deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 23:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #575 from MicrosoftDocs/FromPrivateRepo

Browse Source 
From private repo
This commit is contained in:
Alma Jenks 2018-03-20 13:54:40 -07:00 committed by GitHub
commit 13bdfdcc83
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 531 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
store-for-business/distribute-apps-from-your-private-store.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.localizationpriority: high
ms.date: 10/17/2017
ms.date: 3/19/2018
---
# Distribute apps using your private store
@ -47,6 +47,9 @@ Microsoft Store adds the app to **Apps & software**. Click **Manage**, **Apps &
The value under **Private store** for the app will change to pending. It will take approximately thirty-six hours before the app is available in the private store.
>[!Note]
> If you are working with a new Line-of-Business (LOB) app, you have to wait for the app to be avilable in **Products & services** before adding it to your private store. For more information, see [Working with line of business apps](working-with-line-of-business-apps.md).
Employees can claim apps that admins added to the private store by doing the following.
**To claim an app from the private store**
@ -57,6 +60,7 @@ Employees can claim apps that admins added to the private store by doing the fol
## Related topics
- [Manage access to private store](manage-access-to-private-store.md)
- [Manage private store settings](manage-private-store-settings.md)
- [Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-microsoft-store)
 

BIN
store-for-business/images/lob-workflow.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

7
store-for-business/working-with-line-of-business-apps.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.localizationpriority: high
ms.date: 10/17/2017
ms.date: 3/19/2018
---
# Working with line-of-business apps
@ -38,8 +38,10 @@ You'll need to set up:
- LOB publishers need to have an active developer account. To learn more about account options, see [Ready to sign up](https://go.microsoft.com/fwlink/p/?LinkId=623432).
- LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
## <a href="" id="add-lob-publisher"></a>Add an LOB publisher (Admin)
The process and timing look like this:
![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer](images/lob-workflow.png)
## <a href="" id="add-lob-publisher"></a>Add an LOB publisher (Admin)
Admins need to invite developer or ISVs to become an LOB publisher.
**To invite a developer to become an LOB publisher**
@ -47,6 +49,7 @@ Admins need to invite developer or ISVs to become an LOB publisher.
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com).
2. Click **Manage**, click **Permissions**, and then choose **Line-of-business publishers**.
3. On the Line-of business publishers page, click **Invite** to send an email invitation to a developer.
>[!Note]
> This needs to be the email address listed in contact info for the developer account.

9
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1658,6 +1658,15 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Connectivity/AllowPhonePCLinking</li>
<li>RestrictedGroups/ConfigureGroupMembership</li>
</ul>
<p>The following existing policies were updated:</p>
<ul>
<li>InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML</li>
<li>TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.</li>
</ul>
</td></tr>
<tr>
<td style="vertical-align:top">[Policy CSP - Bluetooth](policy-csp-bluetooth.md)</td>
<td style="vertical-align:top"><p>Added new section [ServicesAllowedList usage guide](policy-csp-bluetooth.md#servicesallowedlist-usage-guide).</p>
</td></tr>
</tbody>
</table>

91
windows/client-management/mdm/policy-csp-bluetooth.md
View File

@ -282,7 +282,7 @@ If this policy is not set or it is deleted, the default local radio name is used
<!--Description-->
Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
The default value is an empty string.
The default value is an empty string. For more information, see [ServicesAllowedList usage guide](#servicesallowedlist-usage-guide)
<!--/Description-->
<!--/Policy-->
@ -297,6 +297,95 @@ Footnote:
<!--/Policies-->
## ServicesAllowedList usage guide
When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly define Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG).
To define which profiles and services are allowed, enter the profile or service Universally Unique Identifiers (UUID) using semicolon delimiter. To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website.
These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID.
Here are some examples:
**Bluetooth Headsets for Voice (HFP)**
BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB
|UUID name |Protocol specification |UUID |
|---------|---------|---------|
|HFP(Hands Free Profile) |Hands-Free Profile (HFP) * |0x111E |
Footnote: * Used as both Service Class Identifier and Profile Identifier.
Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000111E-0000-1000-8000-00805F9B34FB
**Allow Audio Headsets only (Voice)**
|Profile |Reasoning |UUID |
|---------|---------|---------|
|HFP (Hands Free Profile) |For voice enabled headsets |0x111E |
|GAP (Generic Access Profile)* |Generic service used by Bluetooth |0x1800 |
|DID (Device ID)* |Generic service used by Bluetooth |0x180A |
|Scan Parameters* |Generic service used by Bluetooth |0x1813 |
Footnote: * *GAP, DID, and Scan Parameter are required, as these are underlying profiles and services used by all Bluetooth devices.
This means that if you only want Bluetooth headsets, the UUIDs are:
{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
**Allow Audio Headsets and Speakers (Voice & Music)**
|Profile |Reasoning |UUID |
|---------|---------|---------|
|HFP (Hands Free Profile) |For voice enabled headsets |0x111E |
|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers |0x110A |
|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 |
|Device ID (DID) |Generic service used by Bluetooth |0x180A |
|Scan Parameters |Generic service used by Bluetooth |0x1813 |
{0000111E-0000-1000-8000-00805F9B34FB};{0000110A-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
**Classic Keyboards and Mice**
|Profile |Reasoning |UUID |
|---------|---------|---------|
|HID (Human Interface Device) |For classic BR/EDR keyboards and mice |0x1124 |
|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 |
|DID (Device ID) |Generic service used by Bluetooth |0x180A |
|Scan Parameters |Generic service used by Bluetooth |0x1813 |
{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
> [!Note]
> For both Classic and LE use a super set of the two formulas UUIDs
**LE Keyboards and Mice**
|Profile |Reasoning |UUID |
|---------|---------|---------|
|Generic Access Atribute |For the LE Protocol |0x1801 |
|HID Over GATT * |For LE keyboards and mice |0x1812 |
|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 |
|DID (Device ID) |Generic service used by Bluetooth |0x180A |
|Scan Parameters |Generic service used by Bluetooth |0x1813 |
Footnote: * The Surface pen uses the HID over GATT profile
{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
**Allow File Transfer**
|Profile |Reasoning |UUID |
|---------|---------|---------|
|OBEX Object Push (OPP) |For file transfer |0x1105 |
|Object Exchange (OBEX) |Protocol for file transfer |0x0008 |
|Generic Access Profile (GAP) |Generic service used by Bluetooth |0x1800 |
|Device ID (DID) |Generic service used by Bluetooth |0x180A |
|Scan Parameters |Generic service used by Bluetooth |0x1813 |
{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Bluetooth policies supported by Windows Holographic for Business

30
windows/client-management/mdm/policy-csp-internetexplorer.md
View File

@ -2129,6 +2129,11 @@ Value - A number indicating the zone with which this site should be associated f
If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
> [!Note]
> This policy is a list that contains the site and index value.
The list is a set of pairs of strings. Each string is seperated by F000. Each pair of string are stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@ -2145,6 +2150,31 @@ ADMX Info:
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--Example-->
```syntax
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList</LocURI>
</Target>
<Data>&lt;Enabled/&gt;&lt;Data id=&quot;IZ_ZonemapPrompt&quot; value=&quot;http://adfs.contoso.org&#xF000;1&#xF000;http://microsoft.com&#xF000;2&quot;/&gt;</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
```
Value and index pairs in the SyncML example:
- http://adfs.contoso.org 1
- http://microsoft.com 2
<!--/Example-->
<!--/Policy-->
<hr/>

72
windows/client-management/mdm/policy-csp-textinput.md
View File

@ -54,6 +54,9 @@ ms.date: 03/12/2018
<dd>
<a href="#textinput-allowlanguagefeaturesuninstall">TextInput/AllowLanguageFeaturesUninstall</a>
</dd>
<dd>
<a href="#textinput-allowlinguisticdatacollection">TextInput/AllowLinguisticDataCollection</a>
</dd>
<dd>
<a href="#textinput-enabletouchkeyboardautoinvokeindesktopmode">TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode</a>
</dd>
@ -218,7 +221,7 @@ The following list shows the supported values:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -237,20 +240,18 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary.
Most restricted value is 0.
In Windows 10, version 1803, we introduced new suggestion services in Japanese IME in addition to cloud suggestion. When AllowIMENetworkAccess is set to 1, all suggestion services are available as predictive input.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
- 1 (default) Allowed. In Windows 10, version 1803, suggestion services are also available in Japanese IME.
<!--/SupportedValues-->
<!--/Policy-->
@ -676,6 +677,65 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="textinput-allowlinguisticdatacollection"></a>**TextInput/AllowLinguisticDataCollection**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP name: *AllowLinguisticDataCollection*
- GP ADMX file name: *TextInput.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
This setting supports a range of values between 0 and 1.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="textinput-enabletouchkeyboardautoinvokeindesktopmode"></a>**TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode**

4
windows/deployment/update/device-health-get-started.md
View File

@ -5,7 +5,7 @@ keywords: Device Health, oms, operations management suite, prerequisites, requir
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.date: 03/15/2018
ms.date: 03/20/2018
ms.pagetype: deploy
author: jaimeo
---
@ -72,7 +72,7 @@ Once you've added Update Compliance to Microsoft Operations Management Suite, yo
## Use Device Health to monitor frequency and causes of device crashes
Once your devices are enrolled, you can move on to [Use Device Health](device-health-using.md).
Once your devices are enrolled, you can move on to [Using Device Health](device-health-using.md).
## Related topics

BIN
windows/deployment/update/images/WA-data-flow-v1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

20
windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 03/16/2018
ms.date: 03/20/2018
---
# Frequently asked questions and troubleshooting Windows Analytics
@ -25,7 +25,7 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
[Upgrade Readiness reports outdated updates](#upgrade-readiness-reports-outdated-updates)
[Upgrade Readiness reports incomplete inventory](#upgrade-readiness-reports-incomplete-inventory)
[Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb)
[Upgrade Readiness doesn't show app inventory data on some devices](#upgrade-readiness-doesnt-show-app-inventory-data-on-some-devices)
@ -176,9 +176,23 @@ Windows Analytics is fully committed to privacy, centering on these tenets:
- **Security:** Your data is protected with strong security and encryption
- **Trust:** Windows Analytics supports the Microsoft Online Service Terms
The following illustration shows how diagnostic data flows from individual devices through the Diagnostic Data Service, Azure Log Analytics storage, and to your Log Analytics workspace:
[![Diagram illustrating flow of diagnostic data from devices](images/WA-data-flow-v1.png)](images/WA-data-flow-v1.png)
The data flow sequence is as follows:
1. Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US.
2. An IT administrator creates an Azure Log Analytics workspace. The administrator chooses the location, copies the Commercial ID (which identifies that workspace), and then pushes Commercial ID to devices they want to monitor. This is the mechanism that specifies which devices appear in which workspaces.
3. Each day Microsoft produces a "snapshot" of IT-focused insights for each workspace in the Diagnostic Data Management service.
4. These snapshots are copied to transient storage which is used only by Windows Analytics (also hosted in US data centers) where they are segregated by Commercial ID.
5. The snapshots are then copied to the appropriate Azure Log Analytics workspace.
6. If the IT administrator is using the Upgrade Readiness solution, user input from the IT administrator (specifically, the target operating system release and the importance and upgrade readiness per app) is stored in the Windows Analytics Azure Storage. (Upgrade Readiness is the only Windows Analytics solution that takes such user input.)
See these topics for additional background information about related privacy issues:
- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windowsconfiguration/configure-windows-diagnostic-data-in-your-organization)
- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) (link downloads a PDF file)
- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields)

6
windows/deployment/upgrade/upgrade-readiness-get-started.md
View File

@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.date: 03/18/2018
ms.date: 03/20/2018
---
# Get started with Upgrade Readiness
@ -30,7 +30,7 @@ When you are ready to begin using Upgrade Readiness, perform the following steps
## Data collection and privacy
To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md), which discusses the issues and provides links to still more detailed information.
To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information.
## Add Upgrade Readiness to Operations Management Suite
@ -54,7 +54,7 @@ If you are not using OMS:
## Enroll devices in Windows Analytics
Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started.md).
Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started).

290
windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md Normal file
View File

@ -0,0 +1,290 @@
---
title: Multifactor Unlock
description: Multifactor Unlock
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
ms.date: 03/20/2018
---
# Multifactor Unlock
**Requirements:**
* Windows Hello for Business deployment (Hybrid or On-premises)
* Hybird Azure AD joined (Hybrid deployments)
* Domain Joined (on-premises deployments)
* Windows 10, version 1709
* Bluetooth, Bluetooth capable phone - optional
Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
Windows 10 offers Multifactor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices.
Which organizations can take advanage of Multifactor unlock? Those who:
* Have expressed that PINs alone do not meet their security needs.
* Want to prevent Information Workers from sharing credentials.
* Want their orgs to comply with regulatory two-factor authentication policy.
* Want to retain the familiar Windows logon UX and not settle for a custom solution.
You enable multifactor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.
## The Basics: How it works
First unlock factor credential provider and Second unlock credential provider are repsonsible for the bulk of the configuration. Each of these components contains a globally unqiue identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credenital provider from each category before Windows allows the user to proceed to their desktop.
The policy setting has three components:
* First unlock factor credential provider
* Second unlock factor credential provider
* Signal rules for device unlock
## Configuring Unlock Factors
The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers.
Supported credential providers include:
|Credential Provider| GUID|
|:------------------|:----|
|PIN | \{D6886603-9D2F-4EB2-B667-1971041FA96B}|
|Fingerprint | \{BEC09223-B018-416D-A0AC-523971B639F5}|
|Facial Recognition | \{8AF662BF-65A0-4D0A-A540-A338A999D36F}|
|Trusted Signal<br>(Phone proximity, Network location) | \{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}|
>[!NOTE]
>Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table.
The default credential providers for the **First unlock factor credential provider** include:
* PIN
* Fingerprint
* Facial Recongition
The default credential providers for the **Second unlock factor credential provider** include:
* Trusted Signal
* PIN
Configure a comma separated list of credential provider GUIDs you want to use as first and second unlock factors. While a credential provider can appear in both lists, remember that a credential supported by that provider can only satisfy one of the unlock factors. Listed credential providers do not need to be in any specific order.
For example, if you include the PIN and fingerprint credential providers in both first and second factor lists, a user can use their fingerprint or PIN as the first unlock factor. However, whichever factor they used to satisfy the first unlock factor cannot be used to satisfy the second unlock factor. Each factor can therefore be used exactly once. The Trusted Signal provider can *only* be specified as part of the Second unlock factor credential provider list.
## Configure Signal Rules for the Trusted Signal Credential Provider
The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device.
### Rule element
You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported scheam version is 1.0.<br>
**Example**
```
<rule schemaVersion="1.0">
</rule>
```
### Signal element
Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.<br>
|Attribute|Value|
|---------|-----|
| type| "bluetooth" or "ipConfig" (Windows 10, version 1709)|
#### Bluetooth
You define the bluetooth signal with additional attribute in the signal elment. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>".
|Attribute|Value|Required|
|---------|-----|--------|
|type|"bluetooth"|yes|
|scenario|"Authentication"|yes|
|classOfDevice|"*number*"|no|
|rssiMin|"*number*"|no|
|rssiMaxDelta|"*number*"|no|
Example:
```
<rule schemaVersion="1.0">
<signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
</rule>
```
The **classofDevice** attribute defaults Phones and uses the values from the following table
|Description|Value|
|:-------------|:-------:|
|Miscellaneous|0|
|Computer|256|
|Phone|512|
|LAN/Network Access Point|768|
|Audio/Video|1024|
|Peripheral|1280|
|Imaging|1536|
|Wearable|1792|
|Toy|2048|
|Health|2304|
|Uncategorized|7936|
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.
RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
>[!IMPORTANT]
>Microsoft recommends using the default values for this policy settings. Measurements are relative, based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. Use the rssiMIN and rssiMaxDelta values from the XML file created by the Group Policy Management Editor or remove both attributes to use the default values.
#### IP Configuration
You define IP configuration signals using one or more ipConfiguration elements. Each element has a string value. IpConfiguration elements do not have attributes or nested elements.
##### IPv4Prefix
The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element.<br>
**Example**
```
<ipv4Prefix>192.168.100.0/24</ipv4Prefix>
```
The assigned IPv4 addresses in the range of 192.168.100.1 to 192.168.100.254 match this signal configuration.
##### IPv4Gateway
The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element.<br>
**Example**
```
<ipv4Gateway>192.168.100.10</ipv4Gateway>
```
##### IPv4DhcpServer
The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element.<br>
**Example**
```
<ipv4DhcpServer>192.168.100.10</ipv4DhcpServer>
```
##### IPv4DnsServer
The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.<br>
**Example:**
```
<ipv4DnsServer>192.168.100.10</ipv4DnsServer>
```
##### IPv6Prefix
The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element.<br>
**Example**
```
<ipv6Prefix>21DA:D3::/48</ipv6Prefix>
```
##### IPv6Gateway
The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element.<br>
**Example**
```
<ipv6Gateway>21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2</ipv6Gateway>
```
##### IPv6DhcpServer
The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element.<br>
**Example**
```
<ipv6DhcpServer>21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2</ipv6DhcpServer
```
##### IPv6DnsServer
The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. The **signal** element may contain one or more **ipv6DnsServer** elements.<br>
**Example**
```
<ipv6DnsServer>21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2</ipv6DnsServer>
```
##### dnsSuffix
The fully qualified domain name of your organizations internal dns suffix where any part of the fully qualified domain name in this setting exists in the computer's primary dns suffix. The **signal** element may contain one or more **dnsSuffix** elements.<br>
**Example**
```
<dnsSuffix>corp.contoso.com</dnsSuffix>
```
### Sample Trusted Signal Congfigurations
These examples are wrapped for readability. Once properly formatted, the entire XML contents must be a single line.
#### Example 1
This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, and DnsSuffix elements.
```
<rule schemaVersion="1.0">
<signal type="ipConfig">
<ipv4Prefix>10.10.10.0/24</ipv4Prefix>
<ipv4DnsServer>10.10.0.1</ipv4DnsServer>
<ipv4DnsServer>10.10.0.2</ipv4DnsServer>
<dnsSuffix>corp.contoso.com</dnsSuffix>
</signal>
</rule>
```
#### Example 2
This example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones. This configuration is wrapped for reading. Once properly formatted, the entire XML contents must be a single line. This example implies that either the ipconfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
>[!NOTE]
>Separate each rule element using a comma.
```
<rule schemaVersion="1.0">
<signal type="ipConfig">
<dnsSuffix>corp.contoso.com</dnsSuffix>
</signal>
</rule>,
<rule schemaVersion="1.0">
<signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
</rule>
```
#### Example 3
This example configures the same as example 2 using compounding And elements. This example implies that the ipconfig **and** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
```
<rule schemaVersion="1.0">
<and>
<signal type="ipConfig">
<dnsSuffix>corp.microsoft.com</dnsSuffix>
</signal>
<signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
</and>
</rule>
```
## Deploying Multifactor Unlock
>[!IMPORTANT]
>You need to remove all third party credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed).
### How to configure Multifactor Unlock policy settings
You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes muiltifactor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
### Create the Multifactor Unlock Group Policy object
The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed.
>[!IMPORTANT]
> * PIN **must** be in at least one of the groups
> * Trusted signals **must** be combined with another credential provider
> * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both.
1. Start the **Group Policy Management Console** (gpmc.msc)
2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
3. Right-click **Group Policy object** and select **New**.
4. Type *Multifactor Unlock* in the name box and click **OK**.
5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**.
6. In the navigation pane, expand **Policies** under **Computer Configuration**.
7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.<br>
![Group Policy Editor](images/multifactorUnlock/gpme.png)
8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.<br>
![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png)
9. Configure first and second unlock factors using the information in the [Configure Unlock Factors](#configuring-unlock-factors) section.
10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in the [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) section.
11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
## Troubleshooting
Mulitfactor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**.
### Events
|Event ID|Details|
|:------:|:------|
|3520|Unlock attempt initiated|
|5520|Unlock policy not configured|
|6520|Warning event|
|7520|Error event|
|8520|Success event|

7
windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
View File

@ -346,13 +346,6 @@ Sign-in the AD FS server with Domain Admin equivalent credentials.
```PowerShell
Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
```
The `Set-AdfsCertificateAuthority` cmdlet may show the following warning:
>WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured.
This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in.
>[!NOTE]
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. Its important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.

10
windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
View File

@ -6,10 +6,10 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
ms.localizationpriority: high
ms.author: daniha
ms.date: 07/27/2017
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
ms.date: 03/5/2018
---
# Configure or Deploy Multifactor Authentication Services
@ -523,7 +523,7 @@ Before you continue with the deployment, validate your deployment progress by re
* Confirm you saved the changes to the web.config file.
* Confirm you restarted the AD FS Service after completing the configuration.
## Test AD FS with the Multifactor Authentication connector
## Test Multifactor Authentication
Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. The AD FS and Azure Multi-Factor Authentication server configurations are complete.

76
windows/security/identity-protection/hello-for-business/hello-features.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
ms.date: 12/04/2017
ms.date: 3/5/2018
---
# Windows Hello for Business Features
@ -20,7 +20,6 @@ Consider these additional features you can use after your organization deploys W
* [Dynamic lock](#dynamic-lock)
* [PIN reset](#pin-reset)
* [Privileged credentials](#privileged-credentials)
* [Mulitfactor Unlock](#multifactor-unlock)
## Conditional access
@ -154,76 +153,3 @@ The privileged credentials scenario enables administrators to perform elevated,
By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, Allow enumeration of emulated smartd card for all users, you can configure a device to all this enumeration on selected devices.
With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal workflow such as email, but can launch Microsoft Managment Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternativing between privileged and non-privileged workloads.
## Multifactor Unlock
**Requirements:**
* Windows Hello for Business deployment (Hybrid or On-premises)
* Hybird Azure AD joined (Hybrid deployments)
* Domain Joined (on-premises deployments)
* Windows 10, version 1709
* Bluetooth, Bluetooth capable smartphone - optional
Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
Windows 10 offers Multifactor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices.
Which organizations can take advanage of Multifactor unlock? Those who:
* Have expressed that PINs alone do not meet their security needs.
* Want to prevent Information Workers from sharing credentials.
* Want their orgs to comply with regulatory two-factor authentication policy.
* Want to retain the familiar Windows logon UX and not settle for a custom solution.
>[!IMPORTANT]
>Once the you deploy multifactor unlock policies, users are not be able to unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed).
You enable multifactor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.
The policy setting has three components:
* First unlock factor credential provider
* Second unlock factor credential provider
* Signal rules for device unlock
### The Basics: How it works
First unlock factor credential provider and Second unlock credential provider are repsonsible for the bulk of the configuration. Each of these components contains a globally unqiue identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credenital provider from each category before Windows allows the user to proceed to their desktop.
The credenital providers included in the default policy settings are:
|Credential Provider| GUID|
|:------------------|:----:|
|PIN | \{D6886603-9D2F-4EB2-B667-1971041FA96B}|
|Fingerprint | \{BEC09223-B018-416D-A0AC-523971B639F5}|
|Facial Recognition | \{8AF662BF-65A0-4D0A-A540-A338A999D36F}|
|Trusted Signal | \{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}|
The default credential providers for the **First unlock factor credential provider** include:
* PIN
* Fingerprint
* Facial Recongition
The default credential providers for the **Second unlock factor credential provider** include:
* Trusted Signal
* PIN
The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device.
The default signal rules for the policy setting include the proximity of any paired bluetooth smartphone.
To successfully reach their desktop, the user must satisfy one credential provider from each category. The order in which the user satisfies each credential provider does not matter. Therefore, using the default policy setting a user can provide:
* PIN and Fingerprint
* PIN and Facial Recognition
* Fingerprint and PIN
* Facial Recognition and Trusted Signal (bluetooth paired smartphone)
>[!IMPORTANT]
> * PIN **must** be in at least one of the groups
> * Trusted signals **must** be combined with another credential provider
> * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can be used to satisfy either category, but not both.

5
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
ms.date: 10/23/2017
ms.date: 02/23/2018
---
# Configure Device Registration for Hybrid Windows Hello for Business
@ -495,8 +495,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
![Device Registration](images/hybridct/device8.png)
- object of type serviceConnectionpoint at CN=&lt;guid&gt;, CN=Device Registration
- Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
- object of type serviceConnectionpoint at CN=&lt;guid&gt;, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
- read/write access to the specified AD connector account name on the new object
- object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
- object of type msDS-DeviceRegistrationService in the above container

3
windows/security/identity-protection/hello-for-business/hello-identity-verification.md
View File

@ -71,6 +71,9 @@ The table shows the minimum requirements for each deployment.
## Frequently Asked Questions
### Can I deploy Windows Hello for Business using System Center Configuration Manager?
Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deploymnet model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager wil no long be supported after November 2018.
### What is the password-less strategy?
Watch Senior Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**

BIN
windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 112 KiB

1
windows/security/identity-protection/hello-for-business/toc.md
View File

@ -44,3 +44,4 @@
#### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
## [Windows Hello for Business Features](hello-features.md)
### [Multifactor Unlock](feature-multifactor-unlock.md)