</td>
</tr>
<tr class="even">
<td align="left">0x801C03ED</td>
<td align="left">The request sent to the server was invalid.</td>
<td align="left">Log out and then log in again.</td>
<td align="left"><p>Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed</p>
<p>-or-</p>
<p>Token was not found in the Authorization header</p>
<p>-or-</p>
<p>Failed to read one or more objects</p>
<p>-or-</p><p>The request sent to the server was invalid.</p></td>
<td align="left">Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.</td>
</tr>
<tr class="odd">
<td align="left">0x801C03EE</td>
<td align="left">Attestation failed</td>
<td align="left">Log out and then log in again.</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="even">
<td align="left">0x801C03EF</td>
<td align="left">The AIK certificate is no longer valid</td>
<td align="left">Log out and then log in again.</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="odd">
<td align="left">0x801C044D</td>
<td align="left">Unable to obtain user token</td>
<td align="left">Log out and then log in again. Check network and credentials.</td>
<td align="left">Sign out and then sign in again. Check network and credentials.</td>
</tr>
<tr class="even">
<td align="left">0x801C044E</td>
<td align="left">Failed to receive user creds input</td>
<td align="left">Log out and then log in again.</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
</tbody>
</table>
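Review bot: The 0x801C03EC row's new mitigation starts in lower case ("sign out and then sign in again.") while every other row in this hunk uses "Sign out"; capitalize it. In the merged 0x801C03ED cell the last alternative is run together on one line (`<p>-or-</p><p>The request sent to the server was invalid.</p></td>`); break it across lines like the three causes above it. The 0x801C044D row here still reads "Unable to obtain user token", which should be reconciled with the other 0x801C044D cause listed earlier in the table.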
@ -191,6 +189,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
| Hex | Cause |
|-------------|-------------------------------------------------------------------------------------------------------|
| 0x80072f0c | Unknown |
| 0x80070057 | Invalid parameter or argument is passed |
| 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. |
| 0x8009002D | NTE\_INTERNAL\_ERROR |
| 0x80090020 | NTE\_FAIL |
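Review bot: The added 0x80070057 row is placed after 0x80072f0c, which breaks numeric order, and 0x80072f0c is the only code in the table written with lower-case hex digits. Move the new row to the top of the table and write the code as 0x80072F0C so that a text search in one casing finds every entry. The new cause also reads more naturally as "Invalid parameter or argument was passed".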

@ -5,6 +5,7 @@ ms.assetid: 11EA7826-DA6B-4E5C-99FB-142CC6BD9E84
ms.pagetype: security
keywords: ["security", "credential", "password", "authentication"]
ms.prod: W10
ms.pagetype: security
ms.mktglfcycl: plan
ms.sitesec: library
author: challum
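Review bot: `ms.pagetype: security` now appears twice in the metadata block, once directly above `keywords` and once directly below `ms.prod: W10`. Duplicate keys in front matter are at best redundant and some parsers reject them; keep a single occurrence.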
@ -226,7 +227,8 @@ Table 1. Deployment requirements for Microsoft Passport
</tbody>
</table>
 
Note that the current release of Windows 10 supports the Azure ADonly scenarios. Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities.
Note that the current release of Windows 10 supports the Azure ADonly (RTM) and hybrid scenarios (RTM + November Update). Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities.
**Select policy settings**
Another key aspect of Microsoft Passport for Work deployment involves the choice of which policy settings to apply to the enterprise. There are two parts to this choice: which policies you deploy to manage Microsoft Passport itself and which policies you deploy to control device management and registration. A complete guide to selecting effective policies is beyond the scope of this guide, but one example reference that may be useful is [Mobile device management capabilities in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733877).
## Implement Microsoft Passport
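Review bot: The sentence about the current release reads "Azure ADonly" with the separator missing; it should be "Azure AD-only". In the updated wording the parentheticals are attached inconsistently ("Azure ADonly (RTM) and hybrid scenarios (RTM + November Update)"), and "the current release" is ambiguous now that two releases are named; state which release supports which scenario, for example AD-only in the initial release and hybrid from the November Update. The `**Select policy settings**` line also needs a blank line before it to render as its own paragraph.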
@ -255,12 +257,30 @@ In the Windows 10 initial release, Microsoft supports the following Microsoft P
- Facial-recognition capability on devices that have compatible IR-capable cameras
- Microsoft Passport for personal credentials on individually owned and corporate-managed devices
- Microsoft Passport for Work support for organizations that have cloud-only Azure AD deployments
<<<<<<< HEAD
- Group Policy settings to control Microsoft Passport PIN length and complexity
In future releases of Windows 10, we plan to add support for additional features:
- Additional biometric identifier types, including iris recognition
- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments
- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates
- TPM attestation to protect keys so that a malicious user or program cant create keys in software (because those keys wont be TPM attested and can thus be identified as fake)
=======
- Group Policy and MDM settings to control Microsoft Passport PIN length and complexity
In the November 2015 release, Microsoft supports the following Microsoft Passport and Windows Hello features:
- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments
- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates
In future releases of Windows 10, we plan to add support for additional features:
- Key-based and certificate-based Microsoft Passport for Work credentials for on-premises AD deployments
- TPM attestation to protect keys so that a malicious user or program cant create keys in software (because those keys wont be TPM attested and can thus be identified as fake)
>>>>>>> master
In the longer term, Microsoft will continue to improve on and expand the features of both Microsoft Passport and Windows Hello to cover additional customer requirements for manageability and security. We also are working with the FIDO Alliance and a variety of third parties to encourage adoption of Microsoft Passport by both web and LOB application developers.
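Review bot: Unresolved conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> master`) are committed into the feature list, so the published page will show both sides of the conflict. The two sides contradict each other: the HEAD side lists key-based hybrid credentials and PKI-issued certificates as future work, while the master side lists them as supported in the November 2015 release. Keep the master side, delete the HEAD block and all three marker lines, and restore the apostrophes in "cant" and "wont" in the TPM attestation bullet. A pre-merge check that rejects files containing lines starting with `<<<<<<<` or `>>>>>>>` would catch this.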