mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 21:33:38 +00:00
Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into security-book-24
@ -6,6 +6,7 @@ ms.topic: overview
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2025</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
@ -6,6 +6,7 @@ ms.topic: concept-article
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2025</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
@ -230,27 +231,27 @@ The following table shows the Group Policy and registry settings that are used t
1. In the details pane, right-click <**gpo\_name**>, and > **Edit**
1. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps:
- Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**
- Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**
- Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**
- Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**
- Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**
- Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**
1. Ensure that the local account restrictions are applied to network interfaces by following these steps:
- Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry**
- Right-click **Registry**, and > **New** > **Registry Item**
- In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**
- Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE**
- Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
- In the **Value name** area, type `LocalAccountTokenFilterPolicy`
- In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value
- In the **Value data** box, ensure that the value is set to **0**
- Verify this configuration, and > **OK**
- Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry**
- Right-click **Registry**, and > **New** > **Registry Item**
- In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**
- Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE**
- Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
- In the **Value name** area, type `LocalAccountTokenFilterPolicy`
- In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value
- In the **Value data** box, ensure that the value is set to **0**
- Verify this configuration, and > **OK**
1. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
- Navigate to the `*Forest*\<Domains>\*Domain*\*OU*` path
- Right-click the **Workstations > Link an existing GPO**
- Select the GPO that you created, and > **OK**
- Navigate to the `*Forest*\<Domains>\*Domain*\*OU*` path
- Right-click the **Workstations > Link an existing GPO**
- Select the GPO that you created, and > **OK**
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
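Review bot: the nested bullets under "Ensure that UAC is enabled..." and "Ensure that the local account restrictions are applied to network interfaces" are rendered twice with no visible text difference, so this is an indentation-only change; please confirm in the rendered page that the sub-bullets now sit under their numbered step instead of breaking the numbered list. Two smaller points in the same hunk: the path `Computer Configuration\Preferences and Windows Settings` uses "and" where every other path on the page uses backslashes (`Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\`), so it reads as two sibling nodes rather than one path; and the step that sets `LocalAccountTokenFilterPolicy` to **0** would benefit from one sentence stating that 0 is the value that keeps the UAC token filter applied to local accounts over the network, so a reader checking an existing GPO knows which direction is the hardened one.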
@ -291,9 +292,9 @@ The following table shows the Group Policy settings that are used to deny networ
1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**
1. Link the GPO to the first **Workstations** OU as follows:
- Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path
- Right-click the **Workstations** OU, and > **Link an existing GPO**
- Select the GPO that you created, and > **OK**
- Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path
- Right-click the **Workstations** OU, and > **Link an existing GPO**
- Select the GPO that you created, and > **OK**
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
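Review bot: the GPMC navigation step here, "Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path", and the same step in the previous hunk, "Navigate to the `*Forest*\<Domains>\*Domain*\*OU*` path", describe one action with two different placeholder conventions; this hunk's form marks the forest, domain and OU as placeholders and leaves `Domains` as the literal node, which is the correct reading, so the earlier step should be aligned to it. Likewise "Right-click the **Workstations** OU, and > **Link an existing GPO**" here is clearer than "Right-click the **Workstations > Link an existing GPO**" in the previous hunk, where the bold span swallows the menu separator.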
@ -11,9 +11,7 @@ This article describes how to configure Credential Guard using Microsoft Intune,
## Default enablement
[!INCLUDE [windows-server-2025-preview](../../includes/windows-server-2025-preview.md)]
Starting in Windows 11, 22H2 and Windows Server 2025 (preview), Credential Guard is [enabled by default on devices which meet the requirements](index.md#default-enablement).
Starting in Windows 11, 22H2 and Windows Server 2025, Credential Guard is [enabled by default on devices which meet the requirements](index.md#default-enablement).
System administrators can explicitly [enable](#enable-credential-guard) or [disable](#disable-credential-guard) Credential Guard using one of the methods described in this article. Explicitly configured values overwrite the default enablement state after a reboot.
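Review bot: the rewritten sentence keeps "enabled by default on devices which meet the requirements"; the index.md hunk in this same commit phrases it as "devices that meet the requirements", so use "that" here as well for consistency across the Credential Guard pages.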
@ -11,13 +11,11 @@ Microsoft recommends that in addition to deploying Credential Guard, organizatio
## Upgrade considerations
[!INCLUDE [windows-server-2025-preview](../../includes/windows-server-2025-preview.md)]
As Credential Guard evolves and enhances its security features, newer versions of Windows running Credential Guard might affect previously functional scenarios. For instance, Credential Guard could restrict the use of certain credentials or components to thwart malware exploiting vulnerabilities.
It's advisable to thoroughly test operational scenarios within an organization before updating devices that utilize Credential Guard.
Upgrades to Windows 11, version 22H2, and Windows Server 2025 (preview) have Credential Guard [enabled by default](index.md#default-enablement) unless explicitly disabled.
Upgrades to Windows 11, version 22H2, and Windows Server 2025 have Credential Guard [enabled by default](index.md#default-enablement) unless explicitly disabled.
## Wi-fi and VPN considerations
@ -120,25 +118,23 @@ Credential Guard blocks certain authentication capabilities. Applications that r
This article describes known issues when Credential Guard is enabled.
### Live migration with Hyper-V breaks when upgrading to Windows Server 2025 (preview)
### Live migration with Hyper-V breaks when upgrading to Windows Server 2025
[!INCLUDE [windows-server-2025-preview](../../includes/windows-server-2025-preview.md)]
Devices that use CredSSP-based Delegation might no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services that rely on live migration (such as [SCVMM](/system-center/vmm/overview)) might also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
Devices that use CredSSP-based Delegation might no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025. Applications and services that rely on live migration (such as [SCVMM](/system-center/vmm/overview)) might also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
||Description|
|-|-|
| **Affected devices**|Any server with Credential Guard enabled might encounter this issue. Starting in Windows Server 2025 (preview), [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that aren't domain controllers. Default enablement of Credential Guard can be [preemptively blocked](configure.md#default-enablement) before upgrade.|
| **Affected devices**|Any server with Credential Guard enabled might encounter this issue. Starting in Windows Server 2025, [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that aren't domain controllers. Default enablement of Credential Guard can be [preemptively blocked](configure.md#default-enablement) before upgrade.|
| **Cause of the issue**|Live Migration with Hyper-V, and applications and services that rely on it, are affected by the issue if one or both ends of a given connection try to use CredSSP with Credential Guard enabled. With Credential Guard enabled, CredSSP can only utilize supplied credentials, not saved or SSO credentials. <br><br>If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration fails. In most cases, Credential Guard's enablement state on the destination machine won't impact Live Migration. Live Migration also fails in cluster scenarios (for example, SCVMM), since any device might act as a source machine.|
| **Resolution**|Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can [configure these types of delegation](/windows-server/virtualization/hyper-v/deploy/set-up-hosts-for-live-migration-without-failover-clustering#BKMK_Step1) manually or with the help of automated scripts.|
### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025 (preview)
### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025
Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually reauthenticate in every new Windows session when Credential Guard is running.
||Description|
|-|-|
| **Affected devices**|Any device with Credential Guard enabled might encounter the issue. Starting in Windows 11, version 22H2, and Windows Server 2025 (preview), eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, and some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).<br><br>All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), receive default enablement.|
| **Affected devices**|Any device with Credential Guard enabled might encounter the issue. Starting in Windows 11, version 22H2, and Windows Server 2025, eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, and some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).<br><br>All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), receive default enablement.|
| **Cause of the issue**|Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include:<br><br>- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)<br>- Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)<br>- MS-CHAP (only SSO is blocked)<br>- WDigest (only SSO is blocked)<br>- NTLM v1 (only SSO is blocked) <br><br>**Note**: Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.|
| **Resolution**|Microsoft recommends moving away from MSCHAPv2-based connections (for example, PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (for example, PEAP-TLS or EAP-TLS). Credential Guard doesn't block certificate-based authentication.<br><br>For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.|
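Review bot: the first table's **Affected devices** cell says Credential Guard is enabled by default "on all domain-joined servers that aren't domain controllers", with no hardware or licensing qualifier, while the index.md hunk in this commit states that Windows Server 2025 devices get default enablement only "if they meet the license requirements and the hardware and software requirements", and the second table on this page links the minimum hardware requirements. Add the same qualifier (and link) to this row so readers don't expect Credential Guard on servers that don't qualify. The **Cause of the issue** cell is the key operational fact for Hyper-V admins ("CredSSP can only utilize supplied credentials, not saved or SSO credentials" once Credential Guard is on) and would be worth surfacing in the heading or first paragraph rather than only inside the table.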
@ -148,7 +144,7 @@ Devices that use 802.1x wireless or wired network, RDP, or VPN connections that
> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
> [!NOTE]
> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025 (preview)**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
> If it's present, the device enables Credential Guard after the update.
>
> Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
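Review bot: the note says "check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`"; something that is "present in" a key path is a registry value, not a key, so "registry value" is the accurate term and avoids sending readers looking for a subkey that won't exist. The surrounding sentences already give the decision rule (present = Credential Guard enables after the update; explicitly disabled = stays disabled), so the rest of the block reads correctly.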
@ -22,16 +22,14 @@ When enabled, Credential Guard provides the following benefits:
## Default enablement
[!INCLUDE [windows-server-2025-preview](../../includes/windows-server-2025-preview.md)]
Starting in **Windows 11, 22H2** and **Windows Server 2025 (preview)**, VBS and Credential Guard are enabled by default on devices that meet the requirements.
Starting in **Windows 11, 22H2** and **Windows Server 2025**, VBS and Credential Guard are enabled by default on devices that meet the requirements.
The default enablement is **without UEFI Lock**, thus allowing administrators to disable Credential Guard remotely if needed.
When Credential Guard is enabled, [VBS](#system-requirements) is automatically enabled too.
> [!NOTE]
> If Credential Guard is explicitly [disabled](configure.md#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 (preview) or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.
> If Credential Guard is explicitly [disabled](configure.md#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.
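Review bot: "VBS and Credential Guard are enabled by default on devices that meet the requirements" is followed two lines later by "When Credential Guard is enabled, VBS is automatically enabled too", which states the same dependency twice; keeping the second sentence (it explains the mechanism) and dropping "VBS and" from the first would read cleaner. The sentence "The default enablement is **without UEFI Lock**, thus allowing administrators to disable Credential Guard remotely if needed" is the important operational detail in this hunk and could link to the configure page's disablement section that the note below already references.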
### Default enablement on Windows
@ -48,7 +46,7 @@ Devices running Windows 11, 22H2 or later have Credential Guard enabled by defau
### Default enablement on Windows Server
Devices running Windows Server 2025 (preview) or later have Credential Guard enabled by default if they:
Devices running Windows Server 2025 or later have Credential Guard enabled by default if they:
- Meet the [license requirements](#windows-edition-and-licensing-requirements)
- Meet the [hardware and software requirements](#system-requirements)
@ -41,13 +41,13 @@ If you haven't deployed Microsoft Entra Kerberos, follow the instructions in the
When Microsoft Entra Kerberos is enabled in an Active Directory domain, an *AzureADKerberos* computer object is created in the domain. This object:
- Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers
- Appears as a read only domain controller (RODC) object, but isn't associated with any physical servers
- Is only used by Microsoft Entra ID to generate TGTs for the Active Directory domain
> [!NOTE]
> Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of priviliged built-in security groups won't be able to use cloud Kerberos trust.
:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Screenshot of the Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server.":::
:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Screenshot of the Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server." lightbox="images/azuread-kerberos-object.png":::
For more information about how Microsoft Entra Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](../how-it-works-authentication.md#microsoft-entra-hybrid-join-authentication-using-cloud-kerberos-trust).
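Review bot: the NOTE line in this hunk carries a typo in context that should be fixed while the file is open: "priviliged built-in security groups" should be "privileged built-in security groups". The bullet rewrite lowercases "Read Only Domain Controller" to "read only domain controller"; since the abbreviation RODC is a compound modifier, "read-only domain controller (RODC)" is the usual form. The `lightbox` attribute added to the `:::image:::` line is fine and the alt text is unchanged.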
@ -1,5 +1,5 @@
---
ms.date: 12/08/2022
ms.date: 10/30/2024
ms.topic: include
---
@ -1,5 +1,5 @@
---
ms.date: 12/08/2022
ms.date: 10/30/2024
ms.topic: include
---
@ -1,7 +1,7 @@
---
title: Plan a Windows Hello for Business Deployment
description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
ms.date: 05/16/2024
ms.date: 10/30/2024
ms.topic: concept-article
---
@ -65,7 +65,7 @@ Windows Hello for Business authentication to Microsoft Entra ID always uses the
The trust type determines whether you issue authentication certificates to your users. One trust model isn't more secure than the other.
The deployment of certificates to users and Domain Controllers requires more configuration and infrastructure, which could also be a factor to consider in your decision. More infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you must activate the Device Writeback option in Microsoft Entra Connect.
The deployment of certificates to users and domain controllers requires more configuration and infrastructure, which could also be a factor to consider in your decision. More infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you must activate the Device Writeback option in Microsoft Entra Connect.
There are three trust types from which you can choose:
@ -264,12 +264,12 @@ All supported Windows versions can be used with Windows Hello for Business. Howe
### Windows Server requirements
All supported Windows Server versions can be used with Windows Hello for Business as Domain Controller. However, cloud Kerberos trust requires minimum versions:
Windows Hello for Business can be used to authenticate against all supported Windows Server versions as a domain controller. However, cloud Kerberos trust requires minimum versions:
| | Deployment model | Trust type | Domain Controller OS version |
| | Deployment model | Trust type | Domain controller OS version |
|--|--|--|--|
| **🔲** | **Cloud-only** | n/a | All supported versions |
| **🔲** | **Hybrid** | Cloud Kerberos | - Windows Server 2016, with [KB3534307][KB-3] and later<br>- Windows Server 2019, with [KB4534321][KB-4] and later<br>- Windows Server 2022 |
| **🔲** | **Hybrid** | Cloud Kerberos | - Windows Server 2016, with [KB3534307][KB-3] and later<br>- Windows Server 2019, with [KB4534321][KB-4] and later<br>- Windows Server 2022<br>- Windows Server 2025|
| **🔲** | **Hybrid** | Key | All supported versions |
| **🔲** | **Hybrid** | Certificate | All supported versions |
| **🔲** | **On-premises** | Key | All supported versions |
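Review bot: the rewritten intro sentence, "Windows Hello for Business can be used to authenticate against all supported Windows Server versions as a domain controller", reads as if Windows Hello were the domain controller; "against domain controllers running any supported Windows Server version" says what is meant. In the updated Cloud Kerberos row, the new cell ends `- Windows Server 2025|` with no space before the pipe, unlike every other cell in the table; add the space so the row matches. The row lists Windows Server 2016 and 2019 with KB prerequisites and 2022/2025 without; a short "no update required" marker on the latter two would make that contrast explicit.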
@ -2,7 +2,7 @@
title: Passwordless strategy overview
description: Learn about the passwordless strategy and how Windows security features help implementing it.
ms.topic: concept-article
ms.date: 01/29/2024
ms.date: 10/29/2024
---
# Passwordless strategy overview
@ -2,7 +2,7 @@
title: Deploy a passwordless replacement option
description: Learn about how to deploy a passwordless replacement option, the first step of the Microsoft passwordless journey.
ms.topic: concept-article
ms.date: 01/29/2024
ms.date: 10/29/2024
---
# Deploy a passwordless replacement option
@ -2,7 +2,7 @@
title: Reduce the user-visible password surface area
description: Learn about how to reduce the user-visible password surface area, the second step of the Microsoft passwordless journey.
ms.topic: concept-article
ms.date: 01/29/2024
ms.date: 10/29/2024
---
# Reduce the user-visible password surface area
@ -2,7 +2,7 @@
title: Transition into a passwordless deployment
description: Learn about how to transition into a passwordless deployment, the third step of the Microsoft passwordless journey.
ms.topic: concept-article
ms.date: 01/29/2024
ms.date: 10/29/2024
---
# Transition into a passwordless deployment
@ -6,6 +6,7 @@ ms.date: 03/12/2024
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2025</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
@ -2,7 +2,7 @@
title: Smart Card and Remote Desktop Services
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
ms.topic: concept-article
ms.date: 01/16/2024
ms.date: 10/29/2024
---
# Smart Card and Remote Desktop Services
@ -1,8 +1,8 @@
---
title: Smart Card Architecture
title: Smart Card Architecture
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.topic: reference-architecture
ms.date: 01/16/2024
ms.date: 10/29/2024
---
# Smart Card Architecture
@ -1,8 +1,8 @@
---
title: Certificate propagation service
title: Certificate propagation service
description: Learn about the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.topic: concept-article
ms.date: 01/16/2024
ms.date: 10/29/2024
---
# Certificate propagation service
@ -19,7 +19,7 @@ The following figure shows the flow of the certificate propagation service. The
1. The arrow labeled **2** indicates the certification to the reader
1. The arrow labeled **3** indicates the access to the certificate store during the client session


1. A signed-in user inserts a smart card
1. CertPropSvc is notified that a smart card was inserted
@ -1,8 +1,8 @@
---
title: Certificate Requirements and Enumeration
title: Certificate Requirements and Enumeration
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.topic: concept-article
ms.date: 01/16/2024
ms.date: 10/29/2024
---
# Certificate Requirements and Enumeration
@ -71,7 +71,8 @@ Following are the steps that are performed during a smart card sign-in:
1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser
1. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB_AS_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)).
If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.\
If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.
If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key.
1. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP).
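Review bot: the context step "LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB_AS_REQ), which containing a preauthenticator" has a grammar error ("which contains a preauthenticator") that should be fixed alongside the trailing-backslash removal this hunk makes. The two preauthentication sentences also deserve a second look while the file is open: "the certificate that is encrypted with the corresponding private key" describes an operation that does not exist (private keys sign or decrypt, they do not encrypt), and for the signature case the sentence says the certificate itself is what gets signed, whereas the next step says the private-key operation signs the request "as per RFC 4556". Stating that the preauthentication data carries the user's certificate plus a signature computed over the request with the card's private key would match the following step and the RFC the line already cites.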
@ -1,8 +1,8 @@
---
title: Smart Card Troubleshooting
title: Smart Card Troubleshooting
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
ms.topic: troubleshooting
ms.date: 01/16/2024
ms.date: 10/29/2024
---
# Smart Card Troubleshooting
@ -1,8 +1,8 @@
---
title: Smart card events
title: Smart card events
description: Learn about smart card deployment and development events.
ms.topic: troubleshooting
ms.date: 01/16/2024
ms.date: 10/29/2024
---
# Smart card events
@ -1,8 +1,8 @@
---
title: Smart Card Group Policy and Registry Settings
title: Smart Card Group Policy and Registry Settings
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.topic: reference
ms.date: 01/16/2024
ms.date: 10/29/2024
---
# Smart Card Group Policy and Registry Settings
@ -194,7 +194,7 @@ You can use this policy setting to configure which valid sign-in certificates ar
> [!NOTE]
> During the certificate renewal period, a user's smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
>
> If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same.
> If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same.
When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates.
@ -2,7 +2,7 @@
title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
ms.topic: overview
ms.date: 01/16/2024
ms.date: 10/29/2024
---
# How Smart Card Sign-in Works in Windows
@ -1,8 +1,8 @@
---
title: Smart Card Removal Policy Service
title: Smart Card Removal Policy Service
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.topic: concept-article
ms.date: 01/16/2024
ms.date: 10/29/2024
---
# Smart Card Removal Policy Service
@ -1,8 +1,8 @@
---
title: Smart Cards for Windows Service
title: Smart Cards for Windows Service
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.topic: concept-article
ms.date: 01/16/2024
ms.date: 10/29/2024
---
# Smart Cards for Windows Service
@ -1,8 +1,8 @@
---
title: Smart Card Tools and Settings
title: Smart Card Tools and Settings
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.topic: get-started
ms.date: 01/16/2024
ms.date: 10/29/2024
---
# Smart Card Tools and Settings
@ -1,8 +1,8 @@
---
title: Smart Card Technical Reference
title: Smart Card Technical Reference
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.topic: overview
ms.date: 01/16/2024
ms.date: 10/29/2024
---
# Smart Card Technical Reference