From 16c05daed9684ea290262edd92055debc69da9f9 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 29 Aug 2023 16:33:50 -0400 Subject: [PATCH] acrolinx --- .../passwordless-experience.md | 32 +++++++++---------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/windows/security/identity-protection/passwordless-experience.md b/windows/security/identity-protection/passwordless-experience.md index b2147a3048..00bfed447f 100644 --- a/windows/security/identity-protection/passwordless-experience.md +++ b/windows/security/identity-protection/passwordless-experience.md @@ -1,6 +1,6 @@ --- title: Passwordless experience -description: Learn how Passworless experience enables your organization to move away from passwords. +description: Learn how Passwordless experience enables your organization to move away from passwords. ms.collection: - highpri - tier1 @@ -19,16 +19,16 @@ we continue to invest in a journey towards passwordless. >[!NOTE] >Microsoft Entra hybrid joined devices and Active Directory domain joined devices are currently out of scope. -The policy affects only Entra ID accounts after they sign in to the device with stron credentials (Windows Hello for Business or FIDO2 security key). The policy does not affect the initial sign-in experience and local accounts. +The policy affects only Entra ID accounts after they sign in to the device with strong credentials (Windows Hello for Business or FIDO2 security key). The policy doesn't affect the initial sign-in experience and local accounts. Once the policy is set: -- Removes passwords from the user experience, both for device logon as well as in-session auth scenarios via CredUI -- Users will navigate through their core authentication scenarios (WHFB/FIDO2 security keys etc) +- Removes passwords from the user experience, both for device sign in and in-session auth scenarios via CredUI +- Users navigate through their core authentication scenarios (WHFB/FIDO2 security keys etc.) - If users are blocked, they can use a recovery mechanism such as PIN Reset or Web Sign-in -Starting in Windows 11, version 22H2 with [KB5030310](https://support.microsoft.com/kb/5030310), *Passwordless experience* is a security policy thatpromotes a passwordless user experience on Microsoft Entra joined devices. -Once enabled, Windows users can sign in to their devices using Windows Hello for Business or a FIDO2 security key only. This feature is available for Azure Active Directory (Azure AD) joined devices only. +Starting in Windows 11, version 22H2 with [KB5030310](https://support.microsoft.com/kb/5030310), *Passwordless experience* is a security policy that promotes a passwordless user experience on Microsoft Entra joined devices. +Once enabled, Windows users can sign in to their devices using Windows Hello for Business or a FIDO2 security key only. This article explains how to enable Passwordless experience and describes the user experience. ## Enable Passwordless experience with Intune @@ -70,7 +70,7 @@ Alternatively, you can configure devices using a [custom policy][INT-2] with the ### UAC prompt experience -Depending on [how UAC is configured][UAC-1], end-users will see different experiences when they need to elevate their privileges. +Depending on [how UAC is configured][UAC-1], end-users see different experiences when they need to elevate their privileges. :::row::: :::column span="2"::: @@ -82,7 +82,7 @@ Depending on [how UAC is configured][UAC-1], end-users will see different experi :::row-end::: :::row::: :::column span="2"::: - **Passwordless experience turned on**: UAC elevation prompts doesn't allow the user to use a password. + **Passwordless experience turned on**: UAC elevation prompts don't allow the user to use a password. :::column-end::: :::column span="2"::: :::image type="content" source="images/passwordless-experience/uac-on.png" lightbox="images/passwordless-experience/uac-on.png" alt-text="Screenshot of the UAC prompt showing fingerprint and PIN options only."::: @@ -112,8 +112,8 @@ Depending on [how UAC is configured][UAC-1], end-users will see different experi Once the EnablePasswordlessExperience policy is set: -- It removes passwords from the user experience, both for device logon as well as in-session auth scenarios via CredUI.  -- Users will navigate through their core authentication scenarios (WHFB/FIDO2 security keys, etc.) +- It removes passwords from the user experience, both for device logon and in-session auth scenarios via CredUI.  +- Users navigate through their core authentication scenarios (WHFB/FIDO2 security keys, etc.) - If users are blocked, they can use a recovery mechanism such as PIN Reset or Web Sign-in. (September Feature to improve recovery mechanisms) @@ -122,11 +122,11 @@ Once the EnablePasswordlessExperience policy is set: Q: What is the difference between the existing GP and the new policy? A: This new policy is a comprehensive policy for hiding passwords from Windows, compared to the existing GP -Q: What happens if a user cannot sign in with biomentrics and forgot their PIN? +Q: What happens if a user can't sign in with biometrics and forgot their PIN? A: The user can use the PIN Reset feature to reset their PIN. Once the PIN Reset feature is configured, a user can reset a PIN from the lock screen and the Settings app. Q: What's the difference between the group policy and the new policy? -A: The existing GP, once configured, disables passwords for "All accounts", so there is no strong recovery mechanism to get on the machine. RDP, RunAs, and in-session auth scenarios are not supported with this GP. The new policy hides passwords from in-session auth scenarios like Password Manager in a web browser, Run as administrator, etc. It also excludes *Other User* from the policy, so you can sign in from this account as a backup mechanism. +A: The existing GP, once configured, disables passwords for "All accounts", so there's no strong recovery mechanism to get on the machine. RDP, RunAs, and in-session auth scenarios aren't supported with this GP. The new policy hides passwords from in-session auth scenarios like Password Manager in a web browser, Run as administrator, etc. It also excludes *Other User* from the policy, so you can sign in from this account as a backup mechanism. ## Recover a passwordless credential @@ -134,16 +134,14 @@ This feature aims to improve: - Web Sign-in Infrastructure - On demand web-based experience for credential recovery - - Enable a web sign in policy : Cred provider primarily used as a bootstrap mechanism for enterprises [enablewebsignin][CSP-2]​ + - Enable a web sign in policy: Cred provider primarily used as a bootstrap mechanism for enterprises [enablewebsignin][CSP-2]​ - TAP is removed and is open to all Auth methods -​If a user failed to recover their credentials, then he/she is locked out of their account and won't be able to log back in until there is some strong recovery mechanism. This improvement includes a reliable UI experience when a user clicks on "I forgot my PIN", on the first click user will be redirected to MFA web app for authentication and can change the PIN seamlessly.​ If TPM fails, on demand recovery flow will pop in. This work moves the Web Sign-in infrastructure from the CHX WebApp to LWH​ - Scenarios: CTRL-ALT-DEL --> password change Settings > Accounts> Sign-in options RDP connection -Show password from the ones stored in Edge: doesn't allow to type password but only a WHFB unlock +Show password from the ones stored in Microsoft Edge: doesn't allow to type password but only a WHFB unlock Run as admin Run as different user Above PIN reset @@ -156,7 +154,7 @@ Example: When TPM is cleared out/something goes wrong, on demand web-based exper ## Sum up -2) Web experience for credential recovery +Web experience for credential recovery This new work moves the Web Sign-in infrastructure from the Cloud Host Experience (CHX) WebApp to the newly written Login Web Host (LWH) for the September moment. This now provides better security, reliability to support the existing as well as new workflows. We are using the same LWH infra previously built for EDU scenarios. This means, in addition to TAP, it is now opened to all AAD auth methods. PIN Reset flow is still the same, we have made some improvements, which include a reliable UI experience when a user clicks on "I forgot my PIN", on the first click, the user will be redirected to the MFA web app for authentication and can change the PIN seamlessly.