diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 40fdda11b1..d8661c166c 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -57,6 +57,7 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business 2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates). > [!NOTE] + > You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-wufb-intune) @@ -104,6 +105,14 @@ You can connect Surface Hub to your Windows Server Update Services (WSUS) server To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy. +**If you use a proxy server or other method to block URLs** + +If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: +- `http(s)://*.update.microsoft.com` +- `http://download.windowsupdate.com` +- `http://windowsupdate.microsoft.com` + +Once the Windows 10 Team Anniversary Update is installed, you can remove these addresses to return your Surface Hub to its previous state. ## Maintenance window diff --git a/devices/surface/images/sda-fig5-erase.png b/devices/surface/images/sda-fig5-erase.png index cf8abe7dce..8ac3e174a7 100644 Binary files a/devices/surface/images/sda-fig5-erase.png and b/devices/surface/images/sda-fig5-erase.png differ diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index ad68711a00..4a39f0775e 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -16,7 +16,7 @@ author: miladCA Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. -[Microsoft Surface Data Eraser](https://www.microsoft.com/download/details.aspx?id=46703) is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB tool is easy to create by using the provided wizard, the Microsoft Surface Data Eraser Wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see [Protecting your data if you send your Surface in for service](https://www.microsoft.com/surface/support/security-sign-in-and-accounts/data-wiping-policy). +[Microsoft Surface Data Eraser](https://www.microsoft.com/download/details.aspx?id=46703) is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB stick is easy to create by using the provided wizard, the Microsoft Surface Data Eraser wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see [Protecting your data if you send your Surface in for service](https://www.microsoft.com/surface/support/security-sign-in-and-accounts/data-wiping-policy). Compatible Surface devices include: @@ -100,43 +100,41 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo 1. Insert the bootable Microsoft Surface Data Eraser USB stick into the supported Surface device. -2. Ensure your system firmware is set to boot to USB. To enter the firmware settings: +2. Boot your Surface device from the Microsoft Surface Data Eraser USB stick. To boot your device from the USB stick follow these steps: - 1. Turn off your Surface device. + a. Turn off your Surface device. - 2. Press and hold the **Volume Up** button. + b. Press and hold the **Volume Down** button. - 3. Press and release the **Power** button. + c. Press and release the **Power** button. - 4. Release the **Volume Up** button. + d. Release the **Volume Down** button. + + >[!NOTE] + >If your device does not boot to USB using these steps, you may need to turn on the **Enable Alternate Boot Sequence** option in Surface UEFI. You can read more about Surface UEFI boot configuration in [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). -3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed. +3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed, as shown in Figure 4. ![Booting the Microsoft Surface Data Eraser USB stick](images/data-eraser-3.png "Booting the Microsoft Surface Data Eraser USB stick") *Figure 4. Booting the Microsoft Surface Data Eraser USB stick* -4. Read the software license terms, and then close the notepad file. +4. Read the software license terms, and then close the Notepad file. -5. Accept or Decline the Software License Terms by typing **Accept** or **Decline**. +5. Accept or decline the software license terms by typing **Accept** or **Decline**. You must accept the license terms to continue. -6. Select one of the following three options: +6. The Microsoft Surface Data Eraser script detects the storage devices that are present in your Surface device and displays the details of the native storage device. To continue, press **Y** (this action runs Microsoft Surface Data Eraser and removes all data from the storage device) or press **N** (this action shuts down the device without removing data). - - **Enter S to start Data Erase** – Select this option to begin the data erase process. You will have a chance to confirm in the next step. + >[!NOTE] + >The Microsoft Surface Data Eraser tool will delete all data, including Windows operating system files required to boot the device, in a secure and unrecoverable way. To boot a Surface device that has been wiped with Microsoft Surface Data Eraser, you will first need to reinstall the Windows operating system. To remove data from a Surface device without removing the Windows operating system, you can use the **Reset your PC** function. However, this does not prevent your data from being recovered with forensic or data recovery capabilities. See [Recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options) for more information. - - **Enter D to perform Diskpart** – Select this option to use diskpart.exe to manage partitions on your disk. + ![Partition to be erased is displayed](images/sda-fig5-erase.png "Partition to be erased is displayed") + + *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser* - - **Enter X to shut device down** – Select this option to perform no action and shut down the device. +7. If you pressed **Y** in step 6, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice. -7. If you typed **S** to begin the data erase process, the partition that will be erased is displayed, as shown in Figure 5. If this is correct, press **Y** to continue, or **N** to shut down the device. - - ![Partition to be erased is displayed](images/sda-fig5-erase.png "Partition to be erased is displayed") - - *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser* - -8. If you pressed **Y** in step 7, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice. - -9. Click the **Yes** button to continue erasing data on the Surface device. +8. Click the **Yes** button to continue erasing data on the Surface device.   diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index f44e7cf414..5e81cad6ce 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -413,3 +413,12 @@ When you deploy SEMM using this script application and with a configuration that Alternatively, you can configure the application installation to reboot automatically and to install invisibly to the user – in this scenario, a technician will be required to enter the thumbprint on each device as it reboots. Any technician with access to the certificate file can read the thumbprint by viewing the certificate with CertMgr. Instructions for viewing the thumbprint with CertMgr are in the [Create or modify the SEMM Configuration Manager scripts](#create-or-modify-the-semm-configuration-manager-scripts) section of this article. Removal of SEMM from a device deployed with Configuration Manager using these scripts is as easy as uninstalling the application with Configuration Manager. This action starts the ResetSEMM.ps1 script and properly unenrolls the device with the same certificate file that was used during the deployment of SEMM. + +>[!NOTE] +>Microsoft Surface recommends that you create reset packages only when you need to unenroll a device. These reset packages are typically valid for only one device, identified by its serial number. You can, however, create a universal reset package that would work for any device enrolled in SEMM with this certificate. + +>We strongly recommend that you protect your universal reset package as carefully as the certificate you used to enroll devices in SEMM. Please remember that – just like the certificate itself – this universal reset package can be used to unenroll any of your organization’s Surface devices from SEMM. + +>When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by using an existing configuration package – the device will prompt for the certificate thumbprint before ownership is taken. + +>For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken. \ No newline at end of file diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md index 38cf7a85aa..7f215f9a1a 100644 --- a/mdop/mbam-v25/mbam-25-supported-configurations.md +++ b/mdop/mbam-v25/mbam-25-supported-configurations.md @@ -338,6 +338,12 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll + +

Microsoft SQL Server 2014

+

Standard, Enterprise, or Datacenter

+

SP2

+

64-bit

+

Microsoft SQL Server 2014

Standard, Enterprise, or Datacenter

diff --git a/windows/deploy/provisioning-apply-package.md b/windows/deploy/provisioning-apply-package.md index 417c9e9e75..1125dd6985 100644 --- a/windows/deploy/provisioning-apply-package.md +++ b/windows/deploy/provisioning-apply-package.md @@ -94,7 +94,7 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Access work o ![Is this package from a source you trust](images/package-trust.png) -# + ## Learn more diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index 1455ee624e..cd76825250 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md @@ -127,7 +127,7 @@ The Upgrade Analytics deployment script does the following: 3. Checks whether the computer has a pending restart.   -4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended). +4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14913 or later is required). 5. If enabled, turns on verbose mode for troubleshooting. diff --git a/windows/deploy/usmt-overview.md b/windows/deploy/usmt-overview.md index 9f6a18384a..9dca476f1c 100644 --- a/windows/deploy/usmt-overview.md +++ b/windows/deploy/usmt-overview.md @@ -35,7 +35,7 @@ USMT provides the following benefits to businesses that are deploying Windows op - Increases employee satisfaction with the migration experience. ## Limitations -USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [Windows Easy Transfer](https://go.microsoft.com/fwlink/p/?LinkId=140248). +USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](http://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink. There are some scenarios in which the use of USMT is not recommended. These include: diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index d687114889..3a3d3bcda1 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -1,14 +1,15 @@ # [Keep Windows 10 secure](index.md) ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) -### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) -### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) -### [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -### [Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) -### [Windows Hello and password changes](microsoft-passport-and-password-changes.md) -### [Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) -### [Event ID 300 - Windows Hello successfully created](passport-event-300.md) -### [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +## [Windows Hello for Business](hello-identity-verification.md) +### [How Windows Hello for Business works](hello-how-it-works.md) +### [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +### [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +### [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +### [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +### [Windows Hello and password changes](hello-and-password-changes.md) +### [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +### [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +### [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) ## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) ## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) ## [Device Guard deployment guide](device-guard-deployment-guide.md) @@ -873,7 +874,6 @@ ###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) -### [Microsoft Passport guide](microsoft-passport-guide.md) ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) ### [Windows 10 security overview](windows-10-security-guide.md) ### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md) diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md index bf932d459d..1f83aad42f 100644 --- a/windows/keep-secure/app-behavior-with-wip.md +++ b/windows/keep-secure/app-behavior-with-wip.md @@ -38,8 +38,8 @@ This table includes info about how unenlightened apps might behave, based on you   - Name-based policies, without the /*AppCompat*/ string - Name-based policies, using the /*AppCompat*/ string or proxy-based policies + Name-based policies, without the /*AppCompat*/ string + Name-based policies, using the /*AppCompat*/ string or proxy-based policies Not required. App connects to enterprise cloud resources directly, using an IP address. @@ -96,7 +96,7 @@ This table includes info about how enlightened apps might behave, based on your - + diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 2ffb869b8f..e3d23d3102 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md @@ -42,7 +42,7 @@ BitLocker control panel, and they are appropriate to use for automated deploymen ## New and changed functionality -To find out what's new in BitLocker for Windows 10, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511." +To find out what's new in BitLocker for Windows 10, such as support for the XTS-AES encryption algorithm, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511."   ## System requirements diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index e5a7805ddf..2e7879cd8b 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -12,6 +12,7 @@ author: brianlic-msft # Change history for Keep Windows 10 secure This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). + ## January 2017 |New or changed topic |Description | |---------------------|------------| @@ -19,6 +20,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Updated to include info about USB drives and Azure RMS (Windows Insider Program only) and to add more info about Work Folders and Offline files. | |[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New | |[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New | +| Microsoft Passport guide | Content merged into [Windows Hello for Business](hello-identity-verification.md) topics | ## December 2016 |New or changed topic |Description | @@ -26,6 +28,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |[Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) |Added filter examples for Windows 10 and Windows Server 2016. | + ## November 2016 | New or changed topic | Description | | --- | --- | @@ -33,6 +36,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |[Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) |Changed WIPModeID to EDPModeID, to match the CSP. | + ## October 2016 | New or changed topic | Description | @@ -44,6 +48,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |[VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic | |[Windows security baselines](windows-security-baselines.md) | Added Windows 10, version 1607 and Windows Server 2016 baseline | + ## September 2016 | New or changed topic | Description | diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/keep-secure/change-the-tpm-owner-password.md index a8b0e386d3..16b63a490e 100644 --- a/windows/keep-secure/change-the-tpm-owner-password.md +++ b/windows/keep-secure/change-the-tpm-owner-password.md @@ -44,10 +44,7 @@ To change to a new TPM owner password, in TPM.msc, click **Change Owner Password ## Use the TPM cmdlets -If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: -**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** - -For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). ## Related topics diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 38a3f1edc2..dd145bf769 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -22,7 +22,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. +The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service. diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index c038a4d588..9d3a33d12c 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -9,40 +9,78 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft --- + # Protect derived domain credentials with Credential Guard **Applies to** - Windows 10 - Windows Server 2016 -Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. +Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. -Credential Guard offers the following features and solutions: +By enabling Credential Guard, the following features and solutions are provided: -- **Hardware security** Credential Guard increases the security of derived domain credentials by taking advantage of platform security features including, Secure Boot and virtualization. -- **Virtualization-based security** Windows services that manage derived domain credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** Securing derived domain credentials using the virtualization-based security blocks the credential theft attack techniques and tools used in many targeted attacks. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. -- **Manageability** You can manage Credential Guard by using Group Policy, WMI, from a command prompt, and Windows PowerShell. +- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. +- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. ## How it works -Credential Guard isolates secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. +Kerberos, NTLM, and Credential manager isolate secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -Credential Guard prevents NTLMv1, MS-CHAPv2, Digest, and CredSSP from using sign-on credentials. Thus, single sign-on does not work with these protocols. However, Credential guard allows these protocols to be used with prompted credentials or those saved in Credential Manager. It is strongly recommended that valuable credentials, such as the sign-on credentials, not be used with any of these protocols. If these protocols must be used by domain users, secondary credentials should be provisioned for these use cases. +When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. -Credential Guard does not allow unconstrained Kerberos delegation or Kerberos DES encryption at all. Neither sign-on nor prompted/saved credentials may be used. +When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. Here's a high-level overview on how the LSA is isolated by using virtualization-based security: ![Credential Guard overview](images/credguard.png) -## Hardware and software requirements +## Requirements + +For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations). + +### Hardware and software requirements To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. -You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. +To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses: +- Support for Virtualization-based security (required) +- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware) +- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) + +The Virtualization-based security requires: +- 64 bit CPU +- CPU virtualization extensions plus extended page tables +- Windows hypervisor + +### Application requirements + +When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. + +>[!WARNING] +> Enabling Credential Guard on domain controllers is not supported.
+> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. + +>[!NOTE] +> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). + +Applications will break if they require: +- Kerberos DES encryption support +- Kerberos unconstrained delegation +- Extracting the Kerberos TGT +- NTLMv1 + +Applications will prompt & expose credentials to risk if they require: +- Digest authentication +- Credential delegation +- MS-CHAPv2 + +Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. + +### Security considerations The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. @@ -51,10 +89,9 @@ The following tables provide more information about the hardware, firmware, and > If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
> Starting in Widows 10, 1607, TPM 2.0 is required. +#### Baseline protection recommendations -## Credential Guard requirements for baseline protections - -|Baseline Protections - requirement | Description | +|Baseline Protections | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
- VT-x (Intel) or
- AMD-V
And:
- Extended page tables, also called Second Level Address Translation (SLAT).

**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | @@ -64,15 +101,11 @@ The following tables provide more information about the hardware, firmware, and | Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | > [!IMPORTANT] -> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide. +> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide. -## Credential Guard requirements for improved security +#### 2015 Additional Security Recommendations (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) -The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met. - -### 2015 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) - -| Protections for Improved Security - requirement | Description | +| Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU

**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | | Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | @@ -80,12 +113,12 @@ The following tables describes additional hardware and firmware requirements, an
-### 2016 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1607, and Windows Server 2016) +#### 2016 Additional Security Recommendations (starting with Windows 10, version 1607, and Windows Server 2016) > [!IMPORTANT] > The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. -| Protections for Improved Security - requirement | Description | +| Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| | Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | @@ -93,9 +126,9 @@ The following tables describes additional hardware and firmware requirements, an
-### 2017 Additional Qualification Requirements for Credential Guard (starting with the next major release of Windows 10) +#### 2017 Additional Security Recommendations (starting with the next major release of Windows 10) -| Protection for Improved Security - requirement | Description | +| Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| | Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. | diff --git a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md index ba8e5d4999..898731c8d2 100644 --- a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md +++ b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md @@ -124,8 +124,6 @@ To sign the existing catalog file, copy each of the following commands into an e After the catalog file is signed, add the signing certificate to a code integrity policy, as described in the following steps. - - 1. If you have not already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect. 2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a code integrity policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**: @@ -134,7 +132,7 @@ After the catalog file is signed, add the signing certificate to a code integrit > **Note**  Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity. -3. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the code integrity policy, filling in the correct path and filenames for ** and **: +3. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the code integrity policy, filling in the correct path and filenames for `` and ``: ` Add-SignerRule -FilePath -CertificatePath -User ` diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md index e3c6cbddf6..b3077d445a 100644 --- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md +++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: high +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-enable-phone-signin --- # Enable phone sign-in to PC or VPN @@ -17,74 +17,3 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -In Windows 10, version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app. - -![Sign in to a device](images/phone-signin-menu.png) - -> [!NOTE] -> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. - -You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone. - - ## Prerequisites - - - Both phone and PC must be running Windows 10, version 1607. - - The PC must be running Windows 10 Pro, Enterprise, or Education - - Both phone and PC must have Bluetooth. - - The **Microsoft Authenticator** app must be installed on the phone. - - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. - - The phone must be joined to Azure AD or have a work account added. - - The VPN configuration profile must use certificate-based authentication. - -## Set policies - -To enable phone sign-in, you must enable the following policies using Group Policy or MDM. - -- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** - - Enable **Use Windows Hello for Business** - - Enable **Phone Sign-in** -- MDM: - - Set **UsePassportForWork** to **True** - - Set **Remote\UseRemotePassport** to **True** - -## Configure VPN - -To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows: - -- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate. -- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate. - -## Get the app - -If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md). - -[Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote) - - -## Related topics - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) - - -  - -  - - - - - diff --git a/windows/keep-secure/hello-and-password-changes.md b/windows/keep-secure/hello-and-password-changes.md new file mode 100644 index 0000000000..b9937eeaa8 --- /dev/null +++ b/windows/keep-secure/hello-and-password-changes.md @@ -0,0 +1,49 @@ +--- +title: Windows Hello and password changes (Windows 10) +description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. +ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- +# Windows Hello and password changes + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. + +## Example + +Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account. +Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part. + +Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated. + +>[!NOTE] +>This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md). +  +## How to update Hello after you change your password on another device + +1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.** +2. Click **OK.** +3. Click **Sign-in options**. +4. Click the **Password** button. +5. Sign in with new password. +6. The next time that you sign in, you can select **Sign-in options** and then select **PIN** to resume using your PIN. + +## Related topics + +- [Windows Hello for Business](hello-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/hello-biometrics-in-enterprise.md b/windows/keep-secure/hello-biometrics-in-enterprise.md new file mode 100644 index 0000000000..162ff7d762 --- /dev/null +++ b/windows/keep-secure/hello-biometrics-in-enterprise.md @@ -0,0 +1,97 @@ +--- +title: Windows Hello biometrics in the enterprise (Windows 10) +description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. +ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc +keywords: Windows Hello, enterprise biometrics +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- + +# Windows Hello biometrics in the enterprise +**Applies to:** + +- Windows 10 + +Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. + +>[!NOTE] +>When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. + +##How does Windows Hello work? +Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. + +The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. + +## Why should I let my employees use Windows Hello? +Windows Hello provides many benefits, including: + +- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge. + +- Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords! + +- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic. + +## Where is Microsoft Hello data stored? +The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor. + +## Has Microsoft set any device requirements for Windows Hello? +We’ve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: + +- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm. + +- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. + +### Fingerprint sensor requirements +To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee’s unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required) and a way to configure them (optional). + +**Acceptable performance range for small to large size touch sensors** + +- False Accept Rate (FAR): <0.001 – 0.002% + +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% + +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% + +**Acceptable performance range for swipe sensors** + +- False Accept Rate (FAR): <0.002% + +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% + +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% + +### Facial recognition sensors +To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee’s facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). + +- False Accept Rate (FAR): <0.001 + +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% + +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% + +## Related topics +- [Windows Hello for Business](hello-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [PassportforWork CSP](https://go.microsoft.com/fwlink/p/?LinkId=708219) + +  + +  + + + + + diff --git a/windows/keep-secure/hello-enable-phone-signin.md b/windows/keep-secure/hello-enable-phone-signin.md new file mode 100644 index 0000000000..c77dfeeaf1 --- /dev/null +++ b/windows/keep-secure/hello-enable-phone-signin.md @@ -0,0 +1,84 @@ +--- +title: Enable phone sign-in to PC or VPN (Windows 10) +description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone. +keywords: ["identity", "PIN", "biometric", "Hello"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Enable phone sign-in to PC or VPN + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +In Windows 10, version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app. + +![Sign in to a device](images/phone-signin-menu.png) + +> [!NOTE] +> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. + +You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone. + + ## Prerequisites + + - Both phone and PC must be running Windows 10, version 1607. + - The PC must be running Windows 10 Pro, Enterprise, or Education + - Both phone and PC must have Bluetooth. + - The **Microsoft Authenticator** app must be installed on the phone. + - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. + - The phone must be joined to Azure AD or have a work account added. + - The VPN configuration profile must use certificate-based authentication. + +## Set policies + +To enable phone sign-in, you must enable the following policies using Group Policy or MDM. + +- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** + - Enable **Use Windows Hello for Business** + - Enable **Phone Sign-in** +- MDM: + - Set **UsePassportForWork** to **True** + - Set **Remote\UseRemotePassport** to **True** + +## Configure VPN + +To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows: + +- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate. +- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate. + +## Get the app + +If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md). + +[Tell people how to sign in using their phone.](hello-prepare-people-to-use.md#bmk-remote) + + +## Related topics + +- [Windows Hello for Business](hello-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) + + +  + +  + + + + + diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md new file mode 100644 index 0000000000..a362e1f253 --- /dev/null +++ b/windows/keep-secure/hello-errors-during-pin-creation.md @@ -0,0 +1,233 @@ +--- +title: Windows Hello errors during PIN creation (Windows 10) +description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step. +ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 +keywords: PIN, error, create a work PIN +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- + +# Windows Hello errors during PIN creation + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. + +## Where is the error code? + +The following image shows an example of an error during **Create a PIN**. + +![](images/pinerror.png) + +## Error mitigations + +When a user encounters an error when creating the work PIN, advise the user to try the following steps. Many errors can be mitigated by one of these steps. +1. Try to create the PIN again. Some errors are transient and resolve themselves. +2. Sign out, sign in, and try to create the PIN again. +3. Reboot the device and then try to create the PIN again. +4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to **Settings** > **System** > **About** and select **Disconnect from organization**. To unjoin a device running Windows 10 Mobile, you must [reset the device](https://go.microsoft.com/fwlink/p/?LinkId=715697). +5. On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](https://go.microsoft.com/fwlink/p/?LinkId=715697). +If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance. + +
App rule settingNetworking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policiesNetworking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies
Not required. App connects to enterprise cloud resources, using an IP address or a hostname.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
HexCauseMitigation
0x801C044DAuthorization token does not contain device IDUnjoin the device from Azure AD and rejoin
0x80090036User cancelled an interactive dialogUser will be asked to try again
0x80090011The container or key was not foundUnjoin the device from Azure AD and rejoin
0x8009000FThe container or key already existsUnjoin the device from Azure AD and rejoin
0x8009002ANTE_NO_MEMORYClose programs which are taking up memory and try again.
0x80090005NTE_BAD_DATAUnjoin the device from Azure AD and rejoin
0x80090029TPM is not set up.Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**.
0x80090031NTE_AUTHENTICATION_IGNOREDReboot the device. If the error occurs again after rebooting, [reset the TPM]( https://go.microsoft.com/fwlink/p/?LinkId=619969) or run [Clear-TPM](https://go.microsoft.com/fwlink/p/?LinkId=629650)
0x80090035Policy requires TPM and the device does not have TPM.Change the Passport policy to not require a TPM.
0x801C0003User is not authorized to enrollCheck if the user has permission to perform the operation​.
0x801C000ERegistration quota reached

Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](https://go.microsoft.com/fwlink/p/?LinkId=626933).

0x801C000FOperation successful but the device requires a rebootReboot the device.
0x801C0010The AIK certificate is not valid or trustedSign out and then sign in again.
0x801C0011The attestation statement of the transport key is invalidSign out and then sign in again.
0x801C0012Discovery request is not in a valid formatSign out and then sign in again.
0x801C0015The device is required to be joined to an Active Directory domain​Join the device to an Active Directory domain.
0x801C0016The federation provider configuration is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the file is not empty.
0x801C0017​The federation provider domain is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the FPDOMAINNAME element is not empty.
0x801C0018The federation provider client configuration URL is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the CLIENTCONFIG element contains a valid URL.
0x801C03E9Server response message is invalidSign out and then sign in again.
0x801C03EAServer failed to authorize user or device.Check if the token is valid and user has permission to register Passport keys.
0x801C03EBServer response http status is not validSign out and then sign in again.
0x801C03ECUnhandled exception from server.sign out and then sign in again.
0x801C03ED

Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed

+

-or-

+

Token was not found in the Authorization header

+

-or-

+

Failed to read one or more objects

+

-or-

The request sent to the server was invalid.

Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
0x801C03EEAttestation failedSign out and then sign in again.
0x801C03EFThe AIK certificate is no longer validSign out and then sign in again.
​0x801C044DUnable to obtain user tokenSign out and then sign in again. Check network and credentials.
0x801C044EFailed to receive user creds inputSign out and then sign in again.
+  +## Errors with unknown mitigation +For errors listed in this table, contact Microsoft Support for assistance. + +| Hex | Cause | +|-------------|---------| +| 0x80072f0c | Unknown | +| 0x80070057 | Invalid parameter or argument is passed | +| 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. | +| 0x8009002D | NTE\_INTERNAL\_ERROR | +| 0x80090020 | NTE\_FAIL | +| 0x801C0001 | ​ADRS server response is not in valid format | +| 0x801C0002 | Server failed to authenticate the user | +| 0x801C0006 | Unhandled exception from server | +| 0x801C000C | Discovery failed | +| 0x801C001B | ​The device certificate is not found | +| 0x801C000B | Redirection is needed and redirected location is not a well known server | +| 0x801C0019 | ​The federation provider client configuration is empty | +| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty | +| 0x801C0013 | Tenant ID is not found in the token | +| 0x801C0014 | User SID is not found in the token | +| 0x801C03F1 | There is no UPN in the token | +| 0x801C03F0 | ​There is no key registered for the user | +| 0x801C03F1 | ​There is no UPN in the token | +| ​0x801C044C | There is no core window for the current thread | +  + +## Related topics + +- [Windows Hello for Business](hello-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/hello-event-300.md b/windows/keep-secure/hello-event-300.md new file mode 100644 index 0000000000..ea19c3f794 --- /dev/null +++ b/windows/keep-secure/hello-event-300.md @@ -0,0 +1,45 @@ +--- +title: Event ID 300 - Windows Hello successfully created (Windows 10) +description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). +ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 +keywords: ngc +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- + +# Event ID 300 - Windows Hello successfully created + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. + +## Event details + +| **Product:** | Windows 10 operating system | +| --- | --- | +| **ID:** | 300 | +| **Source:** | Microsoft Azure Device Registration Service | +| **Version:** | 10 | +| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da.
Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} | +  +## Resolve + +This is a normal condition. No further action is required. + +## Related topics + +- [Windows Hello for Business](hello-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md new file mode 100644 index 0000000000..089387f204 --- /dev/null +++ b/windows/keep-secure/hello-how-it-works.md @@ -0,0 +1,121 @@ +--- +title: How Windows Hello for Business works (Windows 10) +description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- +# How Windows Hello for Business works + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +TWindows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. + +## Register a new user or device + +A goal of device registration is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Windows Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration. + +> [!NOTE] +>This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure Active Directory (Azure AD); that configuration information is in [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md). Organizational configuration must be completed before users can begin to register. + + The registration process works like this: + +1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. +2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. +3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately + +The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are: + +- A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. +- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. +- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. + +When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. + +At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely sign in to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures. + +## What’s a container? + +You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. + +The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. + +It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders. + +The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. + +![Each logical container holds one or more sets of keys](images/passport-fig3-logicalcontainer.png) + +Containers can contain several types of key material: + +- An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. +- Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. +- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: + - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](https://technet.microsoft.com/library/hh831498.aspx). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. + - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI. + +## How keys are protected + +Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. + +Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. + + +## Authentication + +When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. + +These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Windows Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. + +For example, the authentication process for Azure Active Directory works like this: + +1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.) +2. The IDP returns a challenge, known as a nonce. +3. The device signs the nonce with the appropriate private key. +4. The device returns the original nonce, the signed nonce, and the ID of the key used to sign the nonce. +5. The IDP fetches the public key that the key ID specified, uses it to verify the signature on the nonce, and verifies that the nonce the device returned matches the original. +6. If all the checks in step 5 succeed, the IDP returns two data items: a symmetric key, which is encrypted with the device’s public key, and a security token, which is encrypted with the symmetric key. +7. The device uses its private key to decrypt the symmetric key, and then uses that symmetric key to decrypt the token. +8. The device makes a normal authentication request for the original resource, presenting the token from the IDP as its proof of authentication. + +When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices. + + +## The infrastructure + +Windows Hello depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities: + +- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello. +- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required. +- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. + + + + + + + + + + + + + + + +## Related topics + +- [Windows Hello for Business](hello-identity-verification.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md new file mode 100644 index 0000000000..a1e391508f --- /dev/null +++ b/windows/keep-secure/hello-identity-verification.md @@ -0,0 +1,131 @@ +--- +title: Windows Hello for Business (Windows 10) +description: IWindows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. +ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: jdeckerMS +localizationpriority: high +--- +# Windows Hello for Business + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. + +>[!NOTE] +> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Windows Hello addresses the following problems with passwords: +- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. +- Server breaches can expose symmetric network credentials (passwords). +- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). +- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674). + +Windows Hello lets users authenticate to: +- a Microsoft account. +- an Active Directory account. +- a Microsoft Azure Active Directory (Azure AD) account. +- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication (in progress) + +After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users. + +As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization. + +## Biometric sign-in + + Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. + +- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. +- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. + +Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. + + +## The difference between Windows Hello and Windows Hello for Business + +- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, however it is not backed by asymmetric (public/private key) or certificate-based authentication. + +- Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication. + +- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release. + +## Benefits of Windows Hello + +Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. + +You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. + +In Windows 10, Windows Hello replaces passwords. When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. + +>[!NOTE] +>Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. + +![How authentication works in Windows Hello](images/authflow.png) + +Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. + +Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. + +For customers using a hybrid Active Directory and Azure Active Directorye environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](hello-prepare-people-to-use.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. + +> [!NOTE] +>  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. + +  +## How Windows Hello for Business works: key points + +- Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. +- Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step. +- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. +- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Windows Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device. +- Private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. +- PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. +- Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture. + +For details, see [How Windows Hello for Business works](hello-how-it-works.md). + +## Comparing key-based and certificate-based authentication + +Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust. + + + +## Learn more + +[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/830/Implementing-Windows-Hello-for-Business-at-Microsoft) + +[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy + +[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533) + +[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024) + +[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995) + +[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890) + +[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891) + +[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778) + +[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928) + +## Related topics + +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) +  diff --git a/windows/keep-secure/hello-manage-in-organization.md b/windows/keep-secure/hello-manage-in-organization.md new file mode 100644 index 0000000000..f2a43b7df1 --- /dev/null +++ b/windows/keep-secure/hello-manage-in-organization.md @@ -0,0 +1,390 @@ +--- +title: Manage Windows Hello in your organization (Windows 10) +description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. +ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 +keywords: identity, PIN, biometric, Hello +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- + +# Manage Windows Hello for Business in your organization + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. + +>[!IMPORTANT] +>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. +> +>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. +> +>Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business. +  +## Group Policy settings for Windows Hello for Business + +The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyOptions
Use Windows Hello for Business +

Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.

+

Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.

+

Disabled: Device does not provision Windows Hello for Business for any user.

+
Use a hardware security device +

Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+

Enabled: Windows Hello for Business will only be provisioned using TPM.

+

Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+
Use biometrics +

Not configured: Biometrics can be used as a gesture in place of a PIN.

+

Enabled: Biometrics can be used as a gesture in place of a PIN.

+

Disabled: Only a PIN can be used as a gesture.

+
PIN ComplexityRequire digits +

Not configured: Users must include a digit in their PIN.

+

Enabled: Users must include a digit in their PIN.

+

Disabled: Users cannot use digits in their PIN.

+
Require lowercase letters +

Not configured: Users cannot use lowercase letters in their PIN.

+

Enabled: Users must include at least one lowercase letter in their PIN.

+

Disabled: Users cannot use lowercase letters in their PIN.

+
Maximum PIN length +

Not configured: PIN length must be less than or equal to 127.

+

Enabled: PIN length must be less than or equal to the number you specify.

+

Disabled: PIN length must be less than or equal to 127.

+
Minimum PIN length +

Not configured: PIN length must be greater than or equal to 4.

+

Enabled: PIN length must be greater than or equal to the number you specify.

+

Disabled: PIN length must be greater than or equal to 4.

+
Expiration +

Not configured: PIN does not expire.

+

Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.

+

Disabled: PIN does not expire.

+
History +

Not configured: Previous PINs are not stored.

+

Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused.

+

Disabled: Previous PINs are not stored.

+
Note  Current PIN is included in PIN history.
+
 
+
Require special characters +

Not configured: Users cannot include a special character in their PIN.

+

Enabled: Users must include at least one special character in their PIN.

+

Disabled: Users cannot include a special character in their PIN.

+
Require uppercase letters +

Not configured: Users cannot include an uppercase letter in their PIN.

+

Enabled: Users must include at least one uppercase letter in their PIN.

+

Disabled: Users cannot include an uppercase letter in their PIN.

+
Phone Sign-in +

Use Phone Sign-in

+
Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+
 
+		 +

Not configured: Phone sign-in is disabled.

+

Enabled: Users can use a portable, registered device as a companion device for desktop authentication.

+

Disabled: Phone sign-in is disabled.

+
+ +## MDM policy settings for Windows Hello for Business + +The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=692070). + +>[!IMPORTANT] +>Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyScopeDefaultOptions
UsePassportForWorkDeviceTrue +

True: Windows Hello for Business will be provisioned for all users on the device.

+

False: Users will not be able to provision Windows Hello for Business.

+
Note  If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.
+
 
+
RequireSecurityDeviceDeviceFalse +

True: Windows Hello for Business will only be provisioned using TPM.

+

False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+
Biometrics +

UseBiometrics

+		Device False +

True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.

+

False: Only a PIN can be used as a gesture for domain sign-in.

+
+

FacialFeaturesUser

+

EnhancedAntiSpoofing

+		DeviceNot configured +

Not configured: users can choose whether to turn on enhanced anti-spoofing.

+

True: Enhanced anti-spoofing is required on devices which support it.

+

False: Users cannot turn on enhanced anti-spoofing.

+
PINComplexity
Digits Device or user2 +

1: Numbers are not allowed.

+

2: At least one number is required.

+
Lowercase letters Device or user1 +

1: Lowercase letters are not allowed.

+

2: At least one lowercase letter is required.

+
Maximum PIN length Device or user127 +

Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.

+
Minimum PIN lengthDevice or user4 +

Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.

+
Expiration Device or user0 +

Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. +

+
HistoryDevice or user0 +

Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. +

+
Special charactersDevice or user1 +

1: Special characters are not allowed.

+

2: At least one special character is required.

+
Uppercase lettersDevice or user1 +

1: Uppercase letters are not allowed

+

2: At least one uppercase letter is required

+
Remote +

UseRemotePassport

+
Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+
 
+		Device or userFalse +

True: Phone sign-in is enabled.

+

False: Phone sign-in is disabled.

+
+ +>[!NOTE]   +> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN. +  +## Prerequisites + +To deploy Windows Hello for Business, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Windows Hello for Business build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Azure Active Directory to deploy Windows Hello for Business in your network. + +You’ll need this software to set Windows Hello for Business policies in your enterprise. + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
Windows Hello for Business modeAzure ADActive Directory (AD) on-premises (available with production release of Windows Server 2016)Azure AD/AD hybrid (available with production release of Windows Server 2016)
Key-based authenticationAzure AD subscription
    +
  • Active Directory Federation Service (AD FS) (Windows Server 2016)
    • +
  • A few Windows Server 2016 domain controllers on-site
    • +
  • Microsoft System Center 2012 R2 Configuration Manager SP2
    • +
    +
  • Azure AD subscription
    • +
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
    • +
  • A few Windows Server 2016 domain controllers on-site
    • +
  • A management solution, such as Configuration Manager, Group Policy, or MDM
    • +
  • Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)
    • +
Certificate-based authentication
    +
  • Azure AD subscription
    • +
  • Intune or non-Microsoft mobile device management (MDM) solution
    • +
  • PKI infrastructure
    • +
    +
  • ADFS (Windows Server 2016)
    • +
  • Active Directory Domain Services (AD DS) Windows Server 2016 schema
    • +
  • PKI infrastructure
    • +
  • Configuration Manager SP2, Intune, or non-Microsoft MDM solution
    • +
    +
  • Azure AD subscription
    • +
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
    • +
  • AD CS with NDES
    • +
  • Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
    • +
+  +Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business. + +Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. + + + + +## How to use Windows Hello for Business with Azure Active Directory + +There are three scenarios for using Windows Hello for Business in Azure AD–only organizations: + +- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone. +- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered. +- **Organizations that have subscribed to Azure AD Premium** have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device. + +If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager Technical Preview, Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates. + + + +## Related topics + +- [Windows Hello for Business](hello-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/hello-prepare-people-to-use.md b/windows/keep-secure/hello-prepare-people-to-use.md new file mode 100644 index 0000000000..e1c079e7ab --- /dev/null +++ b/windows/keep-secure/hello-prepare-people-to-use.md @@ -0,0 +1,109 @@ +--- +title: Prepare people to use Windows Hello (Windows 10) +description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. +ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B +keywords: identity, PIN, biometric, Hello +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- + +# Prepare people to use Windows Hello + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello. + +After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device. + +Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello. + +People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello. + +## On devices owned by the organization + +When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**. + +![who owns this pc](images/corpown.png) + +Next, they select a way to connect. Tell the people in your enterprise which option they should pick here. + +![choose how you'll connect](images/connect.png) + +They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length. + +After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on. + +## On personal devices + +People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials. + +People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device. + +## Using Windows Hello and biometrics + +If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it. + +![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) + +## Use a phone to sign in to a PC or VPN + +If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials. + +> [!NOTE] +> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. + +  +**Prerequisites:** + +- Both phone and PC must be running Windows 10, version 1607. +- The PC must be running Windows 10 Pro, Enterprise, or Education +- Both phone and PC must have Bluetooth. +- The **Microsoft Authenticator** app must be installed on the phone. +- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. +- The phone must be joined to Azure AD or have a work account added. +- The VPN configuration profile must use certificate-based authentication. + +**Pair the PC and phone** + +1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing. + + ![bluetooth pairing](images/btpair.png) + +2. On the phone, go to **Settings** > **Devices** > **Bluetooth**, and verify that the passcode for **Pairing accessory** on the phone matches the passcode displayed on the PC, and then tap **ok**. + + ![bluetooth pairing passcode](images/bt-passcode.png) + +3. On the PC, tap **Yes**. + +**Sign in to PC using the phone** + + +1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to. + > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account. + + ![select a device](images/phone-signin-device-select.png) +   +2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account. + +**Connect to VPN** + +You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect. + +## Related topics + +- [Windows Hello for Business](hello-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) + diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md new file mode 100644 index 0000000000..a7606f0264 --- /dev/null +++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md @@ -0,0 +1,83 @@ +--- +title: Why a PIN is better than a password (Windows 10) +description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . +ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 +keywords: pin, security, password, hello +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- + +# Why a PIN is better than a password + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? +On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works. + + +## PIN is tied to the device +One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! + +Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device. + +## PIN is local to the device + +A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. +When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. + +>[!NOTE] +>For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928). +  +## PIN is backed by hardware + +The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM. + +User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. + +The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked. + +## PIN can be complex + +The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits. + +## What if someone steals the laptop or phone? + +To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. +You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins. + +**Configure BitLocker without TPM** +1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: + + **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** + +2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.** +3. Go to Control Panel > **System and Security** > **BitLocker Drive Encryption** and select the operating system drive to protect. +**Set account lockout threshold** +1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: + + **Computer Configuration** >**Windows Settings** ?**Security Settings** >**Account Policies** > **Account Lockout Policy** > **Account lockout threshold** + +2. Set the number of invalid logon attempts to allow, and then click OK. + +## Why do you need a PIN to use biometrics? +Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. + +If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello. + +## Related topics + +- [Windows Hello for Business](hello-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 31ea44aebd..20c4be5a7e 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-manage-in-organization --- # Implement Windows Hello for Business in your organization @@ -17,363 +17,3 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. - ->[!IMPORTANT] ->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. Use the **Turn on PIN sign-in** setting to allow or deny the use of a convenience PIN for Windows 10, version 1607. -> ->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. Learn more in the blog post [Changes to Convenience PIN/Windows Hello Behavior in Windows 10, version 1607](https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/). -> ->Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business. -  -## Group Policy settings for Windows Hello for Business - -The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. Be aware that not all settings are in both places. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyOptions
Use Windows Hello for Business -

Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.

-

Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.

-

Disabled: Device does not provision Windows Hello for Business for any user.

-
Use a hardware security device -

Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

-

Enabled: Windows Hello for Business will only be provisioned using TPM.

-

Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

-
Use biometrics -

Not configured: Biometrics can be used as a gesture in place of a PIN.

-

Enabled: Biometrics can be used as a gesture in place of a PIN.

-

Disabled: Only a PIN can be used as a gesture.

-
PIN ComplexityRequire digits -

Not configured: Users must include a digit in their PIN.

-

Enabled: Users must include a digit in their PIN.

-

Disabled: Users cannot use digits in their PIN.

-
Require lowercase letters -

Not configured: Users cannot use lowercase letters in their PIN.

-

Enabled: Users must include at least one lowercase letter in their PIN.

-

Disabled: Users cannot use lowercase letters in their PIN.

-
Maximum PIN length -

Not configured: PIN length must be less than or equal to 127.

-

Enabled: PIN length must be less than or equal to the number you specify.

-

Disabled: PIN length must be less than or equal to 127.

-
Minimum PIN length -

Not configured: PIN length must be greater than or equal to 4.

-

Enabled: PIN length must be greater than or equal to the number you specify.

-

Disabled: PIN length must be greater than or equal to 4.

-
Expiration -

Not configured: PIN does not expire.

-

Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.

-

Disabled: PIN does not expire.

-
History -

Not configured: Previous PINs are not stored.

-

Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused.

-

Disabled: Previous PINs are not stored.

-
Note  Current PIN is included in PIN history.
-
 
-
Require special characters -

Not configured: Users cannot include a special character in their PIN.

-

Enabled: Users must include at least one special character in their PIN.

-

Disabled: Users cannot include a special character in their PIN.

-
Require uppercase letters -

Not configured: Users cannot include an uppercase letter in their PIN.

-

Enabled: Users must include at least one uppercase letter in their PIN.

-

Disabled: Users cannot include an uppercase letter in their PIN.

-
Phone Sign-in -

Use Phone Sign-in

-
Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
-
 
-		 -

Not configured: Phone sign-in is disabled.

-

Enabled: Users can use a portable, registered device as a companion device for desktop authentication.

-

Disabled: Phone sign-in is disabled.

-
- -## MDM policy settings for Windows Hello for Business - -The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=692070). - ->[!IMPORTANT] ->Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyScopeDefaultOptions
UsePassportForWorkDeviceTrue -

True: Windows Hello for Business will be provisioned for all users on the device.

-

False: Users will not be able to provision Windows Hello for Business.

-
Note  If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.
-
 
-
RequireSecurityDeviceDeviceFalse -

True: Windows Hello for Business will only be provisioned using TPM.

-

False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

-
Biometrics -

UseBiometrics

-		Device False -

True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.

-

False: Only a PIN can be used as a gesture for domain sign-in.

-
-

FacialFeaturesUser

-

EnhancedAntiSpoofing

-		DeviceNot configured -

Not configured: users can choose whether to turn on enhanced anti-spoofing.

-

True: Enhanced anti-spoofing is required on devices which support it.

-

False: Users cannot turn on enhanced anti-spoofing.

-
PINComplexity
Digits Device or user2 -

1: Numbers are not allowed.

-

2: At least one number is required.

-
Lowercase letters Device or user1 -

1: Lowercase letters are not allowed.

-

2: At least one lowercase letter is required.

-
Maximum PIN length Device or user127 -

Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.

-
Minimum PIN lengthDevice or user4 -

Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.

-
Expiration Device or user0 -

Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. -

-
HistoryDevice or user0 -

Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. -

-
Special charactersDevice or user1 -

1: Special characters are not allowed.

-

2: At least one special character is required.

-
Uppercase lettersDevice or user1 -

1: Uppercase letters are not allowed.

-

2: At least one uppercase letter is required

-
Remote -

UseRemotePassport

-
Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
-
 
-		Device or userFalse -

True: Phone sign-in is enabled.

-

False: Phone sign-in is disabled.

-
- ->[!NOTE]   -> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN. -  -## Prerequisites - -You’ll need this software to set Windows Hello for Business policies in your enterprise. - ------ - - - - - - - - - - - - - - - - - - - -
Windows Hello for Business modeAzure ADAzure AD/AD hybrid (available with production release of Windows Server 2016)
Key-based authentication[Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant)
    -
  • [Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant)
    • -
  • [Azure AD Connect](https://docs.microsoft.com/azure/active-directory/active-directory-aadconnect)
    • -
  • A few Windows Server 2016 domain controllers on-site
    • -
  • A management solution, such as [Configuration Manager](https://docs.microsoft.com/sccm/index), Group Policy, or MDM
    • -
  • [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) without Network Device Enrollment Service (NDES)
    • -
Certificate-based authentication
    -
  • [Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant)
    • -
  • Intune or non-Microsoft mobile device management (MDM) solution
    • -
  • [PKI infrastructure](https://msdn.microsoft.com/library/windows/desktop/bb427432(v=vs.85).aspx)
    • -
    -
  • [Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant)
    • -
  • [Azure AD Connect](https://docs.microsoft.com/azure/active-directory/active-directory-aadconnect)
    • -
  • [AD CS](https://technet.microsoft.com/windowsserver/dd448615.aspx) with NDES
    • -
  • [Configuration Manager](https://docs.microsoft.com/sccm/index) for domain-joined certificate enrollment, or [InTune](https://docs.microsoft.com/intune/deploy-use/control-microsoft-passport-settings-on-devices-with-microsoft-intune) for non-domain-joined devices, or a non-Microsoft MDM service that supports Hello for Business
    • -
-  -Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business. - -[Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-passport) provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. - -[Learn more about enabling Windows Hello for Business in an Azure AD/AD hybrid environment.](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-passport-deployment) - - -## Windows Hello for BYOD - -Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and used this PIN for access to work resources. - -The PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The PIN can also be managed using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](https://go.microsoft.com/fwlink/p/?LinkID=623244). - -## Related topics - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index aee90f46a5..db8b674702 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -16,9 +16,9 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. ## In this section | Topic | Description | -| - | - | +| --- | --- | | [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. | -| [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | +| [Windows Hello for Business](hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | | [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. | | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. | | [Device Guard deployment guide](device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md index 013355ffa6..813dde388c 100644 --- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md @@ -27,7 +27,7 @@ With TPM 1.2 and Windows 10, version 1507 or 1511, you can also take the followi - [Turn on or turn off the TPM](#turn-on-or-turn-off) -This topic also provides information about [using the TPM cmdlets](#use-the-tpm-cmdlets). +For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). ## About TPM initialization and ownership @@ -150,11 +150,7 @@ If you want to stop using the services that are provided by the TPM, you can use ## Use the TPM cmdlets -If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: - -`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` - -For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). ## Related topics diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 18f8399a2b..81cef9cc41 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile author: jdeckerMS -localizationpriority: high +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification --- # Manage identity verification using Windows Hello for Business @@ -16,112 +16,3 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. - ->[!NOTE] -> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Hello addresses the following problems with passwords: -- Passwords can be difficult to remember, and users often reuse passwords on multiple sites. -- Server breaches can expose symmetric network credentials. -- Passwords can be subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). -- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674). - -Hello lets users authenticate to: -- a Microsoft account. -- an Active Directory account. -- a Microsoft Azure Active Directory (Azure AD) account. -- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication - -After an initial two-step verification of the user during enrollment, Hello is set up on the user's device and the user is asked to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Hello to authenticate users and help them to access protected resources and services. - -As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization. - - - - -## The difference between Windows Hello and Windows Hello for Business - -- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by certificate-based authentication. - -- Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication. - -- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release. - -## Benefits of Windows Hello - -Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. - -You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. - -In Windows 10, Hello replaces passwords. The Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software. - -![how authentication works in windows hello](images/authflow.png) - -Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. - -Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. - -Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. - -> [!NOTE] ->  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. - -  -## How Windows Hello for Business works: key points - -- Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device. -- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step. -- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. -- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device. -- Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process. -- PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates. -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. -- Certificate private keys can be protected by the Hello container and the Hello gesture. - - -## Comparing key-based and certificate-based authentication - -Windows Hello for Business can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Hello. - -Hardware-based keys, which are generated by TPM, provide the highest level of assurance. When the TPM is manufactured, an Endorsement Key (EK) certificate is resident in the TPM. This EK certificate creates a root trust for all other keys that are generated on this TPM. -EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Hello keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected. - -When identity providers such as Active Directory or Azure AD enroll a certificate in Hello, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported. - -## Learn more - -[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy - -[What's new in Active Directory Domain Services for Windows Server 2016](https://go.microsoft.com/fwlink/p/?LinkId=708533) - -[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024) - -[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995) - -[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890) - -[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891) - -[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778) - -[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928) - -## Related topics - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  diff --git a/windows/keep-secure/manage-tpm-commands.md b/windows/keep-secure/manage-tpm-commands.md index 71f3c2229e..c95d30f931 100644 --- a/windows/keep-secure/manage-tpm-commands.md +++ b/windows/keep-secure/manage-tpm-commands.md @@ -77,11 +77,7 @@ The following procedures describe how to manage the TPM command lists. You must ## Use the TPM cmdlets -If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: - -`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` - -For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). ## Related topics diff --git a/windows/keep-secure/manage-tpm-lockout.md b/windows/keep-secure/manage-tpm-lockout.md index 3f5e966157..76b1ee2bae 100644 --- a/windows/keep-secure/manage-tpm-lockout.md +++ b/windows/keep-secure/manage-tpm-lockout.md @@ -78,11 +78,7 @@ For information about mitigating dictionary attacks that use the lockout setting ## Use the TPM cmdlets -If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: - -**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** - -For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). ## Related topics diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md index 128f1ffe29..fffa48b90f 100644 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ b/windows/keep-secure/microsoft-passport-and-password-changes.md @@ -7,48 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-and-password-changes --- # Windows Hello and password changes -**Applies to** -- Windows 10 -- Windows 10 Mobile - -When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. - -## Example - -Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account. -Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part. - -Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated. -> **Note:**  This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md). -  -## How to update Hello after you change your password on another device - -1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.** -2. Click **OK.** -3. Click **Sign-in options**. -4. Click the **Password** button. -5. Sign in with new password. -6. The next time that you sign in, you can select **Sign-in options** and then select **PIN** to resume using your PIN. - -## Related topics - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  \ No newline at end of file diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md index 3e4fbfbedf..aa890d3cd9 100644 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md @@ -8,232 +8,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-errors-during-pin-creation --- # Windows Hello errors during PIN creation -**Applies to** -- Windows 10 -- Windows 10 Mobile - -When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. - -## Where is the error code? - -The following image shows an example of an error during **Create a PIN**. - -![](images/pinerror.png) - -## Error mitigations - -When a user encounters an error when creating the work PIN, advise the user to try the following steps. Many errors can be mitigated by one of these steps. -1. Try to create the PIN again. Some errors are transient and resolve themselves. -2. Sign out, sign in, and try to create the PIN again. -3. Reboot the device and then try to create the PIN again. -4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to **Settings** > **System** > **About** and select **Disconnect from organization**. To unjoin a device running Windows 10 Mobile, you must [reset the device](https://go.microsoft.com/fwlink/p/?LinkId=715697). -5. On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](https://go.microsoft.com/fwlink/p/?LinkId=715697). -If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
HexCauseMitigation
0x801C044DAuthorization token does not contain device IDUnjoin the device from Azure AD and rejoin
0x80090036User cancelled an interactive dialogUser will be asked to try again
0x80090011The container or key was not foundUnjoin the device from Azure AD and rejoin
0x8009000FThe container or key already existsUnjoin the device from Azure AD and rejoin
0x8009002ANTE_NO_MEMORYClose programs which are taking up memory and try again.
0x80090005NTE_BAD_DATAUnjoin the device from Azure AD and rejoin
0x80090029TPM is not set up.Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**.
0x80090031NTE_AUTHENTICATION_IGNOREDReboot the device. If the error occurs again after rebooting, [reset the TPM]( https://go.microsoft.com/fwlink/p/?LinkId=619969) or run [Clear-TPM](https://go.microsoft.com/fwlink/p/?LinkId=629650)
0x80090035Policy requires TPM and the device does not have TPM.Change the Passport policy to not require a TPM.
0x801C0003User is not authorized to enrollCheck if the user has permission to perform the operation​.
0x801C000ERegistration quota reached

Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](https://go.microsoft.com/fwlink/p/?LinkId=626933).

0x801C000FOperation successful but the device requires a rebootReboot the device.
0x801C0010The AIK certificate is not valid or trustedSign out and then sign in again.
0x801C0011The attestation statement of the transport key is invalidSign out and then sign in again.
0x801C0012Discovery request is not in a valid formatSign out and then sign in again.
0x801C0015The device is required to be joined to an Active Directory domain​Join the device to an Active Directory domain.
0x801C0016The federation provider configuration is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the file is not empty.
0x801C0017​The federation provider domain is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the FPDOMAINNAME element is not empty.
0x801C0018The federation provider client configuration URL is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the CLIENTCONFIG element contains a valid URL.
0x801C03E9Server response message is invalidSign out and then sign in again.
0x801C03EAServer failed to authorize user or device.Check if the token is valid and user has permission to register Passport keys.
0x801C03EBServer response http status is not validSign out and then sign in again.
0x801C03ECUnhandled exception from server.sign out and then sign in again.
0x801C03ED

Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed

-

-or-

-

Token was not found in the Authorization header

-

-or-

-

Failed to read one or more objects

-

-or-

The request sent to the server was invalid.

Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
0x801C03EEAttestation failedSign out and then sign in again.
0x801C03EFThe AIK certificate is no longer validSign out and then sign in again.
​0x801C044DUnable to obtain user tokenSign out and then sign in again. Check network and credentials.
0x801C044EFailed to receive user creds inputSign out and then sign in again.
-  -## Errors with unknown mitigation -For errors listed in this table, contact Microsoft Support for assistance. - -| Hex | Cause | -|-------------|-------------------------------------------------------------------------------------------------------| -| 0x80072f0c | Unknown | -| 0x80070057 | Invalid parameter or argument is passed | -| 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. | -| 0x8009002D | NTE\_INTERNAL\_ERROR | -| 0x80090020 | NTE\_FAIL | -| 0x801C0001 | ​ADRS server response is not in valid format | -| 0x801C0002 | Server failed to authenticate the user | -| 0x801C0006 | Unhandled exception from server | -| 0x801C000C | Discovery failed | -| 0x801C001B | ​The device certificate is not found | -| 0x801C000B | Redirection is needed and redirected location is not a well known server | -| 0x801C0019 | ​The federation provider client configuration is empty | -| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty | -| 0x801C0013 | Tenant ID is not found in the token | -| 0x801C0014 | User SID is not found in the token | -| 0x801C03F1 | There is no UPN in the token | -| 0x801C03F0 | ​There is no key registered for the user | -| 0x801C03F1 | ​There is no UPN in the token | -| ​0x801C044C | There is no core window for the current thread | -  - -## Related topics - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index d2737b9630..faa85f4206 100644 --- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md @@ -8,7 +8,7 @@ ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: security author: challum -localizationpriority: high +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification --- # Microsoft Passport guide @@ -16,383 +16,3 @@ localizationpriority: high **Applies to** - Windows 10 -This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10, version 1511 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout. - ->[!NOTE] ->For information about Windows Hello for Business in Windows 10, version 1607, see [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md). - -A fundamental assumption about information security is that a system can identify who’s using it. In identifying a user, the system can decide whether the user has identified himself or herself appropriately (a process known as authentication), and then determine what that properly authenticated user should be able to do (a process known as authorization). The overwhelming majority of computer systems deployed throughout the world depend on user credentials as a means of making authentication and authorization decisions, and that means that these systems depend on reusable, user-created passwords for their security. The oft-cited maxim that authentication can involve “something you know, something you have, or something you are” neatly highlights the issue: a reusable password is an authentication factor all by itself, so anyone who knows the password can impersonate the user who owns it. - -## Problems with traditional credentials - -Ever since the mid-1960s, when Fernando Corbató and his team at the Massachusetts Institute of Technology championed the introduction of the password, users and administrators have had to deal with the use of passwords for user authentication and authorization. Over time, the state of the art for password storage and use has advanced somewhat (with password hashing and salt being the two most noticeable improvements), but we’re still faced with two serious problems: passwords are easy to clone and easy to steal. Implementation faults may render them insecure, and users have a hard time balancing convenience and security. - -**Credential theft** - -The biggest risk of passwords is simple: an attacker can steal them easily. Every place a password is entered, processed, or stored is vulnerable. For example, an attacker can steal a collection of passwords or hashes from an authentication server by eavesdropping on network traffic to an application server, by implanting malware in an application or on a device, by logging user keystrokes on a device, or by watching to see which characters a user types — and those are just the most common attack methods. One can enact more exotic attacks to steal one or many passwords. - -The risk of theft is driven by the fact that the authentication factor the password represents is the password. Without additional authentication factors, the system assumes that anyone who knows the password is the authorized user. -Another, related risk is that of credential replay, in which an attacker captures a valid credential by eavesdropping on an insecure network, and then replays it later to impersonate a valid user. Most authentication protocols (including Kerberos and OAuth) protect against replay attacks by including a time stamp in the credential exchange process, but that protects the token that the authentication system issues, not the password that the user provides to get the ticket in the first place. - -**Credential reuse** - -The common approach of using an email address as the user name makes a bad problem worse. An attacker who successfully recovers a user name–password pair from a compromised system can then try that same pair on other systems. Surprisingly often, this tactic works to allow attackers to springboard from a compromised system into other systems. The use of email addresses as user names leads to other problems, too, which we’ll explore later in this guide. - -### - -**Trading convenience for complexity** -Most security is a tradeoff between convenience and security: the more secure a system is, the less convenient it will typically be for users. Although system designers and implementers have a broad range of tools to make their systems more secure, users get a vote, too. When users perceive that a security mechanism gets in the way of what they want to do, they often look for ways to circumvent it. This behavior leads to an arms race of sorts, with users adopting strategies to minimize the effort required to comply with their organization’s password policies as those policies evolve. - -**Password complexity** - -If the major risk to passwords is that an attacker might guess them through brute-force analysis, it might seem reasonable to require users to include a broader character set in their passwords or make them longer, but as a practical matter, password length and complexity requirements have two negative side effects. First, they encourage password reuse. Estimates by [Herley, Florêncio, and van Oorschot](https://go.microsoft.com/fwlink/p/?LinkId=627392) calculate that the stronger a password is, the more likely it is to be reused. Because users put more effort into the creation and memorization of strong passwords, they are much more likely to use the same credential across multiple systems. Second, adding length or character set complexity to passwords does not necessarily make them more difficult to guess. For example, P@ssw0rd1 is nine characters long and includes uppercase and lowercase letters, numbers, and special characters, but it’s easily guessed by many of the common password-cracking tools now available on the Internet. These tools can attack passwords by using a pre-computed dictionary of common passwords, or they can start with a base word such as password, and then apply common character substitutions. A completely random eight-character password might therefore actually take longer to guess than P@ssw0rd123. - -**Password expiration** - -Because a reusable password is the only authentication factor in password-based systems, designers have attempted to reduce the risk of credential theft and reuse. One common method for doing so is the use of limited-lifetime passwords. Some systems allow for passwords that can be used only once, but by far the more common approach is to make passwords expire after a certain period. Limiting the useful lifetime of a password puts a cap on how long a stolen password will be useful to an attacker. This practice helps protect against cases where a long-lived password is stolen, held, and used for a long time, but it also harkens back to the time when password cracking was impractical for everyone except nation state-level attackers. A smart attacker would attempt to steal passwords rather than crack them because of the time penalty associated with password cracking. -The widespread availability of commodity password-cracking tools and the massive computing power available through mechanisms such as GPU-powered crackers or distributed cloud-based cracking tools has reversed this equation so that it is often more effective for an attacker to crack a password than to try to steal it. In addition, the widespread availability of self-service [password-reset mechanisms](#password-reset) means that an attacker needs only a short window of time during which the password is valid to change the password and thus reset the validity period. Relatively few enterprise networks provide self-service password-reset mechanisms, but they are common for Internet services. In addition, many users use the secure credential store on Windows and Mac OS X systems to store valuable passwords for Internet services, so an attacker who can compromise the operating system password may be able to obtain a treasure trove of other service passwords at no cost. -Finally, overly short timelines for password expiration can tempt users to make small changes in their passwords at each expiration period — for example, moving from password123 to password456 to password789. This approach reduces the work necessary to crack the password, especially if the attacker knows any of the old passwords. - -### - -**Password-reset mechanisms** - -To let users better manage their own passwords, some services provide a way for users to change their own password. Some implementations require users to log on with their current password, while others allow users to select the **Forgot my password** option, which sends an email to the user’s registered email address. The problem with these mechanisms is that many of them are implemented such that an attacker can exploit them. For example, an attacker who can successfully guess or steal a user’s email password can merrily request password resets for all of the victim’s other accounts, because the reset emails go to the compromised account. For this reason, most enterprise networks are configured so that only administrators can reset user passwords; for example, Active Directory supports the use of a **Password must be changed on next logon** flag so that after the administrator resets a password, the user can reset the password only after providing the administrator-set password. Some mobile device management (MDM) systems support similar functionality for mobile devices. - -**User password carelessness** - -An insidious problem makes these design and implementation weaknesses worse: some users just aren’t careful with their passwords. They write them down in insecure locations, choose easy-to-guess passwords, take minimal (if any) precautions against malware, or even give their passwords to other people. These users aren’t necessarily careless because they don’t care; they want to get things done, and overly stringent password length or expiration policies or too many passwords hinders them. - -**Mitigate credential risks** - -Given the issues described so far, it might seem obvious that reusable passwords are a security hazard. The argument is simple: adding authentication factors reduces the value of the passwords themselves, because even a successful password theft won’t let an attacker log on to a system unless he or she also has the associated additional factors. Unfortunately, this simple argument has many practical complications. Security and operating system vendors have tried to solve the problems that reusable credentials pose for decades — with limited success. -The most obvious mitigation to the risks reusable passwords pose is to add one or more authentication factors. At different times over the past 30 years, different vendors have attempted to solve this problem by calling for the use of biometric identifiers (including fingerprints, iris and retina scans, and hand geometry), software-based and hardware-based tokens, physical and virtual smart cards, and voice or Short Message Service (SMS) authentication through the user’s mobile phone. A detailed description of each of these authenticators and its pros and cons is outside the scope of this guide, but no matter which authentication method you choose, core challenges have limited adoption of all Multi-Factor Authentication (MFA) solutions, including: -- **Infrastructure complexity and cost.** Any system that requires the user to provide an additional authentication factor at the point of access has to have a way to collect that information. Although it’s possible to retrofit fielded hardware by adding fingerprint readers, eye scanners, smart card readers, and so on, few enterprises have been willing to take on the cost and support burden required to do so. -- **Lack of standardization.** Although Microsoft included operating system–level smart card support as part of the Windows Vista operating system, smart card and reader vendors were free to continue to ship their own drivers, as were manufacturers of other authentication devices. Lack of standardization led to both application and support fragmentation, which means that it wasn’t always possible to mix and match solutions within an enterprise, even when the manufacturers of those solutions advertised them as being compatible. -- **Backward compatibility.** Retrofitting already-deployed operating systems and applications to use MFA has proven an extremely difficult task. Nearly three years after its release, Microsoft Office 2013 is finally getting support for MFA. The vast majority of both commercial and custom line-of-business (LOB) applications will never be retrofitted to take advantage of any authentication system other than what the underlying operating system provides. -- **User inconvenience.** Solutions that require users to obtain, keep track of, and use physical tokens are often unpopular. If users have to have a particular token for remote access or other scenarios that are supposed to make things more convenient, they tend to become quickly dissatisfied with the burden of keeping up with an additional device. This pushback is multiplied for solutions that have to be attached to computers (such as smart card readers) because such solutions introduce problems of portability, driver support, and operating system and application integration. -- **Device compatibility.** Not every hardware form factor supports every authentication method. For example, despite occasional feeble efforts from vendors, no market for mobile phone-compatible smart card readers ever emerged. -So when Microsoft first implemented smart cards as an authenticator for remote network access, one key limitation was that employees could log on only from desktop or laptop computers that had smart card readers. Any authentication method that relies on additional hardware or software may run into this problem. For example, several popular “soft token” systems rely on mobile apps that run on a limited number of mobile hardware platforms. -Another pesky problem has to do with institutional knowledge and maturity. Strong authentication systems are complex. They have lots of components, and they can be expensive to design, maintain, and operate. For some enterprises, the additional cost and overhead of maintaining an in-house public key infrastructure (PKI) to issue smart cards or the burden of managing add-on devices exceeds the value they perceive in having stronger authentication. This is a special case of the common problem that financial institutions face: if the cost of fraud reduction is higher than the cost of the fraud itself, it’s hard to justify the economics of better fraud-prevention measures. - -## Solve credential problems - -Solving the problems that passwords pose is tricky. Tightening password policies alone won’t do it: users may just recycle, share, or write down passwords. Although user education is critical for authentication security, education alone doesn’t eliminate the problem, either. - -As you’ve seen, additional authenticators won’t necessarily help if the new authentication systems add complexity, cost, or fragility. In Windows 10, Microsoft addresses these problems with two new technologies: Windows Hello and Microsoft Passport. Working together, these technologies help increase both security and user convenience: -- Microsoft Passport replaces passwords with strong two-factor authentication (2FA) by verifying existing credentials and by creating a device-specific credential that a user gesture (either biometric or PIN-based) protects. This combination effectively replaces physical and virtual smart cards as well as reusable passwords for logon and access control. -- Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras, and fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ Microsoft Passport credentials. - -## What is Windows Hello? - -Windows Hello is the name Microsoft has given to the new biometric sign-in system built into Windows 10. Because it is built directly into the operating system, Windows Hello allows face or fingerprint identification to unlock users’ devices. Authentication happens when the user supplies his or her unique biometric identifier to access the device-specific Microsoft Passport credentials, which means that an attacker who steals the device can’t log on to it unless that attacker has the PIN. The Windows secure credential store protects biometric data on the device. By using Windows Hello to unlock a device, the authorized user gains access to all of his or her Windows experience, apps, data, websites, and services. - -The Windows Hello authenticator is known as a Hello. A Hello is unique to the combination of an individual device and a specific user; it doesn’t roam among devices, isn’t shared with a server, and cannot easily be extracted from a device. If multiple users share a device, each user gets a unique Hello for that device. You can think of a Hello as a token you can use to unlock (or release) a stored credential: the Hello itself doesn’t authenticate you to an app or service, but it releases credentials that can. - -At the launch of Windows 10, the operating system supported three Hello types: -- **PIN.** Before you can use Windows Hello to enable biometrics on a device, you must choose a PIN as your initial Hello gesture. After you’ve set a PIN, you can add biometric gestures if you want to. You can always use the PIN gesture to release your credentials, so you can still unlock and use your device even if you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. -- **Facial recognition.** This type uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. -- **Fingerprint recognition.** This type uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. -Biometric data used to implement these Hello gestures is stored securely on the local device only. It doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. Breaches that expose biometrics collected and stored for other uses (such as fingerprints collected and stored for law enforcement or background check purposes) don’t pose a significant threat: an attacker who steals biometrics literally has only a template of the identifier, and that template cannot easily be converted to a form that the attacker can present to a biometric sensor. The data path for Windows Hello-compatible sensors is resistant to tampering, too, which further reduces the chance that an attacker will be able to successfully inject faked biometric data. In addition, before an attacker can even attempt to inject data into the sensor pipeline, that attacker must gain physical access to the device — and an attacker who can do that can mount several other, less difficult attacks. -Windows Hello offers several major benefits. First, when combined with Microsoft Passport, it effectively solves the problems of credential theft and sharing. Because an attacker must obtain both the device and the selected biometric, it is much more difficult to gain access without the user’s knowledge. Second, the use of biometrics means that users benefit from having a simple authenticator that’s always with them: there’s nothing to forget, lose, or leave behind. Instead of worrying about memorizing long, complex passwords, users can take advantage of a convenient, secure method for signing in to all their Windows devices. Finally, in many cases, there’s nothing additional to deploy or manage to use Windows Hello (although Microsoft Passport may require additional deployment, as described later in this guide). Windows Hello support is built directly into the operating system, and users or enterprises can add compatible biometric devices to provide biometric gesture recognition, either as part of a coordinated rollout or as individual users or groups decide to add the necessary sensors. Windows Hello is part of Windows, so no additional deployment is required to start using it. - -## What is Microsoft Passport? - -Windows Hello provides a robust way for a device to recognize an individual user; that addresses the first part of the path between a user and a requested service or data item. After the device has recognized the user, however, it still must authenticate the user before deciding whether to grant access to a requested resource. Microsoft Passport provides strong 2FA, fully integrated into Windows, that replaces reusable passwords with the combination of a specific device and a Hello or PIN. Microsoft Passport isn’t just a replacement for traditional 2FA systems, though. It’s conceptually similar to smart cards: authentication is performed by using cryptographic primitives instead of string comparisons, and the user’s key material is secure inside tamper-resistant hardware. Microsoft Passport doesn’t require the extra infrastructure components required for smart card deployment, either. In particular, you don’t need a PKI if you don’t currently have one. Microsoft Passport combines the major advantage of smart cards — deployment flexibility for virtual smart cards and robust security for physical smart cards — without any of their drawbacks. - -Microsoft Passport offers four significant advantages over the current state of Windows authentication: it’s more flexible, it’s based on industry standards, it’s an effective risk mitigator, and it’s ready for the enterprise. Let’s look at each of these advantages in more detail. - -**It’s flexible** - -Microsoft Passport offers unprecedented flexibility. Although the format and use of reusable passwords are fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with both biometric identifiers and PINs, so users’ credentials are protected even on devices that don’t support biometrics. Users can even use their phone to release their credentials instead of a PIN or biometric gesture on the main device. Microsoft Passport seamlessly takes advantage of the hardware of the devices in use; as users upgrade to newer devices, Microsoft Passport is ready to use them, and organizations can upgrade existing devices by adding biometric sensors where appropriate. -Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section). - -**It’s standardized** - -Both software vendors and enterprise customers have come to realize that proprietary identity and authentication systems are a dead end. The future lies with open, interoperable systems that allow secure authentication across a variety of devices, LOBs, and external applications and websites. To this end, a group of industry players formed the Fast IDentity Online Alliance (FIDO), a nonprofit organization intended to address the lack of interoperability among strong authentication devices as well as the problems users face when they have to create and remember multiple user names and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plug ins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security. For more information, see the [FIDO Alliance website](https://go.microsoft.com/fwlink/p/?LinkId=627393). - -In 2013, Microsoft joined the FIDO Alliance. FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong passwordless authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: passwordless (known as the Universal Authentication Framework \[UAF\]) and 2nd Factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals to combine the best parts of the U2F and UAF FIDO 1.0 standards. Microsoft is actively contributing to the proposals, and Windows 10 is a reference implementation of these concepts. In addition to supporting those protocols, the Windows implementation covers other aspects of the end-to-end experience that the specification does not cover, including user interface to, storage of, and protection for users’ device keys and the tokens issued after authentication; supporting administrator policies; and providing deployment tools. Microsoft expects to continue working with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike. - -**It’s effective** - -Microsoft Passport effectively mitigates two major security risks. First, by eliminating the use of reusable passwords for logon, it reduces the risk that a user’s credential will be copied or reused. On devices that support the Trusted Platform Module (TPM) standard, user key material can be stored in the user device’s TPM, which makes it more difficult for an attacker to capture the key material and reuse it. For devices that lack TPM, Microsoft Passport can encrypt and store credential data in software, but administrators can disable this feature to force a “TPM or nothing” deployment. -Second, because Microsoft Passport doesn’t depend on a single, centralized server, the risk of compromise from a breach of that server is removed. Although an attacker could theoretically compromise a single device, there’s no single point of attack that an intruder can leverage to gain widespread access to the environment. - -**It’s enterprise-ready** - -Every edition of Windows 10 includes Microsoft Passport functionality for individual use; enterprise and personal users can take advantage of Microsoft Passport to protect their individual credentials with compatible applications and services. In addition, enterprises whose users are running Windows 10 Professional and Windows 10 Enterprise have the ability to use Microsoft Passport for Work, an enhanced version of Microsoft Passport that includes the ability to centrally manage Microsoft Passport settings for PIN strength and biometric use through Group Policy Objects (GPOs). - -## How Microsoft Passport works - -To use Microsoft Passport to sign in with an identity provider (IDP), a user needs a configured device, which means that the Microsoft Passport life cycle starts when you configure a device for Microsoft Passport use. When the device is set up, its user can use the device to authenticate to services. In this section, we explore how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. - -**Register a new user or device** - -A goal of Microsoft Passport is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Microsoft Passport as registration. -> **Note:**  This is separate from the organizational configuration required to use Microsoft Passport with Active Directory or Azure AD; that configuration is discussed later in this guide. This configuration must be completed before users can begin to register. -  -The registration process works like this: -1. The user configures an account on the device. - This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as logging on with a Microsoft account. Logging on with a Microsoft account on a Windows 10 device automatically sets up Microsoft Passport on the device; users don’t have to do anything extra to enable it. -2. To log on using that account, the user has to enter the existing credentials for it. - The IDP that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. -3. When the user has provided the proof to the IDP, the user enables PIN authentication (Figure 1). - The PIN will be associated with this particular credential. - - ![figure 1](images/passport-fig1.png) - - Figure 1. Set up a PIN in the **Account Settings** control panel item - - When the user sets the PIN, it becomes usable immediately (Figure 2). - - ![figure 2](images/passport-fig2-pinimmeduse.png) - - Figure 2. When set, the PIN is immediately usable - -Remember that Microsoft Passport depends on pairing a device and a credential, so the PIN chosen is associated only with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Microsoft Passport supports are: - -- A user who upgrades from the Windows 8.1 operating system will log on by using his or her existing enterprise password. That triggers MFA from the IDP side; after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. -- A user who typically uses a smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to. -- A user who typically uses a virtual smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to. - -When the user has completed this process, Microsoft Passport generates a new public–private key pair on the device. The TPM generates and stores this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. The protector key securely wraps the authentication key for a specific container. Each container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys (each of which is associated with a unique gesture). Microsoft Passport also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. - -At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely log on to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future logons can then use either the PIN or the registered biometric gestures. - -**What’s a container?** - -You’ll often hear the term *container* used in reference to MDM solutions. Microsoft Passport uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 supports two containers: the default container holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and the enterprise container holds credentials associated with a workplace or school account. - -The enterprise container exists only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. The enterprise container contains only key data for Active Directory or Azure AD. If the enterprise container is present on a device, it’s unlocked separately from the default container, which maintains separation of data and access across personal and enterprise credentials and services. For example, a user who uses a biometric gesture to log on to a managed computer can separately unlock his or her personal container by entering a PIN when logging on to make a purchase from a website. -These containers are logically separate. Organizations don’t have any control over the credentials users store in the default container, and applications that authenticate against services in the default container can’t use credentials from the enterprise container. However, individual Windows applications can use the Microsoft Passport application programming interfaces (APIs) to request access to credentials as appropriate, so that both consumer and LOB applications can be enhanced to take advantage of Microsoft Passport. - -It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Microsoft Passport stores are protected without the creation of actual containers or folders. - -Each container actually contains a set of keys, some of which are used to protect other keys. Figure 3 shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. - -![figure 3](images/passport-fig3-logicalcontainer.png) - -Figure 3. Each logical container holds one or more sets of keys - -Containers can contain several types of key material: - -- An *authentication key*, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. -- *Virtual smart card keys* are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. -- *Secure/Multipurpose Internet Mail Extensions (S/MIME) keys and certificates*, which a certification authority (CA) generates. The keys associated with the user’s S/MIME certificate can be stored in a Microsoft Passport container so they’re available to the user whenever the container is unlocked. -- The *IDP key*. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container as illustrated in Figure 3. For certificate-based Microsoft Passport for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this machine to the IDP. IDP keys are typically long lived but could have a shorter lifetime than the authentication key. -Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: -- The IDP key pair can be associated with an enterprise CA through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](https://go.microsoft.com/fwlink/p/?LinkId=733947). In this case, Microsoft Passport requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Microsoft Passport in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. -- The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Microsoft Passport in environments that don’t have or need a PKI. - -**How keys are protected** - -Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Microsoft Passport for Work implementation takes advantage of onboard TPM hardware to generate, store, and process keys. However, Microsoft Passport and Microsoft Passport for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the machine can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. - -Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. - -**Authentication** - -When a user wants to access protected key material — perhaps to use an Internet site that requires a logon or to access protected resources on a corporate intranet — the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called *releasing the key*. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. On a personal device that’s connected to an organizational network, users will use their personal PIN or biometric to release the key; on a device joined to an on-premises or Azure AD domain, they will use the organizational PIN. -This process unlocks the protector key for the primary container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. - -These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or log on to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Microsoft Passport layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Windows Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. - -The actual authentication process works like this: - -1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.) -2. The IDP returns a challenge, known as a *nonce*. -3. The device signs the nonce with the appropriate private key. -4. The device returns the original nonce, the signed nonce, and the ID of the key used to sign the nonce. -5. The IDP fetches the public key that the key ID specified, uses it to verify the signature on the nonce, and verifies that the nonce the device returned matches the original. -6. If all the checks in step 5 succeed, the IDP returns two data items: a symmetric key, which is encrypted with the device’s public key, and a security token, which is encrypted with the symmetric key. -7. The device uses its private key to decrypt the symmetric key, and then uses that symmetric key to decrypt the token. -8. The device makes a normal authentication request for the original resource, presenting the token from the IDP as its proof of authentication. - -When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices. - -Remote unlock, which is planned for a future release of Windows 10, builds on these scenarios by enabling seamless remote authentication from a mobile device as a second factor. For example, suppose that you’re visiting another office at your company and you need to borrow a computer there temporarily, but you don’t want to potentially expose your credentials to capture. Rather than type in your credentials, you can click **other user** on the Windows 10 logon screen, type your user name, pick the tile for remote authentication, and use an app on your phone, which you already unlocked by using its built-in facial-recognition sensors. The phone and computer are paired and handshake via Bluetooth, you type your authentication PIN on the phone, and the computer gets confirmation of your identity from the IDP. All this happens without typing a password anywhere or typing your PIN on the PC. - -**The infrastructure** - -Microsoft Passport depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities: -- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to devices. You can use NDES to register devices directly, Microsoft System Center Configuration Manager Technical Preview or later for on-premises environments, or Microsoft Intune where it’s available to manage mobile device participation in Microsoft Passport. -- You can configure Windows Server 2016 Technical Preview domain controllers to act as IDPs for Microsoft Passport. In this mode, the Windows Server 2016 Technical Preview domain controllers act as IDPs alongside any existing Windows Server 2008 R2 or later domain controllers. There is no requirement to replace all existing domain controllers, merely to introduce at least one Windows Server 2016 Technical Preview domain controller per Active Directory site and update the forest Active Directory Domain Services (AD DS) schema to Windows Server 2016 Technical Preview. -- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Microsoft Passport IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 Technical Preview domain controllers required. -- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. -In addition to the IDP, Microsoft Passport requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the [Deployment requirements](#deployreq) section of this document. - -## Design a Microsoft Passport for Work deployment - -Microsoft Passport for Work is designed for integration with your existing and future directory infrastructure and device deployments, but this flexibility means there are many considerations to think about when you design your deployment. Some of these decisions are technical, while others are organizational or even political. In this section, we examine the key points where you have to make decisions about how to implement Microsoft Passport for Work. Remember, individual devices can use the individual version of Microsoft Passport without any infrastructure changes on your part. Microsoft Passport for Work allows you to control and centrally manage user authentication and device registration. To use the initial version of Microsoft Passport for Work, each device must have an Azure AD identity, so automatic registration of devices provides a means both to register new devices and to apply optional policies to manage Microsoft Passport for Work. - -**One deployment strategy** - -Different organizations will necessarily take different approaches to the deployment of Microsoft Passport depending on their capabilities and needs, but there is only one strategy: deploy Microsoft Passport for Work throughout the organization to get maximum protection for the maximum number of devices and resources. Organizations can take one of three basic routes to accomplish that strategy: - -- Deploy Microsoft Passport for Work everywhere according to whatever device or user deployment strategy works best for the organization. -- Deploy Microsoft Passport for Work first to high-value or high-risk targets, by using conditional access policies to restrict access to key resources only to users who hold strong authentication credentials. -- Blend Microsoft Passport for Work into an existing multi-factor environment, using it as an additional form of strong authentication alongside physical or virtual smart cards. - -**Deploy Microsoft Passport for Work everywhere** - -In this approach, you deploy Microsoft Passport throughout the organization in a coordinated rollout. In some ways, this method is similar to any other desktop deployment project; the only real difference is that you must already have the Microsoft Passport infrastructure in place to support device registration before you can start using Microsoft Passport on Windows 10 devices. - -> **Note:**  You can still upgrade to Windows 10 or add new Windows 10 devices without changing your infrastructure. You just can’t use Microsoft Passport for Work on a device until the device joins Azure AD and receives the appropriate policy. -  -The major benefit of this approach is that it provides uniform protection for all parts of the organization. Sophisticated attackers have shown a great deal of skill in breaching large organizations by identifying weak points in their security, including users and systems that don’t have high-value information but that can be exploited to get it. Applying consistent protection across every device that an attacker could use to access enterprise data is excellent protection against these types of attacks. - -The downside to this approach is its complexity. Smaller organizations may find that managing the rollout of a new operating system across all devices is beyond the scope of their experience and capability. For these organizations, users can self-upgrade, and new users may end up with Windows 10 because they get new devices when they join. Larger organizations, especially those that are highly decentralized or have operations across many physical sites, may have more deployment knowledge and resources but face the challenge of coordinating rollout efforts across a larger user base and footprint. - -For more information about desktop deployment of Windows 10, visit the [Windows 10 TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=626581). - -One key aspect of this deployment strategy is how to get Windows 10 in users’ hands. Because different organizations have wildly differing strategies to refresh hardware and software, there’s no one-size-fits-all strategy. For example, some organizations pursue a coordinated strategy that puts new desktop operating systems in users’ hands every 2–3 years on existing hardware, supplementing with new hardware only where and when required. Others tend to replace hardware and deploy whatever version of the Windows client operating system ships on the purchased devices. In both cases, there are typically separate deployment cycles for servers and server operating systems, and the desktop and server cycles may or may not be coordinated. - -In addition to the issue of Windows 10 deployment to users, you must consider how and when (or if!) you’ll deploy biometric devices to users. Because Windows Hello can take advantage of multiple biometric identifiers, you have a flexible range of device options, which includes the purchase of new devices that incorporate your selected biometric, seeding select users with appropriate devices, rollout of biometric devices as part of a scheduled hardware refresh and using PIN gestures until users get devices, or relying on remote unlock as a second authentication factor. - -**Deploy to high-value or high-risk targets** - -This strategy takes into account the fact that in most networks, not every asset is equally protected or equally valuable. There are two ways to think about this. One is that you can focus on protecting the users and services that are most at risk of compromise because of their value. Examples include sensitive internal databases or the user accounts of your key executives. The other option is that you can focus on areas of your network that are the most vulnerable, such as users who travel frequently (and thus run a higher risk of lost or stolen devices or drive-by credential theft). Either way, the strategy is the same: selectively and quickly deploy Microsoft Passport to protect specific people and resources. For example, you might issue new Windows 10 devices with biometric sensors to all users who need access to a sensitive internal database, and then deploy the minimum required infrastructure to support Microsoft Passport–secured access to that database for those users. - -One of the key design capabilities of Microsoft Passport for Work is that it supports Bring Your Own Device (BYOD) environments by allowing users to register their own devices with the organizational IDP (whether on premises, hybrid, or Azure AD). You may be able to take advantage of this capability to quickly deploy Microsoft Passport to protect your most vulnerable users or assets, ideally by using biometrics as an additional safety measure for the most valuable potential targets. - -**Blend Microsoft Passport with your infrastructure** - -Organizations that have already invested in smart cards, virtual smart cards, or token-based systems can still benefit from Microsoft Passport. Of those organizations, many use physical tokens and smart cards to protect only critical assets because of the expense and complexity of their deployment. Microsoft Passport offers a valuable complement to these systems because it protects users who currently rely on reusable credentials; protection of all users’ credentials is an important step toward blunting attacks that seek to leverage compromise of any credential into a widespread breach. This approach also gives you a great deal of flexibility in scheduling and deployment. -Some enterprises have deployed multi-use smart cards that provide building-access control, access to copiers or other office equipment, stored value for lunchroom purchases, remote network access, and other services. Deployment of Microsoft Passport in such environments doesn’t prevent you from continuing to use smart cards for these services. You can leave the existing smart card infrastructure in place for its existing use cases, and then register desktop and mobile devices in Microsoft Passport and use Microsoft Passport to secure access to network and Internet resources. This approach requires a more complicated infrastructure and a greater degree of organizational maturity because it requires you to link your existing PKI with an enrollment service and Microsoft Passport itself. - -Smart cards can act as a useful complement to Microsoft Passport in another important way: to bootstrap the initial logon for Microsoft Passport registration. When a user registers with Microsoft Passport on a device, part of that registration process requires a conventional logon. Rather than using a traditional password, organizations that have previously deployed the necessary infrastructure for smart cards or virtual smart cards can allow their users to register new devices by logging on with a smart card or virtual smart card. After the user has proved his or her identity to the organizational IDP with the smart card, the user can set up a PIN and proceed to use Microsoft Passport for future logons. - -**Choose a rollout method** - -Which rollout method you choose depends on several factors: - -- **How many devices you need to deploy.** This number has a huge influence on your overall deployment. A global rollout for 75,000 users has different requirements than a phased rollout for groups of 200–300 users in different cities. -- **How quickly you want to deploy Microsoft Passport for Work protection.** This is a classic cost–benefit tradeoff. You have to balance the security benefits of Microsoft Passport for Work against the cost and time required to deploy it broadly, and different organizations may make entirely different decisions depending on how they rate the costs and benefits involved. Getting the broadest possible Microsoft Passport coverage in the shortest time possible maximizes security benefits. -- **The type of devices you want to deploy.** Windows device manufacturers are aggressively introducing new devices optimized for Windows 10, leading to the possibility that you might deploy Microsoft Passport first on newly purchased tablets and portable devices, and then deploy it on the desktop as part of your normal refresh cycle. -- **What your current infrastructure looks like.** The individual version of Microsoft Passport doesn’t require changes to your Active Directory environment, but to support Microsoft Passport for Work, you may need a compatible MDM system. Depending on the size and composition of your network, mobile enrollment and management services deployment may be a major project in its own right. -- **Your plans for the cloud.** If you’re already planning a move to the cloud, Azure AD eases the process of Microsoft Passport for Work deployment, because you can use Azure AD as an IDP alongside your existing on-premises AD DS setup without making significant changes to your on-premises environment. Future versions of Microsoft Passport for Work will support the ability to simultaneously register devices that are already members of an on-premises AD DS domain in an Azure AD partition so that they use Microsoft Passport for Work from the cloud. Hybrid deployments that combine AD DS with Azure AD give you the ability to keep machine authentication and policy management against your local AD DS domain while providing the full set of Microsoft Passport for Work services (and Microsoft Office 365 integration) for your users. If you plan to use on-premises AD DS only, then the design and configuration of your on-premises environment will dictate what kind of changes you may need to make. - -### - -**Deployment requirements** - -Table 1 lists six scenarios for deployment of Microsoft Passport for Work in the enterprise. The initial release of Windows 10 supports Azure AD–only scenarios, with support for on-premises Microsoft Passport for Work planned for a future release (see the [Roadmap](#roadmap) section for more details). - -Depending on the scenario you choose, Microsoft Passport for Work deployment may require four elements: - -- An organizational IDP that supports Microsoft Passport. This can be Azure AD or a set of on-premises Windows Server 2016 Technical Preview domain controllers in an existing AD DS forest. Using Azure AD means that you can establish hybrid identity management, with Azure AD acting as a Microsoft Passport IDP and your on-premises AD DS environment handling older authentication requests. This approach provides all the flexibility of Azure AD with the ability to manage computer accounts and devices running older versions of Windows and on-premises applications such as Microsoft Exchange Server or Microsoft SharePoint. -- If you use certificates, an MDM system is required to allow policy management of Microsoft Passport for Work. Domain-joined devices in on-premises or hybrid deployments require Configuration Manager Technical Preview or later. Deployments with Azure AD must use either Intune or a compatible non-Microsoft MDM solution. -- On-premises deployments require the forthcoming Active Directory Federation Services (AD FS) version included in Windows Server 2016 Technical Preview to support provisioning of Microsoft Passport credentials to devices. In this scenario, AD FS takes the place of the provisioning that Azure AD performs in cloud-based deployments. -- Certificate-based Microsoft Passport deployments require a PKI, including CAs that are accessible to all devices that need to register. If you deploy certificate-based Microsoft Passport on premises, you don’t actually need Windows Server 2016 Technical Preview domain controllers. On-premises deployments do need to apply the Windows Server 2016 Technical Preview AD DS schema and have the Windows Server 2016 Technical Preview version of AD FS installed. -Table 1. Deployment requirements for Microsoft Passport - - ------ - - - - - - - - - - - - - - - - - - - -
Microsoft Passport methodAzure ADHybrid Active Directory
Key-based

Azure AD subscription

    -
  • Azure AD subscription
    • -
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
    • -
  • A few Windows Server 2016 Technical Preview domain controllers on-site
    • -
  • A management solution, such as Configuration Manager, Group Policy, or MDM
    • -
  • Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)
    • -
Certificate-based

Azure AD subscription

-

PKI infrastructure

-

Intune

    -
  • Azure AD subscription
    • -
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
    • -
  • AD CS with NDES
    • -
  • Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
    • -
-  -Note that the current release of Windows 10 supports the Azure AD–only (RTM) and hybrid scenarios (RTM + November Update). Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities. - -**Select policy settings** - -Another key aspect of Microsoft Passport for Work deployment involves the choice of which policy settings to apply to the enterprise. There are two parts to this choice: which policies you deploy to manage Microsoft Passport itself and which policies you deploy to control device management and registration. A complete guide to selecting effective policies is beyond the scope of this guide, but one example reference that may be useful is [Mobile device management capabilities in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733877). - -## Implement Microsoft Passport - -No configuration is necessary to use Windows Hello or Microsoft Passport on individual user devices if those users just want to protect their personal credentials. Unless the enterprise disables the feature, users have the option to use Microsoft Passport for their personal credentials, even on devices that are registered with an organizational IDP. However, when you make Microsoft Passport for Work available for users, you must add the necessary components to your infrastructure, as described earlier in the [Deployment requirements](#deployreq) section. - -**How to use Azure AD** - -There are three scenarios for using Microsoft Passport for Work in Azure AD–only organizations: -- **Organizations that use the version of Azure AD included with Office 365.** For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network (Figure 4), the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone. -- **Organizations that use the free tier of Azure AD.** For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the **Connect to work or school** dialog box shown in Figure 4 will be automatically registered with Microsoft Passport for Work support, but previously joined devices will not be registered. -- **Organizations that have subscribed to Azure AD Premium have access to the full set of Azure AD MDM features.** These features include controls to manage Microsoft Passport for Work. You can set policies to disable or force the use of Microsoft Passport for Work, require the use of a TPM, and control the length and strength of PINs set on the device. - - ![figure 4](images/passport-fig4-join.png) - - Figure 4: Joining an Office 365 organization automatically registers the device in Azure AD - -**Enable device registration** - -If you want to use Microsoft Passport at Work with certificates, you’ll need a device registration system. That means that you set up Configuration Manager Technical Preview, Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Microsoft Passport for Work with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates. -**Set Microsoft Passport policies** - -As of the initial release of Windows 10, you can control the following settings for the use of Microsoft Passport for Work: -- You can require that Microsoft Passport be available only on devices that have TPM security hardware, which means the device uses TPM 1.2 or TPM 2.0. -- You can enable Microsoft Passport with a hardware-preferred option, which means that keys will be generated on TPM 1.2 or TPM 2.0 when available and by software when TPM is not available. -- You can configure whether certificate-based Microsoft Passport is available to users. You do this as part of the device deployment process, not through a separately applied policy. -- You can define the complexity and length of the PIN that users generate at registration. -- You can control whether Windows Hello use is enabled in your organization. - -These settings can be implemented through GPOs or through configuration service providers (CSPs) in MDM systems, so you have a familiar and flexible set of tools you can use to apply them to exactly the users you want. (For details about the Microsoft Passport for Work CSP, see [PassportForWork CSP)](https://go.microsoft.com/fwlink/p/?LinkId=733876). - -## Roadmap - -The speed at which Universal Windows apps and services evolve means that the traditional design-build-test-release cycle for Windows is too slow to meet customers’ needs. As part of the release of Windows 10, Microsoft is changing how it engineers, tests, and distributes Windows. Rather than large, monolithic releases every 3–5 years, the Windows engineering team is committed to smaller, more frequent releases to get new features and services into the marketplace more rapidly without sacrificing security, quality, or usability. This model has worked well in Office 365 and the Xbox ecosystem. - -In the Windows 10 initial release, Microsoft supports the following Microsoft Passport and Windows Hello features: - -- Biometric authentication, with fingerprint readers that use the Windows fingerprint reader framework -- Facial-recognition capability on devices that have compatible IR-capable cameras -- Microsoft Passport for personal credentials on individually owned and corporate-managed devices -- Microsoft Passport for Work support for organizations that have cloud-only Azure AD deployments -- Group Policy settings to control Microsoft Passport PIN length and complexity - -In future releases of Windows 10, we plan to add support for additional features: -- Additional biometric identifier types, including iris recognition -- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments -- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates -- TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake) -- Group Policy and MDM settings to control Microsoft Passport PIN length and complexity - -In the November 2015 release, Microsoft supports the following Microsoft Passport and Windows Hello features: - -- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments - -- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates - -In future releases of Windows 10, we plan to add support for additional features: - -- Key-based and certificate-based Microsoft Passport for Work credentials for on-premises AD deployments - -- TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake) - -In the longer term, Microsoft will continue to improve on and expand the features of both Microsoft Passport and Windows Hello to cover additional customer requirements for manageability and security. We also are working with the FIDO Alliance and a variety of third parties to encourage adoption of Microsoft Passport by both web and LOB application developers. -  -  diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index 55a3242e78..7125de6f76 100644 --- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -24,6 +24,8 @@ localizationpriority: high There are some minimum requirements for onboarding your network and endpoints. ## Minimum requirements +You must be on Windows 10, version 1607 at a minimum. +For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy). ### Network and data storage and configuration requirements When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter. @@ -33,6 +35,7 @@ When you run the onboarding wizard for the first time, you must choose where you - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. ### Endpoint hardware and software requirements + The Windows Defender ATP agent only supports the following editions of Windows 10: - Windows 10 Enterprise diff --git a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md index 0f98929851..b686486083 100644 --- a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md @@ -17,7 +17,22 @@ ms.sitesec: library - Windows 10, version 1607 - Windows Server 2016 -Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. +Windows 10 includes Group Policy-configurable “Process Mitigation Options” that add advanced protections against memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example, malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation Options can prevent the running of the malicious code. + +> [!IMPORTANT] +> We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organization’s required apps. + +The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure additional protections. The types of process mitigations are: + +- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](windows-10-security-guide.md#data-execution-prevention). + +- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. + +- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](windows-10-security-guide.md#address-space-layout-randomization). + + To find additional ASLR protections in the table below, look for `IMAGES` or `ASLR`. + +The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings. **To modify Process Mitigation Options** diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md index 25c9b86986..f516f124d0 100644 --- a/windows/keep-secure/passport-event-300.md +++ b/windows/keep-secure/passport-event-300.md @@ -8,47 +8,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-event-300 --- # Event ID 300 - Windows Hello successfully created -**Applies to** -- Windows 10 -- Windows 10 Mobile - -This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. - -## Event details -| | | -|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Product:** | Windows 10 operating system | -| **ID:** | 300 | -| **Source:** | Microsoft Azure Device Registration Service | -| **Version:** | 10 | -| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da. -Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} | -  -## Resolve - -This is a normal condition. No further action is required. - -## Related topics - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index f6419c6ced..9594deccca 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -8,109 +8,10 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-prepare-people-to-use --- # Prepare people to use Windows Hello -**Applies to** -- Windows 10 -- Windows 10 Mobile - -When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello. - -After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device. - -Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello. - -People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello. - -## On devices owned by the organization - -When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**. - -![who owns this pc](images/corpown.png) - -Next, they select a way to connect. Tell the people in your enterprise which option they should pick here. - -![choose how you'll connect](images/connect.png) - -They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length. - -After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on. - -## On personal devices - -People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials. - -People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device. - -## Using Windows Hello and biometrics - -If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it. - -![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) - -## Use a phone to sign in to a PC or VPN - -If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials. - -> [!NOTE] -> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. - -  -**Prerequisites:** - -- Both phone and PC must be running Windows 10, version 1607. -- The PC must be running Windows 10 Pro, Enterprise, or Education -- Both phone and PC must have Bluetooth. -- The **Microsoft Authenticator** app must be installed on the phone. -- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. -- The phone must be joined to Azure AD or have a work account added. -- The VPN configuration profile must use certificate-based authentication. - -**Pair the PC and phone** - -1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing. - - ![bluetooth pairing](images/btpair.png) - -2. On the phone, go to **Settings** > **Devices** > **Bluetooth**, and verify that the passcode for **Pairing accessory** on the phone matches the passcode displayed on the PC, and then tap **ok**. - - ![bluetooth pairing passcode](images/bt-passcode.png) - -3. On the PC, tap **Yes**. - -**Sign in to PC using the phone** - - -1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to. - > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account. - - ![select a device](images/phone-signin-device-select.png) -   -2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account. - -**Connect to VPN** - -You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect. - -## Related topics - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) diff --git a/windows/keep-secure/remote-credential-guard.md b/windows/keep-secure/remote-credential-guard.md index a8f2f46557..0ae8111073 100644 --- a/windows/keep-secure/remote-credential-guard.md +++ b/windows/keep-secure/remote-credential-guard.md @@ -34,7 +34,7 @@ Use the following table to compare different security options for Remote Desktop > [!NOTE] > This table compares different options than are shown in the previous diagram. -| Remote Desktop with Credential Delegation | Remote Credential Guard | Restricted Admin mode | +| Remote Desktop | Remote Credential Guard | Restricted Admin mode | |---|---|---| | Protection: Provides **less protection** than other modes in this table. | Protection: Provides **moderate protection**, compared to other modes in this table. | Protection: Provides **the most protection** of the modes in this table. However, it also requires you to be in the local “Administrators” group on the remote computer. | | Version support: The remote computer can be running **any operating system that supports credential delegation**, which was introduced in Windows Vista. | Version support: The remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | Version support: The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). | diff --git a/windows/keep-secure/tpm-fundamentals.md b/windows/keep-secure/tpm-fundamentals.md index efb080c89c..044bb0c1be 100644 --- a/windows/keep-secure/tpm-fundamentals.md +++ b/windows/keep-secure/tpm-fundamentals.md @@ -67,11 +67,7 @@ The TPM can be used to protect certificates and RSA keys. The TPM key storage pr ## TPM Cmdlets -If you are using PowerShell to script and manage your computers, you can now manage the TPM using Windows PowerShell as well. To install the TPM cmdlets use the following command: - -`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` - -For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). ## Physical presence interface diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md index 4fb387f147..1640262ffd 100644 --- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md @@ -8,69 +8,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-why-pin-is-better-than-password --- # Why a PIN is better than a password -**Applies to** -- Windows 10 -- Windows 10 Mobile - -Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? -On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works. - - -## PIN is tied to the device -One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! - -Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device. - -## PIN is local to the device - -A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. -When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. -> **Note:**  For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928). -  -## PIN is backed by hardware - -The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM. - -User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. - -The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked. - -## PIN can be complex - -The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits. - -## What if someone steals the laptop or phone? - -To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. -You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins. - -**Configure BitLocker without TPM** -1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** - -2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.** -3. Go to Control Panel > **System and Security** > **BitLocker Drive Encryption** and select the operating system drive to protect. -**Set account lockout threshold** -1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: - - **Computer Configuration** >**Windows Settings** ?**Security Settings** >**Account Policies** > **Account Lockout Policy** > **Account lockout threshold** - -2. Set the number of invalid logon attempts to allow, and then click OK. - -## Why do you need a PIN to use biometrics? -Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. - -If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello. - -## Related topics - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) -  \ No newline at end of file diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md index a5c487491c..0ed2aa1d28 100644 --- a/windows/keep-secure/windows-10-enterprise-security-guides.md +++ b/windows/keep-secure/windows-10-enterprise-security-guides.md @@ -34,10 +34,6 @@ Get proven guidance to help you better secure and protect your enterprise by usi

[Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)

This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices.

- -

[Microsoft Passport guide](microsoft-passport-guide.md)

-

This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout.

-

[Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)

This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.

diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index ca368e846f..379a453284 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md +++ b/windows/keep-secure/windows-hello-in-enterprise.md @@ -8,84 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-biometrics-in-enterprise --- # Windows Hello biometrics in the enterprise -**Applies to:** - -- Windows 10 - -Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. - -> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. - -##How does Windows Hello work? -Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. - -The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. - -## Why should I let my employees use Windows Hello? -Windows Hello provides many benefits, including: - -- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge. - -- Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords! - -- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic. - -## Where is Microsoft Hello data stored? -The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor. - -## Has Microsoft set any device requirements for Windows Hello? -We’ve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: - -- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm. - -- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. - -### Fingerprint sensor requirements -To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee’s unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required) and a way to configure them (optional). - -**Acceptable performance range for small to large size touch sensors** - -- False Accept Rate (FAR): <0.001 – 0.002% - -- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% - -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% - -**Acceptable performance range for swipe sensors** - -- False Accept Rate (FAR): <0.002% - -- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% - -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% - -### Facial recognition sensors -To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee’s facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). - -- False Accept Rate (FAR): <0.001 - -- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% - -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% - -## Related topics -- [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) -- [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) -- [Microsoft Passport guide](microsoft-passport-guide.md) -- [Prepare people to use Windows Hello for Work](prepare-people-to-use-microsoft-passport.md) -- [PassportforWork CSP](https://go.microsoft.com/fwlink/p/?LinkId=708219) - -  - -  - - - - - diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index a794ec798f..837fac6dda 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -14,6 +14,12 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). +## February 2017 + +| New or changed topic | Description | +| --- | --- | +| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Added Group Policy setting that blocks user access to Windows Update. | + ## January 2017 | New or changed topic | Description | @@ -24,8 +30,6 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. | | [Manage device restarts after updates](waas-restart.md) | Added Registry keys for controlling restarts. | - - ## December 2016 | New or changed topic | Description | diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md index cf6a6dab79..2ccace55f5 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -15,17 +15,18 @@ localizationpriority: medium **Applies to** -- Windows 10 +- Windows 10 +- Windows 10 Mobile **Looking for consumer information?** - [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. > **Note:** Customized taskbar configuration cannot be applied using MDM at this time. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile. **Warning**   When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 8ec42b3218..7cc8395f8b 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -15,18 +15,19 @@ localizationpriority: medium **Applies to** -- Windows 10 +- Windows 10 +- Windows 10 Mobile **Looking for consumer information?** - [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Enterprise and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. >[!IMPORTANT] >If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile. ## How Start layout control works @@ -48,14 +49,12 @@ Three features enable Start and taskbar layout control: Use the [Imaging and Configuration Designer (ICD) tool](https://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. 1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). 2. Choose **Advanced provisioning**. - - 3. Name your project, and click **Next**. 4. Choose **All Windows desktop editions** and click **Next**. diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c7c8415926..83ba743e69 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -25,8 +25,9 @@ If you want to minimize connections from Windows to Microsoft services, or confi You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. +To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article. +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. ## What's new in Windows 10, version 1607 and Windows Server 2016 @@ -1359,5 +1360,3 @@ You can turn off automatic updates by doing one of the following. This is not re - **5**. Turn off automatic updates. To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). - -To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. diff --git a/windows/manage/waas-configure-wufb.md b/windows/manage/waas-configure-wufb.md index 9626d2e24f..fcb36d20f6 100644 --- a/windows/manage/waas-configure-wufb.md +++ b/windows/manage/waas-configure-wufb.md @@ -182,9 +182,9 @@ Below are quick-reference tables of the supported Windows Update for Business po | MDM Key | Key type | Value | | --- | --- | --- | | BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)
32: systems take Feature Updates for the Current Branch for Business (CBB)
Note: Other value or absent: receive all applicable updates (CB) | -| DeferQualityUpdatesPeriod | REG_DWORD | 0-30: defer quality updates by given days | +| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days | | PauseQualityUpdates | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | -| DeferFeatureUpdatesPeriod | REG_DWORD | 0-180: defer feature updates by given days | +| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days | | PauseFeatureUpdates | REG_DWORD | 1: pause feature updates
Other value or absent: don’t pause feature updates | | ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
Other value or absent: offer Windows Update drivers | diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index 9b3dc0a522..b1701d80d9 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md @@ -19,6 +19,10 @@ localizationpriority: high Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager. +Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet. + +For more details, see [Download mode](#download-mode). + >[!NOTE] >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. @@ -33,17 +37,19 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op Several Delivery Optimization features are configurable. + + ### Download mode (DODownloadMode) Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. | Download mode option | Functionality when set | | --- | --- | -| HTTP Only (0) | This setting disables peer content sharing but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. | +| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. | | Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | -| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable or unreachable. | +| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. | >[!NOTE] diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index f42352f643..7e62bcbf3a 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md @@ -190,6 +190,13 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
+## Block user access to Windows Update settings + +In Windows 10, administrators can control user access to Windows Update. +By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. + +>[!NOTE] +> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform. ## Related topics diff --git a/windows/manage/windows-libraries.md b/windows/manage/windows-libraries.md new file mode 100644 index 0000000000..1608798dce --- /dev/null +++ b/windows/manage/windows-libraries.md @@ -0,0 +1,128 @@ +--- +ms.assetid: e68cd672-9dea-4ff8-b725-a915f33d8fd2 +title: Windows Libraries +ms.prod: windows-server-threshold +ms.author: jgerend +ms.manager: dongill +ms.technology: storage +ms.topic: article +author: jasongerend +ms.date: 2/6/2017 +description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. +--- +> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 + +# Windows Libraries + +Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. + +## Features for Users + +Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users: +- Aggregate content from multiple storage locations into a single, unified presentation. +- Enable users to stack and group library contents based on metadata. +- Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu. +- Support customized filter search suggestions, based on the types of files contained in the library. +- Enable users to create new libraries and specify which folders they want to include. + +## Features for Administrators + +Administrators can configure and control Windows libraries in the following ways: +- Create custom libraries by creating and deploying Library Description (*.library-ms) files. +- Hide or delete the default libraries. (The Library node itself cannot be hidden or deleted from the Windows Explorer navigation pane.) +- Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User. +- Specify locations to include in a library. +- Remove a default location from a library. +- Remove advanced libraries features, when the environment does not support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) Group Policy. This makes all libraries basic (see [Indexing Requirements and Basic Libraries](https://technet.microsoft.com/library/dd744693.aspx#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources. + +## More about Libraries + +The following is important information about libraries you may need to understand to successfully manage your enterprise. + +### Library Contents + +Including a folder in a library does not physically move or change the storage location of the files or folders; the library is a view into those folders. However, users interacting with files in a library are copying, moving, and deleting the files themselves, not copies of these files. + +### Default Libraries and Known Folders + +The default libraries include: +- Documents +- Music +- Pictures +- Videos + +Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with. These known folders are automatically included in the default libraries and set as the default save location. That is, when users drag, copy, or save a file to the Documents library, the file is moved, copied, or saved to the My Documents folder. Administrators and users can change the default save-to location. + +### Hiding Default Libraries + +Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane cannot be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they do not exist on the computer. See [How to Hide Default Libraries](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_HideDefaultLibraries) for instructions. + +### Default Save Locations for Libraries + +Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location. +If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations cannot be saved to, then the save operation fails. + +### Indexing Requirements and “Basic” Libraries + +Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing is not enabled for one or more locations within a library, the entire library reverts to basic functionality: +- No support for metadata browsing via **Arrange By** views. +- Grep-only searches. +- Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**. +- No support for searching from the Start menu. Start menu searches do not return files from basic libraries. +- No previews of file snippets for search results returned in Content mode. + +To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that are not indexed remotely can be added to the local index using Offline File synchronization. This gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations which are not indexed remotely and are not using folder redirection to gain the benefits of being indexed locally. + +For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_EnableIndexLocations). + +If your environment does not support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) data Group Policy. This makes all libraries basic. For further information, see [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx). + +### Folder Redirection + +While library files themselves cannot be redirected, you can redirect known folders included in libraries by using [Folder Redirection](https://technet.microsoft.com/library/hh848267.aspx). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. + +### Supported storage locations + +The following table show which locations are supported in Windows libraries. + +|Supported Locations|Unsupported Locations| +|---|---| +|Fixed local volumes (NTFS/FAT)|Removable drives| +|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)

Network shares that are accessible through DFS Namespaces or are part of a failover cluster| +|Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed

Network Attached Storage (NAS) devices| +||Other data sources: SharePoint, Exchange, etc.| + +\* For shares that are indexed on a departmental server, Windows Search works well in workgroups or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics: + +- Expected maximum load is four concurrent query requests. +- Expected indexing corpus is a maximum of one million documents. +- Users directly access the server. That is, the server is not made available through DFS Namespaces. +- Users are not redirected to another server in case of failure. That is, server clusters are not used. + +### Library Attributes + +The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms): +- Name +- Library locations +- Order of library locations +- Default save location + +The library icon can be modified by the administrator or user by directly editing the Library Description schema file. + +See the [Library Description Schema](http://go.microsoft.com/fwlink/?LinkId=159581) topic on MSDN for information on creating Library Description files. + +## See also + +### Concepts + +- [Windows Search Features ](https://technet.microsoft.com/library/dd744686.aspx) +- [Windows Indexing Features](https://technet.microsoft.com/library/dd744700.aspx) +- [Federated Search Features](https://technet.microsoft.com/library/dd744682.aspx) +- [Administrative How-to Guides](https://technet.microsoft.com/library/ee461108.aspx) +- [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx) +- [Additional Resources for Windows Search, Browse, and Organization](https://technet.microsoft.com/library/dd744695.aspx) + +### Other resources + +- [Folder Redirection, Offline Files, and Roaming User Profiles](https://technet.microsoft.com/library/hh848267.aspx) +- [Library Description Schema](https://msdn.microsoft.com/library/dd798389.aspx) diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index c672a255a8..4944339989 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -1,4 +1,5 @@ # [What's new in Windows 10](index.md) +## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) ## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) ## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index ff170bce3b..b64a85a590 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10 (Windows 10) -description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more. +description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Windows Hello, Device Guard, and more. ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic"] ms.prod: w10 @@ -15,6 +15,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## In this section +- [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) - [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) - [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 92c077d28e..6121188e6d 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -13,7 +13,9 @@ localizationpriority: high Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511. -> **Note:** For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +>[!NOTE] +>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +  ## Deployment diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index 2a85e07f4d..1c6c94f739 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -14,7 +14,9 @@ localizationpriority: high Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update). -> **Note:** For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +>[!NOTE] +>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +    ## Deployment diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md new file mode 100644 index 0000000000..3d06a1b80a --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -0,0 +1,23 @@ +--- +title: What's new in Windows 10, version 1607 (Windows 10) +description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile. +keywords: ["What's new in Windows 10", "Windows 10", "creators update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: TrudyHa +localizationpriority: high +--- + +# What's new in Windows 10, version 1703 + +Below is a list of some of the new and updated features in Windows 10, version 1703 (also known as the Creators Update). + +>[!NOTE] +>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +  + + +## Learn more + +- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info)