deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into vp-csp-applicability

Browse Source
This commit is contained in:
Vinay Pamnani 2024-07-08 14:02:50 -06:00 committed by GitHub
commit 170876e546
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
60 changed files with 223 additions and 266 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
.openpublishing.redirection.windows-whats-new.json
View File

@ -159,11 +159,21 @@
"source_path":"windows/whats-new/whats-new-windows-10-version-20H2.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-20H2",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-21H1.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H1",
"redirect_document_id":false
}
]
}
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-21H1.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H1",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-21H2.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H2",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/ltsc/index.yml",
"redirect_url":"/windows/whats-new/",
"redirect_document_id":false
}
]
}

4
windows/deployment/update/waas-quick-start.md
View File

@ -1,5 +1,5 @@
---
title: Quick guide to Windows as a service (Windows 10)
title: Quick guide to Windows as a service
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
ms.service: windows-client
ms.subservice: itpro-updates
@ -16,7 +16,7 @@ ms.date: 12/31/2017
# Quick guide to Windows as a service
Here's a quick guide to the most important concepts in Windows as a service. For more information, see the [extensive set of documentation](index.md).
Here's a quick guide to the most important concepts in Windows as a service.
## Definitions

1
windows/deployment/update/waas-restart.md
View File

@ -209,7 +209,6 @@ There are three different registry combinations for controlling restart behavior
## More resources
- [Update Windows in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)
- [Configure Delivery Optimization for Windows updates](../do/waas-delivery-optimization.md)
- [Configure BranchCache for Windows updates](waas-branchcache.md)

2
windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
View File

@ -1,7 +1,7 @@
---
title: Add and verify admin contacts
description: This article explains how to add and verify admin contacts
ms.date: 09/15/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
View File

@ -1,7 +1,7 @@
---
title: Manage Windows Autopatch groups
description: This article explains how to manage Autopatch groups
ms.date: 12/13/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
View File

@ -1,7 +1,7 @@
---
title: Windows Autopatch groups overview
description: This article explains what Autopatch groups are
ms.date: 07/20/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual

2
windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
View File

@ -1,7 +1,7 @@
---
title: Post-device registration readiness checks
description: This article details how post-device registration readiness checks are performed in Windows Autopatch
ms.date: 09/16/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual

2
windows/deployment/windows-autopatch/operate/windows-autopatch-customize-windows-update-settings.md
View File

@ -1,7 +1,7 @@
---
title: Customize Windows Update settings Autopatch groups experience
description: How to customize Windows Updates with Autopatch groups
ms.date: 07/25/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
View File

@ -1,7 +1,7 @@
---
title: Device alerts
description: Provide notifications and information about the necessary steps to keep your devices up to date.
ms.date: 08/01/2023
ms.date: 07/08/2023
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
View File

@ -1,7 +1,7 @@
---
title: Exclude a device
description: This article explains how to exclude a device from the Windows Autopatch service
ms.date: 08/08/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
View File

@ -1,7 +1,7 @@
---
title: Software update management for Autopatch groups
description: This article provides an overview of how updates are handled with Autopatch groups
ms.date: 07/25/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: overview

2
windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
View File

@ -1,7 +1,7 @@
---
title: Manage driver and firmware updates
description: This article explains how you can manage driver and firmware updates with Windows Autopatch
ms.date: 08/22/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/operate/windows-autopatch-manage-windows-feature-update-releases.md
View File

@ -1,7 +1,7 @@
---
title: Manage Windows feature update releases
description: This article explains how you can manage Windows feature updates with Autopatch groups
ms.date: 07/25/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual

2
windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
View File

@ -1,7 +1,7 @@
---
title: policy health and remediation
description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service
ms.date: 07/25/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
View File

@ -1,7 +1,7 @@
---
title: Unenroll your tenant
description: This article explains what unenrollment means for your organization and what actions you must take.
ms.date: 08/08/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
View File

@ -1,7 +1,7 @@
---
title: Windows feature updates overview
description: This article explains how Windows feature updates are managed with Autopatch groups
ms.date: 07/25/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual

2
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-status-report.md
View File

@ -1,7 +1,7 @@
---
title: Feature update status report
description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
ms.date: 07/25/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-trending-report.md
View File

@ -1,7 +1,7 @@
---
title: Feature update trending report
description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days.
ms.date: 07/25/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

6
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
View File

@ -1,7 +1,7 @@
---
title: Windows quality update communications for Autopatch groups
description: This article explains Windows quality update communications for Autopatch groups
ms.date: 07/25/2023
title: Windows quality update communications
description: This article explains Windows quality update communications
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual

6
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
View File

@ -1,7 +1,7 @@
---
title: Windows quality update end user experience for Autopatch groups
description: This article explains the Windows quality update end user experience using the Autopatch groups exp
ms.date: 07/25/2023
title: Windows quality update end user experience
description: This article explains the Windows quality update end user experience
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual

2
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
View File

@ -1,6 +1,6 @@
---
title: Windows quality updates overview with Autopatch groups experience
description: This article explains how Windows quality updates are managed with Autopatch groups
description: This article explains how Windows quality updates are managed with Autopatch
ms.date: 05/24/2024
ms.service: windows-client
ms.subservice: itpro-updates

6
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
View File

@ -1,7 +1,7 @@
---
title: Windows quality update release signals with Autopatch groups
description: This article explains the Windows quality update release signals with Autopatch groups
ms.date: 07/25/2023
title: Windows quality update release signals
description: This article explains the Windows quality update release signals
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual

4
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-status-report.md
View File

@ -1,7 +1,7 @@
---
title: Quality update status report
description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices with Autopatch groups.
ms.date: 07/25/2023
description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices.
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
View File

@ -1,6 +1,6 @@
---
title: Windows quality update summary dashboard
description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch with Autopatch groups
description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch
ms.date: 01/22/2024
ms.service: windows-client
ms.subservice: itpro-updates

4
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-trending-report.md
View File

@ -1,7 +1,7 @@
---
title: Quality update trending report
description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups.
ms.date: 09/01/2023
description: Provides a visual representation of the update status trend for all devices over the last 90 days.
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
View File

@ -1,7 +1,7 @@
---
title: Windows Autopatch deployment guide
description: This guide explains how to successfully deploy Windows Autopatch in your environment
ms.date: 08/24/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
View File

@ -4,7 +4,7 @@ metadata:
description: Answers to frequently asked questions about Windows Autopatch.
ms.service: windows-client
ms.topic: faq
ms.date: 12/04/2023
ms.date: 07/08/2024
audience: itpro
ms.localizationpriority: medium
manager: aaroncz

2
windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
View File

@ -1,7 +1,7 @@
---
title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles.
ms.date: 08/08/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual

2
windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
View File

@ -1,7 +1,7 @@
---
title: Privacy
description: This article provides details about the data platform and privacy compliance for Autopatch
ms.date: 09/13/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: reference

2
windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
View File

@ -1,7 +1,7 @@
---
title: Roles and responsibilities
description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
ms.date: 08/31/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual

2
windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
View File

@ -1,7 +1,7 @@
---
title: Configure your network
description: This article details the network configurations needed for Windows Autopatch
ms.date: 09/15/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
View File

@ -1,7 +1,7 @@
---
title: Enroll your tenant
description: This article details how to enroll your tenant
ms.date: 09/15/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
View File

@ -1,7 +1,7 @@
---
title: Submit a tenant enrollment support request
description: This article details how to submit a tenant enrollment support request
ms.date: 09/13/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
View File

@ -1,7 +1,7 @@
---
title: Fix issues found by the Readiness assessment tool
description: This article details how to fix issues found by the Readiness assessment tool.
ms.date: 09/12/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md
View File

@ -1,7 +1,7 @@
---
title: Conflicting configurations
description: This article explains how to remediate conflicting configurations affecting the Windows Autopatch service.
ms.date: 09/05/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual

2
windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
View File

@ -1,7 +1,7 @@
---
title: Driver and firmware updates for Windows Autopatch Public Preview Addendum
description: This article explains how driver and firmware updates are managed in Autopatch
ms.date: 06/26/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual

2
windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft 365 Apps for enterprise update policies
description: This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch
ms.date: 06/23/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual

2
windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
View File

@ -1,7 +1,7 @@
---
title: Windows update policies
description: This article explains Windows update policies in Windows Autopatch
ms.date: 09/02/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual

2
windows/deployment/windows-subscription-activation.md
View File

@ -135,7 +135,7 @@ With Windows Enterprise or Education editions, an organization can benefit from
To compare Windows editions and review pricing, see the following sites:
- [Compare Windows editions](https://www.microsoft.com/en-us/windows/business/windows-10-pro-vs-windows-11-pro) <!-- Leaving in language reference in URL because URL without it doesn't redirect properly>
- [Compare Windows editions](https://www.microsoft.com/en-us/windows/business/windows-10-pro-vs-windows-11-pro) <!-- Leaving in language reference in URL because URL without it doesn't redirect properly-->
- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing)
Benefits of moving to Windows as an online service include:

4
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
View File

@ -37,7 +37,7 @@ Use the following instructions to configure your devices using either Microsoft
Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business *authentication certificate* template.
The process requires no user interaction, provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
The process requires no user interaction, provided the user signs in using Windows Hello for Business. The certificate is renewed in the background before it expires.
[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
@ -135,6 +135,6 @@ To better understand the authentication flows, review the following sequence dia
<!--links-->
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[MEM-1]: /mem/intune/configuration/custom-settings-configure

8
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
View File

@ -34,7 +34,7 @@ ms.topic: tutorial
## Federated authentication to Microsoft Entra ID
Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. You must also configure the AD FS farm to support Azure registered devices.
Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. You must also configure the AD FS farm to support Microsoft Entra registered devices.
If you're new to AD FS and federation services:
@ -82,9 +82,9 @@ During Windows Hello for Business provisioning, users receive a sign-in certific
> [Next: configure and validate the Public Key Infrastructure >](hybrid-cert-trust-pki.md)
<!--links-->
[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
[AZ-10]: /azure/active-directory/devices/howto-hybrid-azure-ad-join#federated-domains
[AZ-11]: /azure/active-directory/devices/hybrid-azuread-join-manual
[AZ-8]: /entra/identity/devices/hybrid-join-plan
[AZ-10]: /entra/identity/devices/how-to-hybrid-join#federated-domains
[AZ-11]: /entra/identity/devices/hybrid-join-manual
[SER-2]: /windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm
[SER-3]: /windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts

2
windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
View File

@ -202,7 +202,7 @@ The following scenarios aren't supported using Windows Hello for Business cloud
<!--Links-->
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[ENTRA-1]: /entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module
[MEM-1]: /mem/intune/configuration/custom-settings-configure

4
windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
View File

@ -108,7 +108,7 @@ To better understand the authentication flows, review the following sequence dia
- [Microsoft Entra join authentication to Active Directory using a key](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-active-directory-using-a-key)
<!--links-->
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
[AZ-5]: /entra/identity/hybrid/connect/how-to-connect-sync-feature-scheduler
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[MEM-1]: /mem/intune/configuration/custom-settings-configure

13
windows/security/identity-protection/hello-for-business/deploy/index.md
View File

@ -146,7 +146,9 @@ The goal of Windows Hello for Business is to move organizations away from passwo
- On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from non-Microsoft options that offer an AD FS MFA adapter. For more information, see [Microsoft and non-Microsoft additional authentication methods][SER-2]
> [!IMPORTANT]
> As of July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication. Existing deployment where the MFA Server was activated prior to July 1, 2019 can download the latest version, future updates, and generate activation credentials. For more information, see [Getting started with the Azure Multi-Factor Authentication Server][ENTRA-2].
> Beginning July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication.
>
>Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](/entra/identity/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication) to the cloud-based Azure MFA.
|| Deployment model | MFA options |
|--|--|--|
@ -159,7 +161,6 @@ The goal of Windows Hello for Business is to move organizations away from passwo
For more information:
- [Configure Microsoft Entra multifactor authentication settings][ENTRA-4]
- [Configure Azure MFA as authentication provider with AD FS][SER-1]
- [Manage an external authentication method in Microsoft Entra ID][ENTRA-11]
#### MFA and federated authentication
@ -205,6 +206,9 @@ Hybrid and on-premises deployments use directory synchronization, however, each
| **Hybrid** | Microsoft Entra Connect Sync|
| **On-premises** | Azure MFA server |
> [!IMPORTANT]
>Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](/entra/identity/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication) to the cloud-based Azure MFA.
## Device configuration options
Windows Hello for Business provides a rich set of granular policy settings. There are two main options to configure Windows Hello for Business: configuration service provider (CSP) and group policy (GPO).
@ -240,6 +244,9 @@ Here are some considerations regarding licensing requirements for cloud services
| **🔲** | **On-premises** | Key | Azure MFA, if used as MFA solution |
| **🔲** | **On-premises** | Certificate | Azure MFA, if used as MFA solution |
> [!IMPORTANT]
>Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](/entra/identity/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication) to the cloud-based Azure MFA.
## Operating System requirements
### Windows requirements
@ -291,7 +298,6 @@ Now that you've read about the different deployment options and requirements, yo
<!--links-->
[ENTRA-1]: /entra/identity/authentication/concept-mfa-howitworks
[ENTRA-2]: /entra/identity/authentication/howto-mfaserver-deploy
[ENTRA-3]: /entra/identity/hybrid/connect/how-to-connect-sync-whatis
[ENTRA-4]: /entra/identity/authentication/howto-mfa-mfasettings
[ENTRA-5]: /entra/identity/devices/hybrid-join-plan
@ -302,7 +308,6 @@ Now that you've read about the different deployment options and requirements, yo
[ENTRA-10]: /entra/identity/hybrid/connect/whatis-fed
[ENTRA-11]: /entra/identity/authentication/how-to-authentication-external-method-manage
[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
[SER-2]: /windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods
[KB-1]: https://support.microsoft.com/topic/5010415

4
windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md
View File

@ -37,7 +37,7 @@ Follow the instructions below to configure your devices using either Microsoft I
Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business *authentication certificate* template.
The process requires no user interaction, provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
The process requires no user interaction, provided the user signs in using Windows Hello for Business. The certificate is renewed in the background before it expires.
[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
@ -86,4 +86,4 @@ To better understand the provisioning flows, review the following sequence diagr
- [Provisioning in an on-premises certificate trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-certificate-trust-deployment-model)
<!--links-->
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd

2
windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
View File

@ -62,4 +62,4 @@ To better understand the provisioning flows, review the following sequence diagr
- [Provisioning in an on-premises key trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-key-trust-deployment-model)
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd

8
windows/security/identity-protection/hello-for-business/faq.yml
View File

@ -150,7 +150,7 @@ sections:
It's possible to Microsoft Entra register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business.
For more information, see [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register).
For more information, see [Microsoft Entra registered devices](/entra/identity/devices/concept-device-registration).
- question: Does Windows Hello for Business work with non-Windows operating systems?
answer: |
Windows Hello for Business is a feature of the Windows platform.
@ -162,7 +162,7 @@ sections:
Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
> [!NOTE]
> The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
> The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/entra/identity/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
- question: Which is a better or more secure for of authentication, key or certificate?
answer: |
Both types of authentication provide the same security; one is not more secure than the other.
@ -203,7 +203,7 @@ sections:
questions:
- question: What is Windows Hello for Business cloud Kerberos trust?
answer: |
Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/deploy).
Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/deploy).
- question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
answer: |
This feature doesn't work in a pure on-premises AD domain services environment.
@ -213,7 +213,7 @@ sections:
- question: Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
answer: |
Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when:
- a user signs-in for the first time or unlocks with Windows Hello for Business after provisioning
- a user signs in for the first time or unlocks with Windows Hello for Business after provisioning
- attempting to access on-premises resources secured by Active Directory
- question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
answer: |

4
windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
View File

@ -15,7 +15,7 @@ PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to
### Identify PIN Reset allowed domains issue
The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Microsoft Entra join devices. Typically, the UI displays an Azure authentication page, where the user authenticates using Microsoft Entra credentials and completes MFA.
The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Microsoft Entra join devices. Typically, the UI displays an authentication page, where the user authenticates using Microsoft Entra credentials and completes MFA.
In federated environments, authentication may be configured to route to AD FS or a non-Microsoft identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it fails and displays the *We can't open that page right now* error, if the domain for the server page isn't included in an allowlist.
@ -23,7 +23,7 @@ If you're a customer of *Azure US Government* cloud, PIN reset also attempts to
### Resolve PIN Reset allowed domains issue
To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [Configure allowed URLs for federated identity providers on Microsoft Entra joined devices](hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-azure-ad-joined-devices).
To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [Configure allowed URLs for federated identity providers on Microsoft Entra joined devices](hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-microsoft-entra-joined-devices).
## Hybrid key trust sign in broken due to user public key deletion

4
windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
View File

@ -40,7 +40,7 @@ If the error occurs again, check the error code against the following table to s
| 0x80090035 | Policy requires TPM and the device doesn't have TPM. | Change the Windows Hello for Business policy to not require a TPM. |
| 0x80090036 | User canceled an interactive dialog. | User is asked to try again. |
| 0x801C0003 | User isn't authorized to enroll. | Check if the user has permission to perform the operation. |
| 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). |
| 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/entra/identity/devices/manage-device-identities). |
| 0x801C000F | Operation successful, but the device requires a reboot. | Reboot the device. |
| 0x801C0010 | The AIK certificate isn't valid or trusted. | Sign out and then sign in again. |
| 0x801C0011 | The attestation statement of the transport key is invalid. | Sign out and then sign in again. |
@ -53,7 +53,7 @@ If the error occurs again, check the error code against the following table to s
| 0x801C03EA | Server failed to authorize user or device. | Check if the token is valid and user has permission to register Windows Hello for Business keys. |
| 0x801C03EB | Server response http status isn't valid | Sign out and then sign in again. |
| 0x801C03EC | Unhandled exception from server. | sign out and then sign in again. |
| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but wasn't performed. <br><br> -or- <br><br> Token wasn't found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User doesn't have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin. <br> Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings. |
| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but wasn't performed. <br><br> -or- <br><br> Token wasn't found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User doesn't have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Microsoft Entra ID and rejoin. <br> Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings. |
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
| 0x801C03F2 | Windows Hello key registration failed. | ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address. |

4
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -71,7 +71,7 @@ Sign-in to computer running Microsoft Entra Connect with access equivalent to *l
The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph.
1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer)
1. Select **Sign in to Graph Explorer** and provide Azure credentials
1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials
> [!NOTE]
> To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted
@ -487,7 +487,7 @@ Certificate enrollment for Microsoft Entra joined devices occurs over the Intern
Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Microsoft Entra Application Proxies.
Microsoft Entra Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Microsoft Entra Application Proxies. You can create connector groups in Microsoft Entra ID to assign specific connectors to service specific applications.
Microsoft Entra Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](/entra/identity/app-proxy/#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Microsoft Entra Application Proxies. You can create connector groups in Microsoft Entra ID to assign specific connectors to service specific applications.
Connector group automatically round-robin, load balance the Microsoft Entra application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Microsoft Entra application proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.

26
windows/security/identity-protection/hello-for-business/pin-reset.md
View File

@ -49,7 +49,7 @@ To register the applications, follow these steps:
:::row:::
:::column span="3":::
1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator). Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in as at least an [Application Administrator][ENT-2]. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
:::column-end:::
:::column span="1":::
:::image type="content" alt-text="Screenshot showing the PIN reset service permissions page." source="images/pin-reset/pin-reset-service-prompt.png" lightbox="images/pin-reset/pin-reset-service-prompt.png" border="true":::
@ -57,7 +57,7 @@ To register the applications, follow these steps:
:::row-end:::
:::row:::
:::column span="3":::
2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator). Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign as at least an [Application Administrator][ENT-2]. Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
:::column-end:::
:::column span="1":::
:::image type="content" alt-text="Screenshot showing the PIN reset client permissions page." source="images/pin-reset/pin-reset-client-prompt.png" lightbox="images/pin-reset/pin-reset-client-prompt.png" border="true":::
@ -76,7 +76,7 @@ To register the applications, follow these steps:
### Confirm that the two PIN Reset service principals are registered in your tenant
1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com)
1. Sign in to the [Microsoft Entra Manager admin center][ENTRA]
1. Select **Microsoft Entra ID > Applications > Enterprise applications**
1. Search by application name "Microsoft PIN" and verify that both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** are in the list
:::image type="content" alt-text="PIN reset service permissions page." source="images/pin-reset/pin-reset-applications.png" lightbox="images/pin-reset/pin-reset-applications-expanded.png":::
@ -103,7 +103,7 @@ The following instructions provide details how to configure your devices. Select
>[!NOTE]
> You can also configure PIN recovery from the **Endpoint security** blade:
>
> 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
> 1. Sign in to the [Microsoft Intune admin center][INTUNE]
> 1. Select **Endpoint security > Account protection > Create Policy**
Alternatively, you can configure devices using a [custom policy][INT-1] with the [PassportForWork CSP][CSP-1].
@ -113,7 +113,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
| `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`| Boolean | True |
>[!NOTE]
> You must replace `TenantId` with the identifier of your Microsoft Entra tenant. To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
> You must replace `TenantId` with the identifier of your Microsoft Entra tenant. To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID][ENT-3] or try the following, ensuring to sign-in with your organization's account::
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/organization?$select=id
@ -133,7 +133,7 @@ GET https://graph.microsoft.com/v1.0/organization?$select=id
#### Confirm that PIN Recovery policy is enforced on the devices
The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) from the command line. This state can be found under the output in the user state section as the **CanReset** line item. If **CanReset** reports as DestructiveOnly, then only destructive PIN reset is enabled. If **CanReset** reports DestructiveAndNonDestructive, then nondestructive PIN reset is enabled.
The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**][ENT-4] from the command line. This state can be found under the output in the user state section as the **CanReset** line item. If **CanReset** reports as DestructiveOnly, then only destructive PIN reset is enabled. If **CanReset** reports DestructiveAndNonDestructive, then nondestructive PIN reset is enabled.
**Sample User state Output for Destructive PIN Reset**
@ -233,12 +233,18 @@ For Microsoft Entra hybrid joined devices:
> [!NOTE]
> Key trust on Microsoft Entra hybrid joined devices doesn't support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Microsoft Entra self-service password reset at the Windows sign-in screen](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Microsoft Entra self-service password reset at the Windows sign-in screen][ENT-1].
<!--links-->
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[CSP-2]: /windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls
[INT-1]: /mem/intune/configuration/settings-catalog
[APP-1]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent
[APP-2]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[CSP-2]: /windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls
[ENT-1]: /entra/identity/authentication/howto-sspr-windows#general-limitations
[ENT-2]: /entra/identity/role-based-access-control/permissions-reference#application-administrator
[ENT-3]: /entra/fundamentals/how-to-find-tenant
[ENT-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
[ENTRA]: https://entra.microsoft.com
[INT-1]: /mem/intune/configuration/settings-catalog
[INTUNE]: https://go.microsoft.com/fwlink/?linkid=2109431

25
windows/security/identity-protection/hello-for-business/webauthn-apis.md
View File

@ -14,7 +14,7 @@ Starting in **Windows 11, version 22H2**, WebAuthn APIs support ECC algorithms.
## What does this mean?
By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.md) or [FIDO2 Security Keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to implement passwordless multi-factor authentication for their applications on Windows devices.
By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.md) or [FIDO2 Security Keys][ENT-1] to implement passwordless multi-factor authentication for their applications on Windows devices.
Users of these apps or sites can use any browser that supports WebAuthn APIs for passwordless authentication. Users will have a familiar and consistent experience on Windows, no matter which browser they use.
@ -69,7 +69,7 @@ FIDO2 authenticators have already been implemented and WebAuthn relying parties
- Keys for multiple accounts (keys can be stored per relying party)
- Client PIN
- Location (the authenticator returns a location)
- [Hash-based Message Authentication Code (HMAC)-secret](/dotnet/api/system.security.cryptography.hmac) (enables offline scenarios)
- [Hash-based Message Authentication Code (HMAC)-secret][NET-1] (enables offline scenarios)
The following options might be useful in the future, but haven't been observed in the wild yet:
@ -100,15 +100,26 @@ Here's an approximate layout of where the Microsoft bits go:
- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This scope for interaction means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn.
> [!NOTE]
> For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation](/microsoft-edge/dev-guide/windows-integration/web-authentication).
> For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation][EDGE-1].
- **Platform: Windows 10, Windows 11**. Windows 10 and Windows 11 host the Win32 Platform WebAuthn APIs.
- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. The reason is because there's already a strong ecosystem of products that specialize in strong authentication, and every customer (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. For more information on the ever-growing list of FIDO2-certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs.
- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. The reason is because there's already a strong ecosystem of products that specialize in strong authentication, and every customer (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. For more information on the ever-growing list of FIDO2-certified authenticators, see [FIDO Certified Products][EXT-1]. The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs.
## Developer references
The WebAuthn APIs are documented in the [Microsoft/webauthn](https://github.com/Microsoft/webauthn) GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications:
The WebAuthn APIs are documented in the [Microsoft/webauthn][EXT-2] GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications:
- [Web Authentication: An API for accessing Public Key Credentials](https://www.w3.org/TR/webauthn/) (available on the W3C site). This document is known as the WebAuthn spec.
- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html). This document is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication.
- [Web Authentication: An API for accessing Public Key Credentials][EXT-3] (available on the W3C site). This document is known as the WebAuthn spec.
- [Client to Authenticator Protocol (CTAP)][EXT-4]. This document is available at the [FIDO Alliance][EXT-5] site, on which hardware and platform teams are working together to solve the problem of FIDO authentication.
<!--links-->
[ENT-1]: /entra/identity/authentication/how-to-enable-passkey-fido2
[NET-1]: /dotnet/api/system.security.cryptography.hmac
[EDGE-1]: /microsoft-edge/dev-guide/windows-integration/web-authentication
[EXT-1]: https://fidoalliance.org/certification/fido-certified-products/
[EXT-2]: https://github.com/Microsoft/webauthn
[EXT-3]: https://www.w3.org/TR/webauthn/
[EXT-4]: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html
[EXT-5]: http://fidoalliance.org

30
windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
View File

@ -610,7 +610,37 @@ Once decryption is complete, the drive updates its status in the Control Panel a
---
## Unlock a drive
If you connect a drive as a secondary drive to a device, and you have your BitLocker recovery key, you can unlock a BitLocker-enabled drive by using the following instructions.
In the next example, the `D` drive is the one to unlock. Select the option that best suits your needs.
#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
Unlock-BitLocker -MountPoint D -RecoveryPassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx
```
For more information, see [Unlock-BitLocker][PS-2]
#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
```cmd
manage-bde.exe -unlock D: -recoverypassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx
```
For more information, see [manage-bde unlock][WINS-1]
#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
You can unlock the drive from the Control Panel or from Explorer. After opening the BitLocker Control Panel applet, select the **Unlock drive** option to begin the process. When prompted, enter the 48-digit recovery key.
---
<!--links-->
[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)
[PS-1]: /powershell/module/bitlocker
[PS-2]: /powershell/module/bitlocker/unlock-bitlocker
[WINS-1]: /windows-server/administration/windows-commands/manage-bde-unlock

12
windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
View File

@ -2,7 +2,7 @@
title: BitLocker recovery process
description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
ms.topic: how-to
ms.date: 06/18/2024
ms.date: 07/08/2024
---
# BitLocker recovery process
@ -26,6 +26,13 @@ A recovery key can't be stored in any of the following locations:
- The root directory of a nonremovable drive
- An encrypted volume
### Self-recovery with recovery password
If you have access to the recovery key, enter the 48-digits in the preboot recovery screen.
- If you are having issues entering the recovery password in the preboot recovery screen, or you can no longer boot your device, you can connect the drive to another device as a secondary drive. For more information about the unlock process, see [Unlock a drive](operations-guide.md#unlock-a-drive)
- If unlocking with recovery password doesn't work you can use the [BitLocker Repair tool](#bitlocker-repair-tool) to regain access yo your drive
### Self-recovery in Microsoft Entra ID
If BitLocker recovery keys are stored in Microsoft Entra ID, users can access them using the following URL: https://myaccount.microsoft.com. From the **Devices** tab, users can select a Windows device that they own, and select the option **View BitLocker Keys**.
@ -64,6 +71,9 @@ The following list can be used as a template for creating a recovery process for
There are a few Microsoft Entra ID roles that allow a delegated administrator to read BitLocker recovery passwords from the devices in the tenant. While it's common for organizations to use the existing Microsoft Entra ID *[Cloud Device Administrator][ENTRA-2]* or *[Helpdesk Administrator][ENTRA-3]* built-in roles, you can also [create a custom role][ENTRA-5], delegating access to BitLocker keys using the `microsoft.directory/bitlockerKeys/key/read` permission. Roles can be delegated to access BitLocker recovery passwords for devices in specific Administrative Units.
> [!NOTE]
> When devices including [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Administrative unit scoped administrators will lose access to BitLocker recovery keys after device ownership changes. These scoped administrators will need to contact a non-scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user).
The [Microsoft Entra admin center][ENTRA] allows administrators to retrieve BitLocker recovery passwords. To learn more about the process, see [View or copy BitLocker keys][ENTRA-4]. Another option to access BitLocker recovery passwords is to use the Microsoft Graph API, which might be useful for integrated or scripted solutions. For more information about this option, see [Get bitlockerRecoveryKey][GRAPH-1].
In the following example, we use Microsoft Graph PowerShell cmdlet [`Get-MgInformationProtectionBitlockerRecoveryKey`][PS-1] to build a PowerShell function that retrieves recovery passwords from Microsoft Entra ID:

17
windows/whats-new/TOC.yml
View File

@ -18,14 +18,25 @@
- name: What's new in Windows 11, version 22H2
href: whats-new-windows-11-version-22h2.md
- name: Windows 10
expanded: true
expanded: false
items:
- name: Extended Security Updates (ESU) program for Windows 10
href: extended-security-updates.md
- name: What's new in Windows 10, version 22H2
href: whats-new-windows-10-version-22H2.md
- name: What's new in Windows 10, version 21H2
href: whats-new-windows-10-version-21H2.md
- name: Windows 10 Enterprise LTSC
expanded: false
items:
- name: Windows 10 Enterprise LTSC overview
href: ltsc/overview.md
- name: What's new in Windows 10 Enterprise LTSC 2021
href: ltsc/whats-new-windows-10-2021.md
- name: What's new in Windows 10 Enterprise LTSC 2019
href: ltsc/whats-new-windows-10-2019.md
- name: What's new in Windows 10 Enterprise LTSC 2016
href: ltsc/whats-new-windows-10-2016.md
- name: What's new in Windows 10 Enterprise LTSC 2015
href: ltsc/whats-new-windows-10-2015.md
- name: Windows commercial licensing overview
href: windows-licensing.md
- name: Deprecated and removed Windows features

1
windows/whats-new/docfx.json
View File

@ -49,7 +49,6 @@
"folder_relative_path_in_docset": "./"
}
},
"titleSuffix": "What's new in Windows",
"contributors_to_exclude": [
"dstrome2",
"rjagiewich",

41
windows/whats-new/index.yml
View File

@ -15,11 +15,13 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 10/31/2023
ms.date: 07/01/2024
localization_priority: medium
landingContent:
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new
- title: Windows 11 planning
linkLists:
- linkListType: overview
@ -52,9 +54,32 @@ landingContent:
url: extended-security-updates.md
- text: What's new in Windows 10, version 22H2
url: whats-new-windows-10-version-22h2.md
- text: What's new in Windows 10, version 21H2
url: whats-new-windows-10-version-21h2.md
- title: Windows 10 Enterprise LTSC
linkLists:
- linkListType: whats-new
links:
- text: Windows 10 Enterprise LTSC overview
url: ltsc/overview.md
- text: What's new in Windows 10 Enterprise LTSC 2021
url: ltsc/whats-new-windows-10-2021.md
- text: What's new in Windows 10 Enterprise LTSC 2019
url: ltsc/whats-new-windows-10-2019.md
- text: What's new in Windows 10 Enterprise LTSC 2016
url: ltsc/whats-new-windows-10-2016.md
- text: What's new in Windows 10 Enterprise LTSC 2015
url: ltsc/whats-new-windows-10-2015.md
- title: Deprecated features
linkLists:
- linkListType: reference
links:
- text: Windows features we're no longer developing
url: deprecated-features.md
- text: Features and functionality removed in Windows
url: removed-features.md
- text: Lifecycle terminology
url: feature-lifecycle.md#terminology
- title: Learn more
linkLists:
@ -64,15 +89,5 @@ landingContent:
url: /windows/release-health/windows11-release-information
- text: Windows release health dashboard
url: /windows/release-health/
- text: Windows 11 update history
url: https://support.microsoft.com/topic/windows-11-version-22h2-update-history-ec4229c3-9c5f-4e75-9d6d-9025ab70fcce
- text: Windows 10 update history
url: https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb
- text: Windows features we're no longer developing
url: deprecated-features.md
- text: Features and functionality removed in Windows
url: removed-features.md
- text: Compare Windows 11 Editions
url: https://www.microsoft.com/windows/business/compare-windows-11
- text: Windows 10 Enterprise LTSC
url: ltsc/overview.md

13
windows/whats-new/ltsc/TOC.yml
View File

@ -1,13 +0,0 @@
- name: Windows 10 Enterprise LTSC
href: index.yml
items:
- name: Windows 10 Enterprise LTSC overview
href: overview.md
- name: What's new in Windows 10 Enterprise LTSC 2021
href: whats-new-windows-10-2021.md
- name: What's new in Windows 10 Enterprise LTSC 2019
href: whats-new-windows-10-2019.md
- name: What's new in Windows 10 Enterprise LTSC 2016
href: whats-new-windows-10-2016.md
- name: What's new in Windows 10 Enterprise LTSC 2015
href: whats-new-windows-10-2015.md

49
windows/whats-new/ltsc/index.yml
View File

@ -1,49 +0,0 @@
### YamlMime:Landing
title: What's new in Windows 10 Enterprise LTSC
summary: Find out about new features and capabilities in the latest release of Windows 10 Enterprise LTSC for IT professionals.
metadata:
title: What's new in Windows 10 Enterprise LTSC
description: Find out about new features and capabilities in the latest release of Windows 10 Enterprise LTSC for IT professionals.
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.topic: landing-page
ms.collection:
- highpri
- tier1
author: mestew
ms.author: mstewart
manager: aaroncz
ms.date: 12/18/2023
localization_priority: medium
landingContent:
- title: Windows 10 Enterprise LTSC
linkLists:
- linkListType: overview
links:
- text: Windows 10 Enterprise LTSC overview
url: overview.md
- text: What's new in Windows 10 Enterprise LTSC 2021
url: whats-new-windows-10-2021.md
- text: What's new in Windows 10 Enterprise LTSC 2019
url: whats-new-windows-10-2019.md
- text: What's new in Windows 10 Enterprise LTSC 2016
url: whats-new-windows-10-2016.md
- text: What's new in Windows 10 Enterprise LTSC 2015
url: whats-new-windows-10-2015.md
- title: Learn more
linkLists:
- linkListType: overview
links:
- text: Windows release health dashboard
url: /windows/release-health/
- text: Windows 10 update history
url: https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb
- text: Windows features we're no longer developing
url: ../deprecated-features.md
- text: Features and functionality removed in Windows
url: ../removed-features.md

77
windows/whats-new/whats-new-windows-10-version-21H2.md
View File

@ -1,77 +0,0 @@
---
title: What's new in Windows 10, version 21H2 for IT pros
description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
manager: aaroncz
ms.service: windows-client
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
ms.topic: conceptual
ms.collection:
- highpri
- tier2
ms.subservice: itpro-fundamentals
ms.date: 12/31/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10, version 21H2</a>
---
# What's new in Windows 10, version 21H2
Windows 10, version 21H2 is the next feature update. This article lists the new and updated features IT Pros should know. Windows 10, version 21H2 is also known as the Windows 10 November 2021 Update. It includes all features and fixes in previous cumulative updates to Windows 10, version 21H1.
Windows 10, version 21H2 is an [H2-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), and has the following servicing schedule:
- **Windows 10 Professional**: Serviced for 18 months from the release date.
- **Windows 10 Enterprise**: Serviced for 30 months from the release date.
Windows 10, version 21H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/2021/11/16/how-to-get-the-windows-10-november-2021-update/) and [IT tools to support Windows 10, version 21H2 blog](https://aka.ms/tools-for-21h2).
Devices running Windows 10, versions 2004, 20H2, and 21H1 can update quickly to version 21H2 using an enablement package. For more information, see [Feature Update through Windows 10, version 21H2 Enablement Package](https://support.microsoft.com/help/5003791).
To learn more about the status of the November 2021 Update rollout, known issues, and new information, see [Windows release health](/windows/release-health/).
## Updates and servicing
Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel. Previous feature updates were installed using the General Availability Channel. For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473).
Quality updates are still installed monthly on the second Tuesday of the month.
For more information, see:
- [Feature and quality update definitions](/windows/deployment/update/waas-quick-start#definitions)
- [Windows servicing channels](/windows/deployment/update/waas-overview#servicing-channels)
## GPU compute support for the Windows Subsystem for Linux
Starting with Windows 10 version 21H2, the Windows Subsystem for Linux has full graphics processing unit (GPU) compute support. It was available to Windows Insiders, and is now available to everyone. The Linux binaries can use your Windows GPU, and run different workloads, including artificial intelligence (AI) and machine learning (ML) development workflows.
For more information, and what GPU compute support means for you, see the [GPU accelerated ML training inside the Windows Subsystem for Linux blog post](https://blogs.windows.com/windowsdeveloper/2020/06/17/gpu-accelerated-ml-training-inside-the-windows-subsystem-for-linux/).
## Get the latest CSPs
The [KB5005101 September 1, 2021 update](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1) includes about 1400 CSPs that were made available to MDM providers.
These CSPs are built in to Windows 10, version 21H2. These settings are available in Microsoft Intune in the [Settings Catalog](/mem/intune/configuration/settings-catalog). [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) also includes these GPOs in its analysis.
For more information on the CSPs, see the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference).
## Apps appear local with Azure Virtual Desktop
Azure virtual desktop is a Windows client OS hosted in the cloud, and runs virtual apps. You use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally.
You can create Azure virtual desktops that run Windows 10 version 21H2.
For more information, see:
- [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview)
- [What's new in Azure Virtual Desktop?](/azure/virtual-desktop/whats-new)
- [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal)
## Wi-Fi WPA3-Personal H2E support
Wi-Fi WPA3-Personal H2E (Hash-to-Element) support is built in to Windows 10, version 21H2.
## Related articles
- [Release notes for Microsoft Edge Stable Channel](/deployedge/microsoft-edge-relnote-stable-channel)