Automatic mode (default) is recommended for organizations with standard Original Equipment Manufacturer (OEM) devices where no recent driver or hardware issues have occurred due to Windows Updates. Automatic mode ensures the most secure drivers are installed using Autopatch deployment ring rollout.
| -| Self-managed | When you use the the **Self-managed** mode for drivers and firmware, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.Self-managed mode turns off Windows Autopatch’s automatic driver deployment. Instead, the Administrator controls the driver deployment.
The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.
The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.
| +| Self-managed | When you use **Self-managed** mode, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.Self-managed mode turns off Windows Autopatch’s automatic driver deployment. Instead, the Administrator controls the driver deployment.
The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.
The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.
| ## Set driver and firmware updates to Automatic or Self-managed mode diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md index 5c0649bc8e..21a44e576c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md @@ -1,7 +1,7 @@ --- title: Microsoft Teams description: This article explains how Microsoft Teams updates are managed in Windows Autopatch -ms.date: 05/30/2022 +ms.date: 09/15/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index 425952dd5a..5ac998067b 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md @@ -55,7 +55,7 @@ For more information and assistance with preparing for your Windows Autopatch de | [Register devices](../deploy/windows-autopatch-register-devices.md)Windows 11 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
-|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
-|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
-|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher
Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.|
-|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| -|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher
Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| -|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** Event logs aren't collected from your Application Guard container.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
+|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
+|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise or Pro or Education|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| +|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
## Application Guard support dialog settings
These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you're presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it's possible to provide additional information in the dialog box.
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
index eeac8ba0d1..ac710efb7a 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
@@ -27,7 +27,8 @@ Standalone mode is applicable for:
- Windows 10 Enterprise edition, version 1709 and later
- Windows 10 Pro edition, version 1803 and later
-- Windows 11 and later
+- Windows 10 Education edition, version 1809 and later
+- Windows 11 Enterprise, Education, or Pro editions
## Enterprise-managed mode
@@ -36,7 +37,8 @@ You and your security department can define your corporate boundaries by explici
Enterprise-managed mode is applicable for:
- Windows 10 Enterprise edition, version 1709 and later
-- Windows 11 and later
+- Windows 10 Education edition, version 1809 and later
+- Windows 11 Enterprise or Education editions
The following diagram shows the flow between the host PC and the isolated container.
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
index 190662392c..e27e886eea 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -34,6 +34,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl
| Software | Description |
|--------|-----------|
-| Operating system | Windows 10 Enterprise edition, version 1809 or later
Windows 10 Professional edition, version 1809 or later
Windows 10 Professional for Workstations edition, version 1809 or later
Windows 10 Professional Education edition, version 1809 or later
Windows 10 Education edition, version 1809 or later
Windows 11 Education, Enterprise, and Professional editions |
+| Operating system | Windows 10 Enterprise or Education editions, version 1809 or later
Windows 10 Professional edition, version 1809 or later (only [standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard#standalone-mode) is supported)
Windows 11 Education or Enterprise editions
Windows 11 Professional edition (only [Standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard#standalone-mode) is supported) |
| Browser | Microsoft Edge |
| Management system
(only for managed devices)| [Microsoft Intune](/intune/)
**OR**
[Microsoft Configuration Manager](/configmgr/)
**OR**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**OR**
Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Microsoft MDM solutions, see the documentation that came with your product. |
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
index 02bb837f09..928d31e27b 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
@@ -47,10 +47,11 @@ Windows Sandbox has the following properties:
2. Enable virtualization on the machine.
- If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
- - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
+ - If you're using a virtual machine, you need to enable nested virtualization. If needed, also update the VM to support nested virtualization. Run the following PowerShell commands on the host:
```powershell
Set-VMProcessor -VMName Not configured: Device doesn't provision Windows Hello for Business for any user. Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. Disabled: Device doesn't provision Windows Hello for Business for any user.|
-|Use a hardware security device|Computer| Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available. Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set. Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
-|Use certificate for on-premises authentication|Computer or user| Not configured: Windows Hello for Business enrolls a key that is used for on-premises authentication. Enabled: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication. Disabled: Windows Hello for Business enrolls a key that is used for on-premises authentication.|
-|Use PIN recovery|Computer| Added in Windows 10, version 1703 Not configured: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset Disabled: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
-|Use biometrics|Computer| Not configured: Biometrics can be used as a gesture in place of a PIN Enabled: Biometrics can be used as a gesture in place of a PIN. Disabled: Only a PIN can be used as a gesture.|
+|Use Windows Hello for Business|Computer or user|- **Not configured**: Device doesn't provision Windows Hello for Business for any user. Not configured: Users must include a digit in their PIN. Enabled: Users must include a digit in their PIN. Disabled: Users can't use digits in their PIN.|
-|Require lowercase letters|Computer| Not configured: Users can't use lowercase letters in their PIN Enabled: Users must include at least one lowercase letter in their PIN. Disabled: Users can't use lowercase letters in their PIN.|
-|Maximum PIN length|Computer| Not configured: PIN length must be less than or equal to 127. Enabled: PIN length must be less than or equal to the number you specify. Disabled: PIN length must be less than or equal to 127.|
-|Minimum PIN length|Computer| Not configured: PIN length must be greater than or equal to 4. Enabled: PIN length must be greater than or equal to the number you specify. Disabled: PIN length must be greater than or equal to 4.|
-|Expiration|Computer| Not configured: PIN doesn't expire. Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0. Disabled: PIN doesn't expire.|
-|History|Computer| Not configured: Previous PINs aren't stored. Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused. Disabled: Previous PINs aren't stored. Not configured: Windows allows, but doesn't require, special characters in the PIN. Enabled: Windows requires the user to include at least one special character in their PIN. Disabled: Windows doesn't allow the user to include special characters in their PIN.|
-|Require uppercase letters|Computer| Not configured: Users can't include an uppercase letter in their PIN. Enabled: Users must include at least one uppercase letter in their PIN. Disabled: Users can't include an uppercase letter in their PIN.|
+|Require digits|Computer|- **Not configured**: Users must include a digit in their PIN. True: Windows Hello for Business will be provisioned for all users on the device. False: Users won't be able to provision Windows Hello for Business. True: Windows Hello for Business will only be provisioned using TPM. False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
-|ExcludeSecurityDevice TPM12|Device|False|Added in Windows 10, version 1703 True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.|
-|EnablePinRecovery|Device or use|False| Added in Windows 10, version 1703 True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset. False: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
+|UsePassportForWork|Device or user|True|- True: Windows Hello for Business will be provisioned for all users on the device. True: Biometrics can be used as a gesture in place of a PIN for domain sign-in. False: Only a PIN can be used as a gesture for domain sign-in.|
-| FacialFeaturesUser EnhancedAntiSpoofing|Device|Not configured| Not configured: users can choose whether to turn on enhanced anti-spoofing. True: Enhanced anti-spoofing is required on devices which support it. False: Users can't turn on enhanced anti-spoofing.|
+|UseBiometrics|Device |False|- True: Biometrics can be used as a gesture in place of a PIN for domain sign-in. 0: Digits are allowed. 1: At least one digit is required. 2: Digits aren't allowed.|
-|Lowercase letters |Device or user|2| 0: Lowercase letters are allowed. 1: At least one lowercase letter is required. 2: Lowercase letters aren't allowed.|
-|Special characters|Device or user|2| 0: Special characters are allowed. 1: At least one special character is required. 2: Special characters aren't allowed.|
-|Uppercase letters|Device or user|2| 0: Uppercase letters are allowed. 1: At least one uppercase letter is required. 2: Uppercase letters aren't allowed.|
-|Maximum PIN length |Device or user|127 | Maximum length that can be set is 127. Maximum length can't be less than minimum setting.|
-|Minimum PIN length|Device or user|6| Minimum length that can be set is 6. Minimum length can't be greater than maximum setting.|
-|Expiration |Device or user|0| Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.|
-|History|Device or user|0| Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required.|
+|Digits |Device or user|1 |- 0: Digits are allowed.
-Prevent changes to the BIOS settings|
+|**Hardware Rooted Trust Platform Secure Boot**|- Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby - Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification)|- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware. - HSTI provides security assurance for correctly secured silicon and platform|
+|**Firmware Update through Windows Update**|- Firmware must support field updates through Windows Update and UEFI encapsulation update|Helps ensure that firmware updates are fast, secure, and reliable.|
+|**Securing Boot Configuration and Management**|- Required BIOS capabilities: ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should use ISV-provided certificates or OEM certificate for the specific UEFI software|- Enterprises can choose to allow proprietary EFI drivers/applications to run - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots|
+|**VBS enablement of No-Execute (NX) protection for UEFI runtime services**|- VBS enables NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet the following requirements: - Implement UEFI 2.6 `EFI_MEMORY_ATTRIBUTES_TABLE`. All UEFI runtime service memory (code and data) must be described by this table - PE sections must be page-aligned in memory (not required for in non-volatile storage). - The Memory Attributes Table needs to correctly mark code and data as `RO/NX` for configuration by the OS - All entries must include attributes `EFI_MEMORY_RO`, `EFI_MEMORY_XP`, or both. - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writable and non-executable (**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|- Vulnerabilities in UEFI runtime, if any, are blocked from compromising VBS (such as in functions like *UpdateCapsule* and *SetVariable*) - Reduces the attack surface to VBS from system firmware.|
+|**Firmware support for SMM protection**|- The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware
- Blocks additional security attacks against SMM|
+
+> [!IMPORTANT]
+>
+> Regarding **VBS enablement of NX protection for UEFI runtime services**:
+>
+> - It only applies to UEFI runtime service memory, and not UEFI boot service memory
+> - The protection is applied by VBS on OS page tables
+> - Don't use sections that are both writable and executable
+> - Don't attempt to directly modify executable system memory
+> - Don't use dynamic code
+
+## Restrict domain users to specific domain-joined devices
+
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
### Kerberos armoring
-Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
+Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
+
+To enable Kerberos armoring for restricting domain users to specific domain-joined devices:
-**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
- Users need to be in domains that are running Windows Server 2012 R2 or higher
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
-- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
+- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
-### Protecting domain-joined device secrets
+### Protect domain-joined device secrets
-Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
Domain-joined device certificate authentication has the following requirements:
+
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
- KDC EKU present
- - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
+ - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
- Windows devices have the CA issuing the domain controller certificates in the enterprise store.
- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
-#### Deploying domain-joined device certificates
+#### Deploy domain-joined device certificates
To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
-**Creating a new certificate template**
+**Create a new certificate template**
-1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
-2. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
-3. Right-click the new template, and then click **Properties**.
-4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
-5. Click **Client Authentication**, and then click **Remove**.
-6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
+1. From the Certificate Manager console, right-click **Certificate Templates > Manage**
+1. Right-click **Workstation Authentication > Duplicate Template**
+1. Right-click the new template, and then select **Properties**
+1. On the **Extensions** tab, select **Application Policies > Edit**
+1. Select **Client Authentication**, and then select **Remove**
+1. Add the ID-PKInit-KPClientAuth EKU. Select **Add > New**, and then specify the following values:
- Name: Kerberos Client Auth
- Object Identifier: 1.3.6.1.5.2.3.4
-7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
-8. Under **Issuance Policies**, click**High Assurance**.
-9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
+1. On the **Extensions** tab, select **Issuance Policies > Edit**
+1. Under **Issuance Policies**, select **High Assurance**
+1. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box
-Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created.
+Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
-**Enrolling devices in a certificate**
+**Enroll devices in a certificate**
Run the following command:
+
```powershell
CertReq -EnrollCredGuardCert MachineAuthentication
```
@@ -88,7 +117,7 @@ From a Windows PowerShell command prompt, run the following command:
.\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName:"
- **Enabled with UEFI lock**
- **Enabled without lock** |
+
+>[!IMPORTANT]
+> If you want to be able to turn off Credential Guard remotely, choose the option **Enabled without lock**.
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+> [!TIP]
+> You can also configure Credential Guard by using an *account protection* profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| **Setting name**: Turn On Virtualization Based Security
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`
**Data type**: int
**Value**: `1`|
+| **Setting name**: Credential Guard Configuration
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags`
**Data type**: int
**Value**:
**Enabled with UEFI lock**: `1`
**Enabled without lock**: `2`|
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+### Configure Credential Guard with group policy
+
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Device Guard** |Turn On Virtualization Based Security | **Enabled** and select one of the options listed under the **Credential Guard Configuration** dropdown:
- **Enabled with UEFI lock**
- **Enabled without lock**|
+
+>[!IMPORTANT]
+> If you want to be able to turn off Credential Guard remotely, choose the option **Enabled without lock**.
+
+[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)]
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+### Configure Credential Guard with registry settings
+
+To configure devices using the registry, use the following settings:
+
+| Setting |
+|--|
+| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
**Key name**: `EnableVirtualizationBasedSecurity`
**Type**: `REG_DWORD`
**Value**: `1` (to enable Virtualization Based Security)|
+| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
**Key name**: `RequirePlatformSecurityFeatures`
**Type**: `REG_DWORD`
**Value**:
`1` (to use Secure Boot)
`3` (to use Secure Boot and DMA protection) |
+| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
**Key name**: `LsaCfgFlags`
**Type**: `REG_DWORD`
**Value**:
`1` (to enable Credential Guard with UEFI lock)
`2` (to enable Credential Guard without lock)|
+
+Restart the device to apply the change.
+
+> [!TIP]
+> You can enable Credential Guard by setting the registry entries in the [*FirstLogonCommands*](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting.
+
+---
+
+### Verify if Credential Guard is enabled
+
+Checking Task Manager if `LsaIso.exe` is running isn't a recommended method for determining whether Credential Guard is running. Instead, use one of the following methods:
+
+- System Information
+- PowerShell
+- Event Viewer
+
+#### System Information
+
+You can use *System Information* to determine whether Credential Guard is running on a device.
+
+1. Select **Start**, type `msinfo32.exe`, and then select **System Information**
+1. Select **System Summary**
+1. Confirm that **Credential Guard** is shown next to **Virtualization-based Security Services Running**
+
+#### PowerShell
+
+You can use PowerShell to determine whether Credential Guard is running on a device. From an elevated PowerShell session, use the following command:
+
+```powershell
+(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
+```
+
+The command generates the following output:
+
+- **0**: Credential Guard is disabled (not running)
+- **1**: Credential Guard is enabled (running)
+
+#### Event viewer
+
+Perform regular reviews of the devices that have Credential Guard enabled, using security audit policies or WMI queries.\
+Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filter the event sources for *WinInit*:
+
+:::row:::
+ :::column span="1":::
+ **Event ID**
+ :::column-end:::
+ :::column span="3":::
+ **Description**
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ 13 (Information)
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+ Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
+ ```
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ `14` (Information)
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+ Credential Guard (LsaIso.exe) configuration: [**0x0** | **0x1** | **0x2**], **0**
+ ```
+ - The first variable: **0x1** or **0x2** means that Credential Guard is configured to run. **0x0** means that it's not configured to run.
+ - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ `15` (Warning)
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+ Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running;
+ continuing without Credential Guard.
+ ```
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ `16` (Warning)
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+ Credential Guard (LsaIso.exe) failed to launch: [error code]
+ ```
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ `17`
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+ Error reading Credential Guard (LsaIso.exe) UEFI configuration: [error code]
+ ```
+ :::column-end:::
+:::row-end:::
+
+The following event indicates whether TPM is used for key protection. Path: `Applications and Services logs > Microsoft > Windows > Kernel-Boot`
+
+:::row:::
+ :::column span="1":::
+ **Event ID**
+ :::column-end:::
+ :::column span="3":::
+ **Description**
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ 51 (Information)
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+ VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+ ```
+ :::column-end:::
+:::row-end:::
+
+If you're running with a TPM, the TPM PCR mask value is something other than 0.
+
+## Disable Credential Guard
+
+There are different options to disable Credential Guard. The option you choose depends on how Credential Guard is configured:
+
+- Credential Guard running in a virtual machine can be [disabled by the host](#disable-credential-guard-for-a-virtual-machine)
+- If Credential Guard is enabled **with UEFI Lock**, follow the procedure described in [disable Credential Guard with UEFI Lock](#disable-credential-guard-with-uefi-lock)
+- If Credential Guard is enabled **without UEFI Lock**, or as part of the automatic enablement in the Windows 11, version 22H2 update, use one of the following options to disable it:
+ - Microsoft Intune/MDM
+ - Group policy
+ - Registry
+
+[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+
+### Disable Credential Guard with Intune
+
+If Credential Guard is enabled via Intune and without UEFI Lock, disabling the same policy setting disables Credential Guard.
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| Device Guard | Credential Guard | **Disabled** |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| **Setting name**: Credential Guard Configuration
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags`
**Data type**: int
**Value**: `0`|
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+### Disable Credential Guard with group policy
+
+If Credential Guard is enabled via Group Policy and without UEFI Lock, disabling the same group policy setting disables Credential Guard.
+
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Device Guard** |Turn On Virtualization Based Security | **Disabled** |
+
+[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)]
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+### Disable Credential Guard with registry settings
+
+If Credential Guard is enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys to disable it.
+
+| Setting |
+|-|
+| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
**Key name**: `LsaCfgFlags`
**Type**: `REG_DWORD`
**Value**: `0`|
+| **Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard`
**Key name**: `LsaCfgFlags`
**Type**: `REG_DWORD`
**Value**: `0`|
+
+> [!NOTE]
+> Deleting these registry settings may not disable Credential Guard. They must be set to a value of 0.
+
+Restart the device to apply the change.
+
+---
+
+For information on disabling Virtualization-based Security (VBS), see [disable Virtualization-based Security](#disable-virtualization-based-security).
+
+### Disable Credential Guard with UEFI lock
+
+If Credential Guard is enabled with UEFI lock, follow this procedure since the settings are persisted in EFI (firmware) variables.
+
+> [!NOTE]
+> This scenario requires physical presence at the machine to press a function key to accept the change.
+
+1. Follow the steps in [Disable Credential Guard](#disable-credential-guard)
+1. Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
+
+ ```cmd
+ mountvol X: /s
+ copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
+ bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
+ bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
+ mountvol X: /d
+ ```
+
+1. Restart the device. Before the OS boots, a prompt appears notifying that UEFI was modified, and asking for confirmation. The prompt must be confirmed for the changes to persist.
+
+### Disable Credential Guard for a virtual machine
+
+From the host, you can disable Credential Guard for a virtual machine with the following command:
+
+```powershell
+Set-VMSecurity -VMName
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`
**Data type**: int
**Value**: `0`|
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+### Disable VBS with group policy
+
+Configure the policy used to enable VBS to **Disabled**.
+
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Device Guard\Turn on Virtualization Based Security** |Turn On Virtualization Based Security | **Disabled** |
+
+[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)]
+
+Once the policy is applied, restart the device
+
+#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+### Disable VBS with registry settings
+
+Delete the following registry keys:
+
+| Setting |
+|--|
+| Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
Key name: `EnableVirtualizationBasedSecurity` |
+| Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
Key name: `RequirePlatformSecurityFeatures`|
+
+> [!IMPORTANT]
+> If you manually remove the registry settings, make sure to delete them all, otherwise the device might go into BitLocker recovery.
+
+Restart the device to apply the change.
+
+---
+
+If Credential Guard is enabled with UEFI Lock, the EFI variables stored in firmware must be cleared using the command `bcdedit.exe`. From an elevated command prompt, run the following commands:
+
+```cmd
+bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
+bcdedit /set vsmlaunchtype off
+```
+
+## Next steps
+
+- Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article
+- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md)
+
+
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-deviceguard#enablevirtualizationbasedsecurity
+[INT-1]: /mem/intune/configuration/settings-catalog
diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
new file mode 100644
index 0000000000..26ee36124b
--- /dev/null
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -0,0 +1,235 @@
+---
+ms.date: 08/31/2023
+title: Considerations and known issues when using Credential Guard
+description: Considerations, recommendations and known issues when using Credential Guard.
+ms.topic: troubleshooting
+---
+
+# Considerations and known issues when using Credential Guard
+
+It's recommended that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards.
+
+## Wi-fi and VPN considerations
+
+When you enable Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
+
+If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1.
+
+For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS).
+
+## Kerberos considerations
+
+When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\
+Use constrained or resource-based Kerberos delegation instead.
+
+## Third party Security Support Providers considerations
+
+Some third party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\
+It's recommended that custom implementations of SSPs/APs are tested with Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs.
+
+For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package).
+
+## Upgrade considerations
+
+As the depth and breadth of protections provided by Credential Guard are increased, new releases of Windows with Credential Guard running may affect scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities.
+
+Test scenarios required for operations in an organization before upgrading a device using Credential Guard.
+
+## Saved Windows credentials considerations
+
+*Credential Manager* allows you to store three types of credentials:
+
+- Windows credentials
+- Certificate-based credentials
+- Generic credentials
+
+Domain credentials that are stored in *Credential Manager* are protected with Credential Guard.
+
+Generic credentials, such as user names and passwords that you use to sign in websites, aren't protected since the applications require your clear-text password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network.
+
+The following considerations apply to the Credential Guard protections for Credential Manager:
+
+- Windows credentials saved by the Remote Desktop client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message *Logon attempt failed*
+- Applications that extract Windows credentials fail
+- When credentials are backed up from a PC that has Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Credential Guard
+
+## TPM clearing considerations
+
+Virtualization-based Security (VBS) uses the TPM to protect its key. When the TPM is cleared, the TPM protected key used to encrypt VBS secrets is lost.
+
+>[!WARNING]
+> Clearing the TPM results in loss of protected data for all features that use VBS to protect data.
+>
+> When a TPM is cleared, **all** features that use VBS to protect data can no longer decrypt their protected data.
+
+As a result, Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever.
+
+>[!NOTE]
+> Credential Guard obtains the key during initialization. The data loss will only impact persistent data and occur after the next system startup.
+
+### Windows credentials saved to Credential Manager
+
+Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard.
+
+### Domain-joined device's automatically provisioned public key
+
+Active Directory domain-joined devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+
+Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless other policies are deployed, there shouldn't be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+
+Also if any access control checks including authentication policies require devices to have either the `KEY TRUST IDENTITY (S-1-18-4)` or `FRESH PUBLIC KEY IDENTITY (S-1-18-3)` well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
+
+### Breaking DPAPI on domain-joined devices
+
+On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible.
+
+>[!IMPORTANT]
+> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
+
+Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost.
+If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following.
+
+Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller:
+
+|Credential Type | Behavior
+|---|---|---|
+| Certificate (smart card or Windows Hello for Business) | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. |
+| Password | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. |
+
+Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted.
+
+#### Impact of DPAPI failures on Windows Information Protection
+
+When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed.
+
+**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
+
+## Known issues
+
+Credential Guard blocks certain authentication capabilities. Applications that require such capabilities won't function when Credential Guard is enabled.
+
+This article describes known issues when Credential Guard is enabled.
+
+### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2
+
+Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running.
+
+#### Affected devices
+
+Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements).
+
+All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement.
+
+> [!TIP]
+> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
+> If it's present, the device enables Credential Guard after the update.
+>
+> You can Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
+
+#### Cause of the issue
+
+Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include:
+
+- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)
+- Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)
+- MS-CHAP (only SSO is blocked)
+- WDigest (only SSO is blocked)
+- NTLM v1 (only SSO is blocked)
+
+> [!NOTE]
+> Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.
+
+#### How to confirm the issue
+
+MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, version 22H2 update. To confirm if Credential Guard is blocking MS-CHAP or NTLMv1, open the Event Viewer (`eventvwr.exe`) and go to `Application and Services Logs\Microsoft\Windows\NTLM\Operational`. Check the following logs:
+
+:::row:::
+ :::column span="1":::
+ **Event ID (type)**
+ :::column-end:::
+ :::column span="3":::
+ **Description**
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ 4013 (Warning)
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+
- **Enabled**: Device provisions Windows Hello for Business using keys or certificates for all users.
- **Disabled**: Device doesn't provision Windows Hello for Business for any user.|
+|Use a hardware security device|Computer|- **Not configured**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.
- **Enabled**: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.
- **Disabled**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
+|Use certificate for on-premises authentication|Computer or user|- **Not configured**: Windows Hello for Business enrolls a key that is used for on-premises authentication.
- **Enabled**: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.
- **Disabled**: Windows Hello for Business enrolls a key that is used for on-premises authentication.|
+|Use PIN recovery|Computer|- Added in Windows 10, version 1703
- **Not configured**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service
- **Enabled**: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset
- **Disabled**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service.
- For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
+|Use biometrics|Computer|- **Not configured**: Biometrics can be used as a gesture in place of a PIN
- **Enabled**: Biometrics can be used as a gesture in place of a PIN.
- **Disabled**: Only a PIN can be used as a gesture.|
### PIN Complexity
|Policy|Scope|Options|
|--- |--- |--- |
-|Require digits|Computer|
- **Enabled**: Users must include a digit in their PIN.
- **Disabled**: Users can't use digits in their PIN.|
+|Require lowercase letters|Computer|- **Not configured**: Users can't use lowercase letters in their PIN
- **Enabled**: Users must include at least one lowercase letter in their PIN.
- **Disabled**: Users can't use lowercase letters in their PIN.|
+|Maximum PIN length|Computer|- **Not configured**: PIN length must be less than or equal to 127.
- **Enabled**: PIN length must be less than or equal to the number you specify.
- **Disabled**: PIN length must be less than or equal to 127.|
+|Minimum PIN length|Computer|- **Not configured**: PIN length must be greater than or equal to 4.
- **Enabled**: PIN length must be greater than or equal to the number you specify.
- **Disabled**: PIN length must be greater than or equal to 4.|
+|Expiration|Computer|- **Not configured**: PIN doesn't expire.
- **Enabled**: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.
- **Disabled**: PIN doesn't expire.|
+|History|Computer|- **Not configured**: Previous PINs aren't stored.
- **Enabled**: Specify the number of previous PINs that can be associated to a user account that can't be reused.
- **Disabled**: Previous PINs aren't stored.
**Note** Current PIN is included in PIN history.
+|Require special characters|Computer|- **Not configured**: Windows allows, but doesn't require, special characters in the PIN.
- **Enabled**: Windows requires the user to include at least one special character in their PIN.
- **Disabled**: Windows doesn't allow the user to include special characters in their PIN.|
+|Require uppercase letters|Computer|- **Not configured**: Users can't include an uppercase letter in their PIN.
- **Enabled**: Users must include at least one uppercase letter in their PIN.
- **Disabled**: Users can't include an uppercase letter in their PIN.|
### Phone Sign-in
@@ -56,34 +56,34 @@ The following table lists the Group Policy settings that you can configure for W
The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](/windows/client-management/mdm/passportforwork-csp).
>[!IMPORTANT]
->Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
+>All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
|Policy|Scope|Default|Options|
|--- |--- |--- |--- |
-|UsePassportForWork|Device or user|True|
- False: Users won't be able to provision Windows Hello for Business.
**Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but won't be able to set up Windows Hello for Business on other devices|
+|RequireSecurityDevice|Device or user|False|- True: Windows Hello for Business will only be provisioned using TPM.
- False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
+|ExcludeSecurityDevice
- TPM12|Device|False|Added in Windows 10, version 1703
- True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.
- False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.|
+|EnablePinRecovery|Device or use|False|- Added in Windows 10, version 1703
- True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.
- False: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
### Biometrics
|Policy|Scope|Default|Options|
|--- |--- |--- |--- |
-|UseBiometrics|Device |False|
- False: Only a PIN can be used as a gesture for domain sign-in.|
+|- FacialFeaturesUser
- EnhancedAntiSpoofing|Device|Not configured|- Not configured: users can choose whether to turn on enhanced anti-spoofing.
- True: Enhanced anti-spoofing is required on devices which support it.
- False: Users can't turn on enhanced anti-spoofing.|
### PINComplexity
|Policy|Scope|Default|Options|
|--- |--- |--- |--- |
-|Digits |Device or user|1 |
- 1: At least one digit is required.
- 2: Digits aren't allowed.|
+|Lowercase letters |Device or user|2|- 0: Lowercase letters are allowed.
- 1: At least one lowercase letter is required.
- 2: Lowercase letters aren't allowed.|
+|Special characters|Device or user|2|- 0: Special characters are allowed.
- 1: At least one special character is required.
- 2: Special characters aren't allowed.|
+|Uppercase letters|Device or user|2|- 0: Uppercase letters are allowed.
- 1: At least one uppercase letter is required.
- 2: Uppercase letters aren't allowed.|
+|Maximum PIN length |Device or user|127 |- Maximum length that can be set is 127. Maximum length can't be less than minimum setting.|
+|Minimum PIN length|Device or user|6|- Minimum length that can be set is 6. Minimum length can't be greater than maximum setting.|
+|Expiration |Device or user|0|- Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.|
+|History|Device or user|0|- Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required.|
### Remote
@@ -92,42 +92,15 @@ The following table lists the MDM policy settings that you can configure for Win
|UseRemotePassport|Device or user|False|Not currently supported.|
>[!NOTE]
-> In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN.
+> If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN.
## Policy conflicts from multiple policy sources
-Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device.
+Windows Hello for Business is designed to be managed by group policy or MDM, but not a combination of both. Avoid mixing group policy and MDM policy settings for Windows Hello for Business. If you mix group policy and MDM policy settings, the MDM settings are ignored until all group policy settings are cleared.
-Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy.
+> [!IMPORTANT]
+> The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*.
-Feature enablement policy and certificate trust policy are grouped together and enforced from the same source (either GP or MDM), based on the rule above. The Use Passport for Work policy is used to determine the winning policy source.
+## Policy precedence
-All PIN complexity policies are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis.
-
->[!NOTE]
-> Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP.
->
->Examples
->
->The following are configured using computer Group Policy:
->
->- Use Windows Hello for Business - Enabled
->- User certificate for on-premises authentication - Enabled
->
->The following are configured using device MDM Policy:
->
->- UsePassportForWork - Disabled
->- UseCertificateForOnPremAuth - Disabled
->- MinimumPINLength - 8
->- Digits - 1
->- LowercaseLetters - 1
->- SpecialCharacters - 1
->
->Enforced policy set:
->
->- Use Windows Hello for Business - Enabled
->- Use certificate for on-premises authentication - Enabled
->- MinimumPINLength - 8
->- Digits - 1
->- LowercaseLetters - 1
->- SpecialCharacters - 1
\ No newline at end of file
+Windows Hello for Business *user policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 0ce80daac5..8375e0ebd3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -88,7 +88,7 @@ The key trust type does not require issuing authentication certificates to end u
The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
> [!NOTE]
-> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
+> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md).
#### Device registration
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index 4ba5142f01..24b362c125 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business Videos
description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
-ms.date: 03/09/2023
+ms.date: 09/07/2023
ms.topic: get-started
---
# Windows Hello for Business Videos
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/aduc-account-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/aduc-account-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/exclude-credential-providers-properties.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/exclude-credential-providers-properties.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/four-steps-passwordless-strategy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/four-steps-passwordless-strategy.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-exclude-credential-providers.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-exclude-credential-providers.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-require-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-require-smart-card-policy.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-security-options.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-security-options.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/require-whfb-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/require-whfb-smart-card-policy.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/server-2012-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/server-2012-adac-user-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-domain-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-domain-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-user-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png
new file mode 100644
index 0000000000..06a13b6f1a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg b/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg
new file mode 100644
index 0000000000..dd8c09b2dd
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg
@@ -0,0 +1,11 @@
+
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png
new file mode 100644
index 0000000000..ccfade47d9
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png
new file mode 100644
index 0000000000..abb9b6456d
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png
new file mode 100644
index 0000000000..8913baa8ce
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png
new file mode 100644
index 0000000000..b0d03a6299
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif
index 2ef07cd63c..d8aba4d740 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif differ
diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md
index 86a2aa8e8d..e0d3b1306e 100644
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -91,7 +91,7 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Azure AD as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
-Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
+Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Remote Credential Guard](../remote-credential-guard.md).
## Learn more
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 690c5f984c..c3a0d37737 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -13,7 +13,7 @@ This article describes Windows' password-less strategy and how Windows Hello for
Over the past few years, Microsoft has continued their commitment to enabling a world without passwords.
-:::image type="content" source="images/passwordless/four-steps-passwordless-strategy.png" alt-text="Diagram of stair-step strategy with four steps.":::
+:::image type="content" source="images/passwordless-strategy/four-steps-passwordless-strategy.png" alt-text="Diagram of stair-step strategy with four steps.":::
### 1. Develop a password replacement offering
@@ -224,17 +224,17 @@ Windows provides two ways to prevent your users from using passwords. You can us
You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
-:::image type="content" source="images/passwordless/gpmc-security-options.png" alt-text="The Group Policy Management Editor displaying the location of the Security Options node.":::
+:::image type="content" source="images/passwordless-strategy/gpmc-security-options.png" alt-text="The Group Policy Management Editor displaying the location of the Security Options node.":::
**Windows Server 2016 and earlier**
The policy name for these operating systems is **Interactive logon: Require smart card**.
-:::image type="content" source="images/passwordless/gpmc-require-smart-card-policy.png" alt-text="The Group Policy Management Editor displaying the location of the policy 'Interactive logon: Require smart card'.":::
+:::image type="content" source="images/passwordless-strategy/gpmc-require-smart-card-policy.png" alt-text="The Group Policy Management Editor displaying the location of the policy 'Interactive logon: Require smart card'.":::
**Windows 10, version 1703 or later using Remote Server Administrator Tools**
The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
-:::image type="content" source="images/passwordless/require-whfb-smart-card-policy.png" alt-text="Highlighting the security policy 'Interactive logon: Require Windows Hello for Business or smart card'.":::
+:::image type="content" source="images/passwordless-strategy/require-whfb-smart-card-policy.png" alt-text="Highlighting the security policy 'Interactive logon: Require Windows Hello for Business or smart card'.":::
When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
@@ -242,11 +242,11 @@ When you enable this security policy setting, Windows prevents users from signin
You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**:
-:::image type="content" source="images/passwordless/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'.":::
+:::image type="content" source="images/passwordless-strategy/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'.":::
The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`.
-:::image type="content" source="images/passwordless/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'.":::
+:::image type="content" source="images/passwordless-strategy/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'.":::
Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This configuration prevents the user from entering a password using the credential provider. However, this change doesn't prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
@@ -296,7 +296,7 @@ The account options on a user account include the option **Smart card is require
The following image shows the SCRIL setting for a user in Active Directory Users and Computers:
-:::image type="content" source="images/passwordless/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options.":::
+:::image type="content" source="images/passwordless-strategy/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options.":::
When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Users will no longer need to change their password when it expires, because passwords for SCRIL users don't expire. The users are effectively password-less because:
@@ -307,7 +307,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect
The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012:
-:::image type="content" source="images/passwordless/server-2012-adac-user-scril.png" alt-text="Example user properties in Windows Server 2012 Active Directory Administrative Center that shows the SCRIL setting.":::
+:::image type="content" source="images/passwordless-strategy/server-2012-adac-user-scril.png" alt-text="Example user properties in Windows Server 2012 Active Directory Administrative Center that shows the SCRIL setting.":::
> [!NOTE]
> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account to generate a new random 128 bit password. Use the following process to toggle this configuration:
@@ -321,7 +321,7 @@ The following image shows the SCRIL setting for a user in Active Directory Admin
The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016:
-:::image type="content" source="images/passwordless/server-2016-adac-user-scril.png" alt-text="Example user properties in Windows Server 2016 Active Directory Administrative Center that shows the SCRIL setting.":::
+:::image type="content" source="images/passwordless-strategy/server-2016-adac-user-scril.png" alt-text="Example user properties in Windows Server 2016 Active Directory Administrative Center that shows the SCRIL setting.":::
> [!TIP]
> Windows Hello for Business was formerly known as Microsoft Passport.
@@ -332,8 +332,7 @@ Domains configured for Windows Server 2016 or later domain functional level can
In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128-bit password for the user as part of the authentication. This feature is great because your users don't experience any change password notifications or any authentication outages.
-:::image type="content" source="images/passwordless/server-2016-adac-domain-scril.png" alt-text="The Active Directory Administrative Center on Windows Server 2016 showing the domain setting for SCRIL.":::
+:::image type="content" source="images/passwordless-strategy/server-2016-adac-domain-scril.png" alt-text="The Active Directory Administrative Center on Windows Server 2016 showing the domain setting for SCRIL.":::
> [!NOTE]
> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
-
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index ad2fc7674a..cc9f23c50f 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -4,8 +4,6 @@ items:
- name: Concepts
expanded: true
items:
- - name: Passwordless strategy
- href: passwordless-strategy.md
- name: Why a PIN is better than a password
href: hello-why-pin-is-better-than-password.md
- name: Windows Hello biometrics in the enterprise
@@ -112,6 +110,8 @@ items:
items:
- name: PIN reset
href: hello-feature-pin-reset.md
+ - name: Windows Hello Enhanced Security Sign-in (ESS) 🔗
+ href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
- name: Dual enrollment
href: hello-feature-dual-enrollment.md
- name: Dynamic Lock
diff --git a/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png b/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png
deleted file mode 100644
index f7767ac5f0..0000000000
Binary files a/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/remote-credential-guard-gp.png b/windows/security/identity-protection/images/remote-credential-guard-gp.png
deleted file mode 100644
index f7db3ee411..0000000000
Binary files a/windows/security/identity-protection/images/remote-credential-guard-gp.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/remote-credential-guard.gif b/windows/security/identity-protection/images/remote-credential-guard.gif
new file mode 100644
index 0000000000..effe8a4bc2
Binary files /dev/null and b/windows/security/identity-protection/images/remote-credential-guard.gif differ
diff --git a/windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png b/windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png
deleted file mode 100644
index 56021d820e..0000000000
Binary files a/windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png and /dev/null differ
diff --git a/windows/security/identity-protection/passkeys/images/delete-passkey.png b/windows/security/identity-protection/passkeys/images/delete-passkey.png
new file mode 100644
index 0000000000..1363d8db62
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/delete-passkey.png differ
diff --git a/windows/security/identity-protection/passkeys/images/device-save-qr.png b/windows/security/identity-protection/passkeys/images/device-save-qr.png
new file mode 100644
index 0000000000..e551a1e528
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/device-save-qr.png differ
diff --git a/windows/security/identity-protection/passkeys/images/device-save.png b/windows/security/identity-protection/passkeys/images/device-save.png
new file mode 100644
index 0000000000..240b3a9695
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/device-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/device-use.png b/windows/security/identity-protection/passkeys/images/device-use.png
new file mode 100644
index 0000000000..5aa3daea3d
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/device-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-save-confirm.png b/windows/security/identity-protection/passkeys/images/hello-save-confirm.png
new file mode 100644
index 0000000000..b9fdda9002
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-save-confirm.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-save.png b/windows/security/identity-protection/passkeys/images/hello-save.png
new file mode 100644
index 0000000000..785a45596b
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-use-confirm.png b/windows/security/identity-protection/passkeys/images/hello-use-confirm.png
new file mode 100644
index 0000000000..4139c708c3
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-use-confirm.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-use.png b/windows/security/identity-protection/passkeys/images/hello-use.png
new file mode 100644
index 0000000000..df46054877
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/laptop.svg b/windows/security/identity-protection/passkeys/images/laptop.svg
new file mode 100644
index 0000000000..2440c97fd5
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/laptop.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/linked-device-connect.png b/windows/security/identity-protection/passkeys/images/linked-device-connect.png
new file mode 100644
index 0000000000..34cb085968
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/linked-device-connect.png differ
diff --git a/windows/security/identity-protection/passkeys/images/linked-device-save.png b/windows/security/identity-protection/passkeys/images/linked-device-save.png
new file mode 100644
index 0000000000..48bd40f658
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/linked-device-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/linked-device-use.png b/windows/security/identity-protection/passkeys/images/linked-device-use.png
new file mode 100644
index 0000000000..5aeacdae7a
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/linked-device-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/phone.svg b/windows/security/identity-protection/passkeys/images/phone.svg
new file mode 100644
index 0000000000..acb1dce81f
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/phone.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/qr-code.svg b/windows/security/identity-protection/passkeys/images/qr-code.svg
new file mode 100644
index 0000000000..d84c521351
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/qr-code.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/save-passkey.png b/windows/security/identity-protection/passkeys/images/save-passkey.png
new file mode 100644
index 0000000000..9dd3799a14
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/save-passkey.png differ
diff --git a/windows/security/identity-protection/passkeys/images/security-key-save.png b/windows/security/identity-protection/passkeys/images/security-key-save.png
new file mode 100644
index 0000000000..a17554e17c
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/security-key-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/security-key-setup.png b/windows/security/identity-protection/passkeys/images/security-key-setup.png
new file mode 100644
index 0000000000..192d63cc74
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/security-key-setup.png differ
diff --git a/windows/security/identity-protection/passkeys/images/security-key-use.png b/windows/security/identity-protection/passkeys/images/security-key-use.png
new file mode 100644
index 0000000000..1513aa359e
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/security-key-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/usb.svg b/windows/security/identity-protection/passkeys/images/usb.svg
new file mode 100644
index 0000000000..18027400c1
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/usb.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/use-passkey.png b/windows/security/identity-protection/passkeys/images/use-passkey.png
new file mode 100644
index 0000000000..1ff07346ea
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/use-passkey.png differ
diff --git a/windows/security/identity-protection/passkeys/images/website.png b/windows/security/identity-protection/passkeys/images/website.png
new file mode 100644
index 0000000000..d344d8dbde
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/website.png differ
diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md
new file mode 100644
index 0000000000..40d33d3ed3
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/index.md
@@ -0,0 +1,329 @@
+---
+title: Support for passkeys in Windows
+description: Learn about passkeys and how to use them on Windows devices.
+ms.collection:
+- highpri
+- tier1
+ms.topic: article
+ms.date: 09/27/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+---
+
+# Support for passkeys in Windows
+
+Passkeys provide a more secure and convenient method to logging into websites and applications compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other sign-in challenges, making the authentication process faster, secure, and more convenient.
+
+You can use passkeys with any applications or websites that support them, to create and sign in with Windows Hello. Once a passkey is created and stored with Windows Hello, you can use your device's biometrics or PIN to sign in. Alternatively, you can use a companion device (phone or tablet) to sign in.
+
+> [!NOTE]
+> Starting in Windows 11, version 22H2 with [KB5030310][KB-1], Windows provides a native experience for passkey management. However, passkeys can be used in all supported versions of Windows clients.
+
+This article describes how to create and use passkeys on Windows devices.
+
+## How passkeys work
+
+Microsoft has long been a founding member of the FIDO Alliance and has helped to define and use passkeys natively within a platform authenticator like Windows Hello. Passkeys utilize the FIDO industry security standard, which is adopted by all major platforms. Leading technology companies like Microsoft are backing passkeys as part of the FIDO Alliance, and numerous websites and apps are integrating support for passkeys.
+
+The FIDO protocols rely on standard public/private key cryptography techniques to offer more secure authentication. When a user registers with an online service, their client device generates a new key pair. The private key is stored securely on the user's device, while the public key is registered with the service. To authenticate, the client device must prove that it possesses the private key by signing a challenge. The private keys can only be used after they're unlocked by the user using the Windows Hello unlock factor (biometrics or PIN).
+
+FIDO protocols prioritize user privacy, as they're designed to prevent online services from sharing information or tracking users across different services. Additionally, any biometric information used in the authentication process remains on the user's device and isn't transmitted across the network or to the service.
+
+### Passkeys compared to passwords
+
+Passkeys have several advantages over passwords, including their ease of use and intuitive nature. Unlike passwords, passkeys are easy to create, don't need to be remembered, and don't need to be safeguarded. Additionally, passkeys are unique to each website or application, preventing their reuse. They're highly secure because they're only stored on the user's devices, with the service only storing public keys. Passkeys are designed to prevent attackers to guess or obtain them, which helps to make them resistant to phishing attempts where the attacker may try to trick the user into revealing the private key. Passkeys are enforced by the browsers or operating systems to only be used for the appropriate service, rather than relying on human verification. Finally, passkeys provide cross-device and cross-platform authentication, meaning that a passkey from one device can be used to sign in on another device.
+
+[!INCLUDE [passkey](../../../../includes/licensing/passkeys.md)]
+
+## User experiences
+
+### Create a passkey
+
+Follow these steps to create a passkey from a Windows device:
+
+:::row:::
+ :::column span="4":::
+
+ 1. Open a website or app that supports passkeys
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+
+ 2. Create a passkey from your account settings
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ 3. Choose where to save the passkey. By default, Windows offers to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations:
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+- **This Windows device**: the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN)
+- **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device
+- **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices
+- **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN)
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="images/save-passkey.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ 4. Select **Next**
+ :::column-end:::
+:::row-end:::
+
+Pick one of the following options to learn how to save a passkey, based on where you want to store it.
+
+#### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows)
+
+:::row:::
+ :::column span="3":::
+
+ 5. Select a Windows Hello verification method and proceed with the verification, then select **OK**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/hello-save.png" alt-text="Screenshot showing the Windows Hello face verification method." lightbox="images/hello-save.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 6. The passkey is saved to your Windows device. To confirm select **OK**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/hello-save-confirm.png" alt-text="Screenshot confirming that the passkey is saved to the Windows device" lightbox="images/hello-save-confirm.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/qr-code.svg" border="false"::: **New phone or tablet**](#tab/mobile)
+
+:::row:::
+ :::column span="3":::
+
+ 5. Scan the QR code with your phone or tablet. Wait for the connection to the device to be established and follow the instructions to save the passkey
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/device-save-qr.png" alt-text="Screenshot showing the QR code asking the user to scan on the device." lightbox="images/device-save-qr.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 6. Once the passkey is saved to your phone or tablet, select **OK**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/device-save.png" alt-text="Screenshot confirming that the passkey is saved to the device." lightbox="images/device-save.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked)
+
+:::row:::
+ :::column span="3":::
+
+ 5. Once the connection to the linked device is established, follow the instructions on the device to save the passkey
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/linked-device-connect.png" alt-text="Screenshot showing the passkey save dialog connecting to a linked device." lightbox="images/linked-device-connect.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 6. Once the passkey is saved to your linked device, select **OK**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/linked-device-save.png" alt-text="Screenshot confirming that the passkey is saved to the linked device." lightbox="images/linked-device-save.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key)
+
+:::row:::
+ :::column span="3":::
+
+ 5. Select **OK** to confirm that you want to set up a security key, and unlock the security key using the key's unlock mechanism
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/security-key-setup.png" alt-text="Screenshot showing a prompt to use a security key to store the passkey." lightbox="images/security-key-setup.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 6. Once the passkey is saved to the security key, select **OK**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/security-key-save.png" alt-text="Screenshot confirming that the passkey is saved to the security key." lightbox="images/security-key-save.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+---
+
+### Use a passkey
+
+Follow these steps to use a passkey:
+
+:::row:::
+ :::column span="3":::
+ 1. Open a website or app that supports passkeys
+ :::column-end:::
+ :::column span="1":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 2. Select **Sign in with a passkey**, or a similar option
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/website.png" alt-text="Screenshot of a website offering the passkey sign in option." lightbox="images/website.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 3. If a passkey is stored locally and protected by Windows Hello, you're prompted to use Windows Hello to sign in. If you select the option **Use another device**, you can choose one of the following options:
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+- **This Windows device**: use this option to use a passkey that is stored locally on your Windows device, and protected by Windows Hello
+- **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device
+- **Linked device**: use this option if you want to sign in with a passkey stored on a device that is in proximity of the Windows device. This option is only supported for Android devices
+- **Security key**: use this option if you want to sign in with a passkey stored on a FIDO2 security key
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." lightbox="images/use-passkey.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+Pick one of the following options to learn how to use a passkey, based on where you saved it.
+
+#### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows)
+
+:::row:::
+ :::column span="3":::
+
+ 4. Select a Windows Hello unlock option
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/hello-use.png" alt-text="Screenshot showing the Windows Hello prompt for a verification method." lightbox="images/hello-use.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 5. Select **OK** to continue signing in
+
+ :::column-end:::
+ :::column span="1":::
+ :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/qr-code.svg" border="false"::: **Phone or tablet**](#tab/mobile)
+
+:::row:::
+ :::column span="3":::
+
+ 4. Scan the QR code with your phone or tablet where you saved the passkey. Once the connection to the device is established, follow the instructions to use the passkey
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/device-use.png" alt-text="Screenshot showing the QR code to scan from your phone or tablet." lightbox="images/device-use.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+
+ 5. You're signed in to the website or app
+
+ :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked)
+
+:::row:::
+ :::column span="3":::
+
+ 4. Once the connection to the linked device is established, follow the instructions on the device to use the passkey
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/linked-device-use.png" alt-text="Screenshot showing that the linked device is connected to Windows." lightbox="images/linked-device-use.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 5. You're signed in to the website or app
+
+ :::column-end:::
+ :::column span="1":::
+ :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key)
+
+:::row:::
+ :::column span="3":::
+
+ 4. Unlock the security key using the key's unlock mechanism
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/security-key-use.png" alt-text="Screenshot showing a prompt asking the user to unlock the security key." lightbox="images/security-key-use.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 5. You're signed in to the website or app
+
+ :::column-end:::
+ :::column span="1":::
+ :::column-end:::
+:::row-end:::
+
+---
+
+### Manage passkeys
+
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can use the Settings app to view and manage passkeys saved for apps or websites. Go to **Settings > Accounts > Passkeys**, or use the following shortcut:
+
+> [!div class="nextstepaction"]
+>
+> [Manage passkeys][MSS-1]
+
+- A list of saved passkeys is displayed and you can filter them by name
+- To delete a passkey, select **... > Delete passkey** next to the passkey name
+
+:::image type="content" source="images/delete-passkey.png" alt-text="Screenshot of the Settings app showing the delete option for a passkey." lightbox="images/delete-passkey.png" border="false":::
+
+> [!NOTE]
+> Some passkeys for *login.microsoft.com* can't be deleted, as they're used with Microsoft Entra ID and/or Microsoft Account for signing in to the device and Microsoft services.
+
+## :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passkey**.
+
+
+
+[FHUB]: feedback-hub:?tabid=2&newFeedback=true
+[KB-1]: https://support.microsoft.com/kb/5030310
+[MSS-1]: ms-settings:savedpasskeys
diff --git a/windows/security/identity-protection/passwordless-experience/images/edge-on.png b/windows/security/identity-protection/passwordless-experience/images/edge-on.png
new file mode 100644
index 0000000000..06a13b6f1a
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/edge-on.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/key-credential-provider.svg b/windows/security/identity-protection/passwordless-experience/images/key-credential-provider.svg
new file mode 100644
index 0000000000..dd8c09b2dd
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-experience/images/key-credential-provider.svg
@@ -0,0 +1,11 @@
+
diff --git a/windows/security/identity-protection/passwordless-experience/images/lock-screen-off.png b/windows/security/identity-protection/passwordless-experience/images/lock-screen-off.png
new file mode 100644
index 0000000000..ccfade47d9
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/lock-screen-off.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/lock-screen-on.png b/windows/security/identity-protection/passwordless-experience/images/lock-screen-on.png
new file mode 100644
index 0000000000..abb9b6456d
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/lock-screen-on.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/uac-off.png b/windows/security/identity-protection/passwordless-experience/images/uac-off.png
new file mode 100644
index 0000000000..8913baa8ce
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/uac-off.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/uac-on.png b/windows/security/identity-protection/passwordless-experience/images/uac-on.png
new file mode 100644
index 0000000000..b0d03a6299
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/uac-on.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/index.md b/windows/security/identity-protection/passwordless-experience/index.md
new file mode 100644
index 0000000000..d42f5fb84f
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-experience/index.md
@@ -0,0 +1,143 @@
+---
+title: Windows passwordless experience
+description: Learn how Windows passwordless experience enables your organization to move away from passwords.
+ms.collection:
+ - highpri
+ - tier1
+ms.date: 09/27/2023
+ms.topic: how-to
+appliesto:
+ - ✅ Windows 11
+---
+
+# Windows passwordless experience
+
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], *Windows passwordless experience* is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.\
+When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords.
+
+With Windows passwordless experience, users who sign in with Windows Hello or a FIDO2 security key:
+
+- Can't use the password credential provider on the Windows lock screen
+- Aren't prompted to use a password during in-session authentications (for example, UAC elevation, password manager in the browser, etc.)
+- Don't have the option *Accounts > Change password* in the Settings app
+
+ >[!NOTE]
+ >Users can reset their password using CTRL+ALT+DEL > **Manage your account**
+
+Windows passwordless experience doesn't affect the initial sign-in experience and local accounts. It only applies to subsequent sign-ins for Microsoft Entra ID accounts. It also doesn't prevent a user from signing in with a password when using the *Other user* option in the lock screen.\
+The password credential provider is hidden only for the last signed in user who signed in Windows Hello or a FIDO2 security key. Windows passwordless experience isn't about preventing users from using passwords, rather to guide and educate them to not use passwords.
+
+This article explains how to enable Windows passwordless experience and describes the user experiences.
+
+>[!TIP]
+> Windows Hello for Business users can achieve passwordless sign-in from the first sign-in using the Web sign-in feature. For more information about Web sign-in, see [Web sign-in for Windows devices](../web-sign-in/index.md).
+
+## System requirements
+
+Windows passwordless experience has the following requirements:
+
+- Windows 11, version 22H2 with [KB5030310][KB-1] or later
+- Microsoft Entra joined
+- Windows Hello for Business credentials enrolled for the user, or a FIDO2 security key
+- MDM-managed: Microsoft Intune or other MDM solution
+
+>[!NOTE]
+>Microsoft Entra hybrid joined devices and Active Directory domain joined devices are currently out of scope.
+
+[!INCLUDE [windows-passwordless-experience](../../../../includes/licensing/windows-passwordless-experience.md)]
+
+## Enable Windows passwordless experience with Intune
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Authentication** | Enable Passwordless Experience | Enabled |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-2] with the [Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience`
- **Data type:** int
- **Value:** `1`|
+
+## User experiences
+
+### Lock screen experience
+
+:::row:::
+ :::column span="3":::
+ **Passwordless experience turned off**: users can sign in using a password, as indicated by the presence of the password credential provider :::image type="icon" source="images/key-credential-provider.svg" border="false"::: in the Windows lock screen.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/lock-screen-off.png" lightbox="images/lock-screen-off.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint, PIN and password credential providers.":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ **Passwordless experience turned on**: the password credential provider :::image type="icon" source="images/key-credential-provider.svg" border="false"::: is missing for the last user who signed in with strong credentials. A user can either sign in using a strong credential or opt to use the *Other user* option to sign in with a password.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/lock-screen-on.png" lightbox="images/lock-screen-on.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint and PIN credential providers only. The password credential provider is missing.":::
+ :::column-end:::
+:::row-end:::
+
+### In-session authentication experiences
+
+When Windows passwordless experience is enabled, users can't use the password credential provider for in-session authentication scenarios. In-session authentication scenarios include:
+
+- Password Manager in a web browser
+- Connecting to file shares or intranet sites
+- User Account Control (UAC) elevation, except if a local user account is used for elevation
+
+>[!NOTE]
+> RDP sign in defaults to the credential provider used during sign-in. However, a user can select the option *Use a different account* to sign in with a password.
+>
+> *Run as different user* is not impacted by Windows passwordless experience.
+
+Example of UAC elevation experience:
+
+:::row:::
+ :::column span="3":::
+ **Passwordless experience turned off**: UAC elevation allows the user to authenticate using a password.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/uac-off.png" lightbox="images/uac-off.png" alt-text="Screenshot of the UAC prompt showing username and password fields.":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ **Passwordless experience turned on**: UAC elevation doesn't allow the user to use the password credential provider for the currently logged on user. The user can authenticate using Windows Hello, a FIDO2 security key or a local user account, if available.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/uac-on.png" lightbox="images/uac-on.png" alt-text="Screenshot of the UAC prompt showing fingerprint and PIN options only.":::
+ :::column-end:::
+:::row-end:::
+
+## Recommendations
+
+Here's a list of recommendations to consider before enabling Windows passwordless experience:
+
+- If Windows Hello for Business is enabled, configure the [PIN reset](../hello-for-business/hello-feature-pin-reset.md) feature to allow users to reset their PIN from the lock screen. The PIN reset experience is improved starting in Windows 11, version 22H2 with [KB5030310][KB-1]
+- Don't configure the security policy *Interactive logon: Don't display last signed-in*, as it prevents Windows passwordless experience from working
+- Don't disable the password credential provider using the *Exclude credential providers* policy. The key differences between the two policies are:
+ - The Exclude credential providers policy disables passwords for *all accounts*, including local accounts. Windows passwordless experience only applies to Microsoft Entra ID accounts that sign in with Windows Hello or a FIDO2 security key. It also excludes *Other User* from the policy, so users have a backup sign in option
+ - Exclude credential providers policy prevents the use of passwords for RDP and *Run as* authentication scenarios
+- To facilitate helpdesk support operations, consider enabling the local administrator account or create a separate one, randomizing its password using the [Windows Local Administrator Password Solution (LAPS)][SERV-1]
+
+## Known issues
+
+There's a known issue affecting the in-session authentication experience when using FIDO2 security keys, where security keys aren't always an available option. The product group is aware of this behavior and plans to improve this in the future.
+
+### :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for Windows passwordless experience, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passwordless experience**.
+
+
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-authentication#enablepasswordlessexperience
+[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
+[INT-2]: /mem/intune/configuration/custom-settings-windows-10
+[KB-1]: https://support.microsoft.com/kb/5030310
+[SERV-1]: /windows-server/identity/laps/laps-overview
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 41748c9408..7351dd93ae 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -1,11 +1,11 @@
---
-title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
-description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
+title: Remote Credential Guard
+description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device.
ms.collection:
- highpri
-- tier2
-ms.topic: article
-ms.date: 01/12/2018
+- tier1
+ms.topic: how-to
+ms.date: 09/06/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -13,96 +13,112 @@ appliesto:
- ✅ Windows Server 2019
- ✅ Windows Server 2016
---
-# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
-Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
+# Remote Credential Guard
-Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device.
+## Overview
+
+Remote Credential Guard helps protecting credentials over a Remote Desktop (RDP) connection by redirecting Kerberos requests back to the device that's requesting the connection. If the target device is compromised, the credentials aren't exposed because both credential and credential derivatives are never passed over the network to the target device. Remote Credential Guard also provides single sign-on experiences for Remote Desktop sessions.
+
+This article describes how to configure and use Remote Credential Guard.
> [!IMPORTANT]
> For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#remote-desktop-connections-and-helpdesk-support-scenarios) in this article.
-## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options
+## Compare Remote Credential Guard with other connection options
-The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works:
+Using a Remote Desktop session without Remote Credential Guard has the following security implications:
-
+- Credentials are sent to and stored on the remote host
+- Credentials aren't protected from attackers on the remote host
+- Attacker can use credentials after disconnection
-The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option:
+The security benefits of Remote Credential Guard include:
-
+- Credentials aren't sent to the remote host
+- During the remote session you can connect to other systems using SSO
+- An attacker can act on behalf of the user only when the session is ongoing
-As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
+The security benefits of [Restricted Admin mode][TECH-1] include:
+
+- Credentials aren't sent to the remote host
+- The Remote Desktop session connects to other resources as the remote host's identity
+- An attacker can't act on behalf of the user and any attack is local to the server
Use the following table to compare different Remote Desktop connection security options:
-| Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
+| Feature | Remote Desktop | Remote Credential Guard | Restricted Admin mode |
|--|--|--|--|
-| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server |
-| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.
For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). |
-| **Helps prevent** | N/A |
|
|
-| **Credentials supported from the remote desktop client device** |
|
|
-| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
-| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host's identity**. |
-| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
-| **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol |
-
-For further technical information, see [Remote Desktop Protocol](/windows/win32/termserv/remote-desktop-protocol)
-and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/cc961963(v=technet.10)).
-
-## Remote Desktop connections and helpdesk support scenarios
-
-For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects.
-
-Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf).
-
-To further harden security, we also recommend that you implement Local Administrator Password Solution (LAPS), a Group Policy client-side extension (CSE) introduced in Windows 8.1 that automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks facilitated when customers use the same administrative local account and password combination on all their computers. You can download and install LAPS [here](https://www.microsoft.com/download/details.aspx?id=46899).
-
-For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/library/security/3062591.aspx).
-
-[!INCLUDE [windows-defender-remote-credential-guard](../../../includes/licensing/windows-defender-remote-credential-guard.md)]
+| Single sign-on (SSO) to other systems as signed in user | ✅ | ✅ | ❌ |
+| Multi-hop RDP | ✅ | ✅ | ❌ |
+| Prevent use of user's identity during connection | ❌ | ❌ | ✅ |
+| Prevent use of credentials after disconnection | ❌ | ✅ | ✅ |
+| Prevent Pass-the-Hash (PtH) | ❌ | ✅ | ✅ |
+| Supported authentication | Any negotiable protocol | Kerberos only | Any negotiable protocol |
+| Credentials supported from the remote desktop client device | - Signed on credentials
- Supplied credentials
- Saved credentials | - Signed on credentials
- Supplied credentials
| - Signed on credentials
- Supplied credentials
- Saved credentials |
+| RDP access granted with | Membership of **Remote Desktop Users** group on remote host | Membership of **Remote Desktop Users** group on remote host | Membership of **Administrators** group on remote host |
## Remote Credential Guard requirements
-To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements:
+To use Remote Credential Guard, the remote host and the client must meet the following requirements.
-The Remote Desktop client device:
+The remote host:
-- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine
-- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host
-- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard
-- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
+- Must allow the user to access via Remote Desktop connections
+- Must allow delegation of nonexportable credentials to the client device
-The Remote Desktop remote host:
+The client device:
-- Must be running at least Windows 10, version 1607 or Windows Server 2016.
-- Must allow Restricted Admin connections.
-- Must allow the client's domain user to access Remote Desktop connections.
-- Must allow delegation of non-exportable credentials.
+- Must be running the Remote Desktop Windows application. The Remote Desktop Universal Windows Platform (UWP) application doesn't support Remote Credential Guard
+- Must use Kerberos authentication to connect to the remote host. If the client can't connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
-There are no hardware requirements for Windows Defender Remote Credential Guard.
+[!INCLUDE [remote-credential-guard](../../../includes/licensing/remote-credential-guard.md)]
-> [!NOTE]
-> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
->
-> GPO [Remote host allows delegation of non-exportable credentials](/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials.
+## Enable delegation of nonexportable credentials on the remote hosts
-- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.
-- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
-- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.
+This policy is required on the remote hosts to support Remote Credential Guard and Restricted Admin mode. It allows the remote host to delegate nonexportable credentials to the client device.\
+If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host, exposing users to the risk of credential theft from attackers on the remote host.
-## Enable Windows Defender Remote Credential Guard
+To enable delegation of nonexportable credentials on the remote hosts, you can use:
-You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry.
+- Microsoft Intune/MDM
+- Group policy
+- Registry
-1. Open Registry Editor on the remote host
-1. Enable Restricted Admin and Windows Defender Remote Credential Guard:
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
- - Go to `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa`
- - Add a new DWORD value named **DisableRestrictedAdmin**
- - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0
+#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
-1. Close Registry Editor
+[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Administrative Templates > System > Credentials Delegation** | Remote host allows delegation of nonexportable credentials | Enabled |
+
+[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-3] with the [Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials`
- **Data type:** string
- **Value:** `
- **Key name:** `DisableRestrictedAdmin`
- **Type:** `REG_DWORD`
- **Value:** `0`|
You can add this by running the following command from an elevated command prompt:
@@ -110,44 +126,103 @@ You can add this by running the following command from an elevated command promp
reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
```
-## Using Windows Defender Remote Credential Guard
+---
-Beginning with Windows 10 version 1703, you can enable Windows Defender Remote Credential Guard on the client device either by using Group Policy or by using a parameter with the Remote Desktop Connection.
+## Configure delegation of credentials on the clients
-### Turn on Windows Defender Remote Credential Guard by using Group Policy
+To enable Remote Credential Guard on the clients, you can configure a policy that prevents the delegation of credentials to the remote hosts.
-1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**
-1. Double-click **Restrict delegation of credentials to remote servers**
- 
-1. Under **Use the following restricted mode**:
- - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used
+> [!TIP]
+> If you don't want to configure your clients to enforce Remote Credential Guard, you can use the following command to use Remote Credential Guard for a specific RDP session:
+> ```cmd
+> mstsc.exe /remoteGuard
+> ```
- > [!NOTE]
- > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
- > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard.
+The policy can have different values, depending on the level of security you want to enforce:
- - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#remote-credential-guard-requirements) listed earlier in this topic.
- - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-windows-defender-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
-
-1. Click **OK**
-1. Close the Group Policy Management Console
-1. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied
-
-### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection
-
-If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
-
-```cmd
-mstsc.exe /remoteGuard
-```
+- **Disabled**: *Restricted Admin* and *Remote Credential Guard* mode aren't enforced and the Remote Desktop Client can delegate credentials to remote devices
+- **Require Restricted Admin**: the Remote Desktop Client must use Restricted Admin to connect to remote hosts
+- **Require Remote Credential Guard**: Remote Desktop Client must use Remote Credential Guard to connect to remote hosts
+- **Restrict credential delegation**: Remote Desktop Client must use Restricted Admin or Remote Credential Guard to connect to remote hosts. In this configuration, Remote Credential Guard is preferred, but it uses Restricted Admin mode (if supported) when Remote Credential Guard can't be used
> [!NOTE]
-> The user must be authorized to connect to the remote server using Remote Desktop Protocol, for example by being a member of the Remote Desktop Users local group on the remote computer.
+> When *Restrict Credential Delegation* is enabled, the `/restrictedAdmin` switch will be ignored. Windows enforces the policy configuration instead and uses Remote Credential Guard.
-## Considerations when using Windows Defender Remote Credential Guard
+To configure your clients, you can use:
-- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied
-- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory
-- Remote Desktop Credential Guard only works with the RDP protocol
+- Microsoft Intune/MDM
+- Group policy
+
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+
+[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Administrative Templates > System > Credentials Delegation** | Restrict delegation of credentials to remote servers | Select **Enabled** and in the dropdown, select one of the options:
- **Restrict Credential Delegation**
- **Require Remote Credential Guard**|
+
+[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-3] with the [Policy CSP][CSP-2].
+
+| Setting |
+|--|
+|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/RestrictedRemoteAdministration`
- **Data type:** string
- **Value:** `
Possible values for `RestrictedRemoteAdministrationDrop` are:
- `0`: Disabled
- `1`: Require Restricted Admin
- `2`: Require Remote Credential Guard
- `3`: Restrict credential delegation |
+
+#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Credentials Delegation** | Restrict delegation of credentials to remote servers| **Enabled** and in the dropdown, select one of the options:
- **Restrict Credential Delegation**
- **Require Remote Credential Guard**|
+
+[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
+
+#### [:::image type="icon" source="../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+Not documented.
+
+---
+
+## Use Remote Credential Guard
+
+Once a client receives the policy, you can connect to the remote host using Remote Credential Guard by opening the Remote Desktop Client (`mstsc.exe`). The user is automatically authenticated to the remote host:
+
+:::image type="content" source="images/remote-credential-guard.gif" alt-text="Animation showing a client connecting to a remote server using Remote Credential Guard with SSO.":::
+
+> [!NOTE]
+> The user must be authorized to connect to the remote server using the Remote Desktop protocol, for example by being a member of the Remote Desktop Users local group on the remote host.
+
+## Remote Desktop connections and helpdesk support scenarios
+
+For helpdesk support scenarios in which personnel require administrative access via Remote Desktop sessions, it isn't recommended the use of Remote Credential Guard. If an RDP session is initiated to an already compromised client, the attacker could use that open channel to create sessions on the user's behalf. The attacker can access any of the user's resources for a limited time after the session disconnects.
+
+We recommend using Restricted Admin mode option instead. For helpdesk support scenarios, RDP connections should only be initiated using the `/RestrictedAdmin` switch. This helps to ensure that credentials and other user resources aren't exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2][PTH-1].
+
+To further harden security, we also recommend that you implement Windows Local Administrator Password Solution (LAPS), which automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks facilitated when customers use the same administrative local account and password combination on all their computers.
+
+For more information about LAPS, see [What is Windows LAPS][LEARN-1].
+
+## Additional considerations
+
+Here are some additional considerations for Remote Credential Guard:
+
+- Remote Credential Guard doesn't support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied
+- Remote Credential Guard can be used only when connecting to a device that is joined to an Active Directory domain. It can't be used when connecting to remote devices joined to Azure Active Directory (Azure AD)
+- Remote Credential Guard can be used from an Azure AD joined client to connect to an Active Directory joined remote host, as long as the client can authenticate using Kerberos
+- Remote Credential Guard only works with the RDP protocol
- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own
- The server and client must authenticate using Kerberos
+- Remote Credential Guard is only supported for direct connections to the target machines and not for the ones via Remote Desktop Connection Broker and Remote Desktop Gateway
+
+
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-credentialsdelegation
+[CSP-2]: /windows/client-management/mdm/policy-csp-admx-credssp
+[INT-3]: /mem/intune/configuration/settings-catalog
+[LEARN-1]: /windows-server/identity/laps/laps-overview
+[TECH-1]: https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx
+[PTH-1]: https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf
diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml
index d8e6726e39..5762bfaf81 100644
--- a/windows/security/identity-protection/toc.yml
+++ b/windows/security/identity-protection/toc.yml
@@ -3,16 +3,18 @@ items:
href: index.md
- name: Passwordless sign-in
items:
- - name: Windows Hello for Business 🔗
- href: hello-for-business/index.md
+ - name: Passwordless strategy
+ href: hello-for-business/passwordless-strategy.md
+ - name: Windows Hello for Business
+ href: hello-for-business/toc.yml
- name: Windows presence sensing
href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb
- - name: Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗
- href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
- - name: FIDO 2 security key 🔗
+ - name: FIDO2 security key 🔗
href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
- - name: Federated sign-in 🔗
- href: /education/windows/federated-sign-in
+ - name: Windows passwordless experience
+ href: passwordless-experience/index.md
+ - name: Passkeys
+ href: passkeys/index.md
- name: Smart Cards
href: smart-cards/toc.yml
- name: Virtual smart cards
@@ -20,6 +22,10 @@ items:
displayName: VSC
- name: Enterprise Certificate Pinning
href: enterprise-certificate-pinning.md
+ - name: Web sign-in
+ href: web-sign-in/index.md
+ - name: Federated sign-in 🔗
+ href: /education/windows/federated-sign-in
- name: Advanced credential protection
items:
- name: Windows LAPS (Local Administrator Password Solution) 🔗
@@ -33,11 +39,11 @@ items:
- name: Access Control
href: access-control/access-control.md
displayName: ACL/SACL
- - name: Windows Defender Credential Guard
+ - name: Credential Guard
href: credential-guard/toc.yml
- - name: Windows Defender Remote Credential Guard
+ - name: Remote Credential Guard
href: remote-credential-guard.md
- - name: LSA Protection
+ - name: LSA Protection 🔗
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
- name: Local Accounts
href: access-control/local-accounts.md
diff --git a/windows/security/identity-protection/web-sign-in/images/lock-screen.png b/windows/security/identity-protection/web-sign-in/images/lock-screen.png
new file mode 100644
index 0000000000..dfe0a0687e
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/lock-screen.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif
new file mode 100644
index 0000000000..499f39dbb5
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png
new file mode 100644
index 0000000000..be213d4500
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-credential-provider.svg b/windows/security/identity-protection/web-sign-in/images/web-sign-in-credential-provider.svg
new file mode 100644
index 0000000000..1afb38e115
--- /dev/null
+++ b/windows/security/identity-protection/web-sign-in/images/web-sign-in-credential-provider.svg
@@ -0,0 +1,4 @@
+
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif
new file mode 100644
index 0000000000..403c7fb609
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png
new file mode 100644
index 0000000000..f22395fbd7
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif
new file mode 100644
index 0000000000..9ae9f3c92f
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png
new file mode 100644
index 0000000000..e3b341d814
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-preferred-tenant.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-preferred-tenant.png
new file mode 100644
index 0000000000..01d91be145
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-preferred-tenant.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif
new file mode 100644
index 0000000000..b677b87480
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png
new file mode 100644
index 0000000000..18c20dd4fd
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png differ
diff --git a/windows/security/identity-protection/web-sign-in/index.md b/windows/security/identity-protection/web-sign-in/index.md
new file mode 100644
index 0000000000..8ec2eb65f2
--- /dev/null
+++ b/windows/security/identity-protection/web-sign-in/index.md
@@ -0,0 +1,171 @@
+---
+title: Web sign-in for Windows
+description: Learn how Web sign-in in Windows works, key scenarios, and how to configure it.
+ms.date: 09/27/2023
+ms.topic: how-to
+appliesto:
+ - ✅ Windows 11
+ms.collection:
+ - highpri
+ - tier1
+---
+
+# Web sign-in for Windows
+
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities.
+This feature is called *Web sign-in*.
+
+Web sign-in is a *credential provider*, and it was initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in are expanded.\
+For example, you can sign in with the Microsoft Authenticator app or with a SAML-P federated identity.
+
+This article describes how to configure Web sign-in and the supported key scenarios.
+
+## System requirements
+
+To use web sign-in, the clients must meet the following prerequisites:
+
+- Windows 11, version 22H2 with [5030310][KB-1], or later
+- Must be Microsoft Entra joined
+- Must have Internet connectivity, as the authentication is done over the Internet
+
+[!INCLUDE [federated-sign-in](../../../../includes/licensing/web-sign-in.md)]
+
+## Configure web sign-in
+
+To use web sign-in, your devices must be configured with different policies. Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
+
+#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| Authentication | Enable Web Sign In | Enabled |
+| Authentication | Configure Web Sign In Allowed Urls | This setting is optional, and it contains a list of domains required for sign in, for example:
- `idp.example.com`
- `example.com` |
+| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, for example: `example.com` |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings:
+
+| OMA-URI | More information |
+|-|-|
+| `./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`| [EnableWebSignIn](/windows/client-management/mdm/policy-csp-authentication#enablewebsignin) |
+| `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`|[ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#configurewebsigninallowedurls)|
+| `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`|[ConfigureWebcamAccessDomainNames](/windows/client-management/mdm/policy-csp-authentication#configurewebcamaccessdomainnames)|
+
+#### [:::image type="icon" source="../../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+[!INCLUDE [provisioning-package-1](../../../../includes/configure/provisioning-package-1.md)]
+
+| Path | Setting name | Value |
+|--|--|--|
+| `Policies/Authentication` | `EnableWebSignIn` | Enabled |
+| `Policies/Authentication` | `ConfigureWebSignInAllowedUrls` | This setting is optional, and it contains a semicolon-separated list of domains required for sign in, for example: `idp.example.com;example.com` |
+| `Policies/Authentication` | `ConfigureWebCamAccessDomainNames` | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `example.com` |
+
+[!INCLUDE [provisioning-package-2](../../../../includes/configure/provisioning-package-2.md)]
+
+---
+
+## User experiences
+
+Once the devices are configured, a new sign-in experience becomes available, as indicated by the presence of the Web sign-in credential provider :::image type="icon" source="images/web-sign-in-credential-provider.svg" border="false"::: in the Windows lock screen.
+
+:::image type="content" source="images/lock-screen.png" border="false" lightbox="images/lock-screen.png" alt-text="Screenshot of the Windows lock screen showing the Web sign-in credential provider.":::
+
+Here's a list of key scenarios supported by Web sign-in, and a brief animation showing the user experience. Select the thumbnail to start the animation.
+
+### Passwordless sign-in
+:::row:::
+ :::column span="3":::
+ Users can sign in to Windows passwordless, even before enrolling in Windows Hello for Business. For example, by using the Microsoft Authenticator app as a sign-in method.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/web-sign-in-authenticator.png" border="false" lightbox="images/web-sign-in-authenticator.gif" alt-text="Animation of the Web sign-in experience with Microsoft Authenticator.":::
+ :::column-end:::
+:::row-end:::
+
+> [!TIP]
+> When used in conjuction with *Windows Hello for Business passworless*, you can hide the password credential provider from the lock screen as well as in-session authentication scenarios. This enables a truly passwordless Windows experience.
+To learn more:
+- [Enable passwordless sign-in with Microsoft Authenticator][AAD-1]
+- [Passwordless authentication options for Microsoft Entra ID][AAD-2]
+- [Windows passwordless experience](../passwordless-experience/index.md)
+
+### Windows Hello for Business PIN reset
+
+:::row:::
+ :::column span="3":::
+ The Windows Hello PIN reset flow is seamless and more robust than in previous versions.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/web-sign-in-pin-reset.png" border="false" lightbox="images/web-sign-in-pin-reset.gif" alt-text="Animation of the PIN reset in experience.":::
+ :::column-end:::
+:::row-end:::
+
+For more information, see [PIN reset](../hello-for-business/hello-feature-pin-reset.md).
+
+### Temporary Access Pass (TAP)
+
+:::row:::
+ :::column span="3":::
+ A Temporary Access Pass (TAP) is a time-limited passcode granted by an administrator to a user. Users can sign in with a TAP using the Web sign-in credential provider. For example:
+
+ - to onboard Windows Hello for Business or a FIDO2 security key
+ - if lost or forgotten FIDO2 security key and unknown password
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/web-sign-in-tap.png" border="false" lightbox="images/web-sign-in-tap.gif" alt-text="Animation of the TAP sign in experience.":::
+ :::column-end:::
+:::row-end:::
+
+For more information, see [Use a Temporary Access Pass][AAD-3].
+
+### Sign in with a federated identity
+
+:::row:::
+ :::column span="3":::
+ If the Microsoft Entra ID tenant is federated with a third-party SAML-P identity provider (IdP), federated users can sign using the Web sign-in credential provider.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/web-sign-in-federated-auth.png" border="false" lightbox="images/web-sign-in-federated-auth.gif" alt-text="Animation of the sign in experience with a federated user.":::
+ :::column-end:::
+:::row-end:::
+
+> [!TIP]
+> To improve the user experience for federated identities:
+>
+> - Configure the *preferred Azure AD tenant name* feature, which allows users to select the domain name during the sign-in process. The users are then automatically redirected to the identity provider sign-in page.
+> - Enable Windows Hello for Business. Once the user signs in, the user can enroll in Windows Hello for Business and then use it to sign in to the device
+
+For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-1].
+
+## Important considerations
+
+Here's a list of important considerations to keep in mind when configuring or using Web sign-in:
+
+- Cached credentials aren't supported with Web sign-in. If the device is offline, the user can't use the Web sign-in credential provider to sign in
+- After sign out, the user isn't displayed in the user selection list
+- Once enabled, the Web sign-in credential provider is the default credential provider for new users signing in to the device. To change the default credential provider, you can use the [DefaultCredentialProvider][WIN-2] ADMX-backed policy
+- The user can exit the Web sign-in flow by pressing Ctrl+Alt+Delete to get back to the Windows lock screen
+
+### Known issues
+
+- If you attempt to sign in while the device is offline, you get the following message: *It doesn't look that you're connected to the Internet. Check your connection and try again*. Selecting the *Back to sign-in* option doesn't bring you back to the lock screen. As a workaround, you can press Ctrl+Alt+Delete to get back to the lock screen.
+
+### :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for web sign-in, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passwordless experience**.
+
+
+
+[AAD-1]: /azure/active-directory/authentication/howto-authentication-passwordless-phone
+[AAD-2]: /azure/active-directory/authentication/concept-authentication-passwordless
+[AAD-3]: /azure/active-directory/authentication/howto-authentication-temporary-access-pass
+[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
+[INT-1]: /mem/intune/configuration/custom-settings-windows-10
+[KB-1]: https://support.microsoft.com/kb/5030310
+[WIN-1]: /windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname
+[WIN-2]: /windows/client-management/mdm/policy-csp-admx-credentialproviders#defaultcredentialprovider
diff --git a/windows/security/images/icons/feedback.svg b/windows/security/images/icons/feedback.svg
new file mode 100644
index 0000000000..2ecd143695
--- /dev/null
+++ b/windows/security/images/icons/feedback.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/images/icons/key.svg b/windows/security/images/icons/key.svg
new file mode 100644
index 0000000000..c9df33c18f
--- /dev/null
+++ b/windows/security/images/icons/key.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg
new file mode 100644
index 0000000000..dbbad7d780
--- /dev/null
+++ b/windows/security/images/icons/provisioning-package.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/includes/sections/application.md b/windows/security/includes/sections/application.md
index 34f9e6a785..8b6b510ef4 100644
--- a/windows/security/includes/sections/application.md
+++ b/windows/security/includes/sections/application.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -10,17 +10,17 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
| **[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in Windows Defender Application Control (WDAC) to predict the safety of an application, so people can be confident they're using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. |
-| **[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)** | |
| **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.
Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. |
+| **[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)** | |
| **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
-| **[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.
Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
+| **[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.
Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
## Application isolation
| Feature name | Description |
|:---|:---|
-| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
-| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
| **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. |
| **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
| **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
diff --git a/windows/security/includes/sections/cloud-services.md b/windows/security/includes/sections/cloud-services.md
index 07fc5b88b5..4e338bf4cd 100644
--- a/windows/security/includes/sections/cloud-services.md
+++ b/windows/security/includes/sections/cloud-services.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -9,10 +9,10 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
-| **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)** | Microsoft Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
-| **[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
+| **[Active Directory domain join, Microsoft Entra join, and Microsoft Entra Hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)** | Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
+| **[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
| **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers.
With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
| **[Modern device management through (MDM)](/windows/client-management/mdm-overview)** | Windows 11 supports modern device management through mobile device management (MDM) protocols.
IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols.
To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. |
| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft hosted cloud subscription service that supports a zero-trust security model by enabling network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. |
| **[Windows Autopatch](/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise.
The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors. |
-| **[Windows Autopilot](/windows/deployment/windows-autopilot)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
+| **[Windows Autopilot](/autopilot/)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
diff --git a/windows/security/includes/sections/hardware.md b/windows/security/includes/sections/hardware.md
index 11a4f97b60..fa6c065293 100644
--- a/windows/security/includes/sections/hardware.md
+++ b/windows/security/includes/sections/hardware.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -20,7 +20,7 @@ ms.topic: include
| **[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats, such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel remains protected.
Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
| **[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.
Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
| **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
-| **[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
+| **[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
## Secured-core PC
diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md
index 891ad65444..557e813ec5 100644
--- a/windows/security/includes/sections/identity.md
+++ b/windows/security/includes/sections/identity.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -9,20 +9,23 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
-| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
-| **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
+| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
+| **[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
| **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in.
Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more.
For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. |
-| **[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
-| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
+| **[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)** | Windows passwordless experience is a security policy that aims to create a more user-friendly experience for Microsoft Entra joined devices by eliminating the need for passwords in certain authentication scenarios. By enabling this policy, users will not be given the option to use a password in these scenarios, which helps organizations transition away from passwords over time. |
+| **[Passkeys](/windows/security/identity-protection/passkeys)** | Passkeys provide a more secure and convenient method to logging into websites and applications compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other sign in challenges, making the authentication process faster, secure, and more convenient. |
+| **[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
| **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
## Advanced credential protection
| Feature name | Description |
|:---|:---|
-| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
+| **[Web sign-in](/windows/security/identity-protection/web-sign-in)** | Web sign-in is a credential provider initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in have been expanded. For example, users can sign-in to Windows using the Microsoft Authenticator app or with a federated identity. |
+| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
+| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra ID-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. |
-| **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
+| **[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
| **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
-| **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
-| **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
+| **[Credential Guard](/windows/security/identity-protection/credential-guard/)** | Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
+| **[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. When you use Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
diff --git a/windows/security/includes/sections/operating-system-security.md b/windows/security/includes/sections/operating-system-security.md
index 3a748fac25..4a4ee4acf2 100644
--- a/windows/security/includes/sections/operating-system-security.md
+++ b/windows/security/includes/sections/operating-system-security.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -9,10 +9,11 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
-| **[Secure Boot and Trusted Boot](/windows/security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts.
Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
+| **[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts.
Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.
The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The antimalware software can use the log to determine whether components that ran before it are trustworthy, or if they are infected with malware. The antimalware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
-| **[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Azure Active Directory for conditional access. |
+| **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. |
| **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
+| **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.
Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
## Virus and threat protection
@@ -24,20 +25,21 @@ ms.topic: include
| **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.
Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. |
| **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
-| **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
+| **[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
| **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. |
## Network security
| Feature name | Description |
|:---|:---|
-| **[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
+| **[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
+| **[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)** | Starting in Windows 11, the Windows DNS client supports DNS over HTTPS (DoH), an encrypted DNS protocol. This allows administrators to ensure their devices protect DNS queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites.
In a zero-trust model where there is no trust placed in a network boundary, having a secure connection to a trusted name resolver is required. |
| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. |
-| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
-| **[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. |
-| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
+| **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
+| **[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. |
+| **[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
| **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.
With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
| **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
| **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.
SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
@@ -46,8 +48,8 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
-| **[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Azure AD. |
-| **[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).
BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
-| **[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
-| **[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow.
Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. |
-| **[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
+| **[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Microsoft Entra ID. |
+| **[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).
BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
+| **[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
+| **[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow.
Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. |
+| **[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
diff --git a/windows/security/includes/sections/security-foundations.md b/windows/security/includes/sections/security-foundations.md
index 61eb75d6e8..7a85af0543 100644
--- a/windows/security/includes/sections/security-foundations.md
+++ b/windows/security/includes/sections/security-foundations.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -11,14 +11,14 @@ ms.topic: include
|:---|:---|
| **[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. |
| **[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released. |
-| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quickly fix the issues before releasing the final Windows. |
+| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quicky fix the issues before releasing the final Windows. |
## Certification
| Feature name | Description |
|:---|:---|
-| **[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
-| **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
+| **[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
+| **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
## Secure supply chain
@@ -26,4 +26,4 @@ ms.topic: include
|:---|:---|
| **Software Bill of Materials (SBOM)** | SBOMs are leveraged to provide the transparency and provenance of the content as it moves through various stages of the Windows supply chain. This enables trust between each supply chain segment, ensures that tampering has not taken place during ingestion and along the way, and provides a provable chain of custody for the product that we ship to customers. |
| **[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)** | Windows Defender Application Control (WDAC) enables customers to define policies for controlling what is allowed to run on their devices. WDAC policies can be remotely applied to devices using an MDM solution like Microsoft Intune.
To simplify WDAC enablement, organizations can take advantage of Azure Code Signing, a secure and fully managed service for signing WDAC policies and apps.
Azure Code Signing minimizes the complexity of code signing with a turnkey service backed by a Microsoft managed certificate authority, eliminating the need to procure and self-manage any signing certificates. The service is managed just as any other Azure resource and integrates easily with the leading development and CI/CD toolsets. |
-| **[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system. |
+| **[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system. |
diff --git a/windows/security/index.yml b/windows/security/index.yml
index fcb82babda..40983d837f 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -7,13 +7,14 @@ brand: windows
metadata:
ms.topic: hub-page
ms.prod: windows-client
+ ms.technology: itpro-security
ms.collection:
- highpri
- tier1
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
- ms.date: 08/11/2023
+ ms.date: 09/18/2023
highlightedContent:
items:
@@ -72,14 +73,14 @@ productDirectory:
links:
- url: /windows/security/identity-protection/hello-for-business
text: Windows Hello for Business
- - url: /windows/security/identity-protection/credential-guard/credential-guard
- text: Windows Defender Credential Guard
- - url: /windows-server/identity/laps/laps-overview
- text: Windows LAPS (Local Administrator Password Solution)
+ - url: /windows/security/identity-protection/passwordless-experience
+ text: Windows passwordless experience
+ - url: /windows/security/identity-protection/web-sign-in
+ text: Web sign-in for Windows
+ - url: /windows/security/identity-protection/passkeys
+ text: Support for passkeys in Windows
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
text: Enhanced phishing protection with SmartScreen
- - url: /education/windows/federated-sign-in
- text: Federated sign-in (EDU)
- url: /windows/security/identity-protection
text: Learn more about identity protection >
diff --git a/windows/security/introduction.md b/windows/security/introduction.md
index a87668dc0e..69e2193bf2 100644
--- a/windows/security/introduction.md
+++ b/windows/security/introduction.md
@@ -1,7 +1,7 @@
---
title: Introduction to Windows security
description: System security book.
-ms.date: 08/01/2023
+ms.date: 09/01/2023
ms.topic: tutorial
ms.author: paoloma
content_well_notification:
@@ -25,7 +25,7 @@ A Zero Trust security model gives the right people the right access at the right
1. When verified, give people and devices access to only necessary resources for the necessary amount of time
1. Use continuous analytics to drive threat detection and improve defenses
-For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
+For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enables timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
### Security, by default
@@ -45,7 +45,7 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d
### Secured identities
-Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
+Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
### Connecting to cloud services
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index a16db47b99..38961897cb 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -1,7 +1,7 @@
---
title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-ms.date: 08/11/2023
+ms.date: 09/25/2023
ms.topic: conceptual
appliesto:
- ✅ Windows 11, version 22H2
@@ -13,9 +13,10 @@ Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft
If a user signs into Windows using a password, Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school password used to sign into Windows 11 in these ways:
-- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also alerts them to change their password so attackers can't gain access to their account.
+- If users type or paste their work or school password on any browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also alerts them to change their password so attackers can't gain access to their account.
- Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and alert them to change their password.
- Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file.
+- If users type their work or school password into a website or app that SmartScreen finds suspicious, Enhanced Phishing Protection can automatically collect information from that website or app to help identify security threats. For example, the content displayed, sounds played, and application memory.
> [!NOTE]
> When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to Microsoft Defender for Endpoint.
@@ -68,10 +69,11 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][
| Setting | OMA-URI | Data type |
|-------------------------|---------------------------------------------------------------------------|-----------|
-| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer |
+| **AutomaticDataCollection** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection` | Integer |
| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer |
| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer |
| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer |
+| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer |
---
@@ -80,7 +82,6 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][
By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.
-
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
|Settings catalog element|Recommendation|
@@ -108,15 +109,19 @@ To better help you protect your organization, we recommend turning on and using
|NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
|NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
+
---
## Related articles
-- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
+- [SmartScreen frequently asked questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
- [WebThreatDefense CSP][WIN-1]
- [Threat protection](index.md)
[WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense
+
[MEM-2]: /mem/intune/configuration/settings-catalog
+
+
diff --git a/windows/security/security-foundations/certification/windows-platform-common-criteria.md b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
index 0e0bc1697c..0f426874c2 100644
--- a/windows/security/security-foundations/certification/windows-platform-common-criteria.md
+++ b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
@@ -278,10 +278,6 @@ Certified against the Protection Profile for General Purpose Operating Systems.
### Windows Server 2003 Certificate Server
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
-- [Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
-- [Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
-- [User's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
-- [Evaluation Technical Report](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
### Windows Rights Management Services
diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md
index a53ae544d8..39d6b0489e 100644
--- a/windows/security/threat-protection/security-policy-settings/security-options.md
+++ b/windows/security/threat-protection/security-policy-settings/security-options.md
@@ -108,7 +108,7 @@ For info about setting security policies, see [Configure security policy setting
| [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. |
| [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)| Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. |
| [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)| Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. |
-| [Shutdown: Allow system to be shut down without having to lg on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. |
+| [Shutdown: Allow system to be shut down without having to log on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. |
| [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting.|
| [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)| Describes the best practices, location, values, policy management, and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. |
| [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)| This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting. |
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index 2e144448b8..2bd556b46f 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -11,7 +11,7 @@
href: windows-11-plan.md
- name: Prepare for Windows 11
href: windows-11-prepare.md
- - name: Windows 11 temporary enterprise feature control
+ - name: Windows 11 enterprise feature control
href: temporary-enterprise-feature-control.md
- name: What's new in Windows 11, version 22H2
href: whats-new-windows-11-version-22h2.md
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index c0f93ba219..e13121f3d9 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
-description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11.
-ms.date: 08/17/2023
+description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
+ms.date: 09/01/2023
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
@@ -36,7 +36,8 @@ The features in this article are no longer being actively developed, and might b
|Feature | Details and mitigation | Deprecation announced |
| ----------- | --------------------- | ---- |
-| AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://www.alljoyn.org/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
+| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 |
+| AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023|
| Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 |
| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
@@ -50,7 +51,7 @@ The features in this article are no longer being actively developed, and might b
| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
| Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
| Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
-| Microsoft BitLocker Administration and Monitoring (MBAM)| [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/), part of the [Microsoft Desktop Optimization Pack (MDOP)](/lifecycle/announcements/mdop-extended) is is no longer being developed. | September, 2019 |
+| Microsoft BitLocker Administration and Monitoring (MBAM)| [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/), part of the [Microsoft Desktop Optimization Pack (MDOP)](/lifecycle/announcements/mdop-extended) is no longer being developed. | September, 2019 |
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web.
PSR was removed in Windows 11.| 1909 |
@@ -61,7 +62,6 @@ The features in this article are no longer being actively developed, and might b
| Print 3D app | 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this reason, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
-|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97). It provides the same screen snipping abilities plus other features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the "Screen snip" button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 |
|[Software Restriction Policies](/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 |
|[Offline symbol packages](/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](/archive/blogs/windbg/update-on-microsofts-symbol-server). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 |
|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. For more information, see [Error opening Help in Windows-based programs: "Feature not included" or "Help not supported"](https://support.microsoft.com/topic/error-opening-help-in-windows-based-programs-feature-not-included-or-help-not-supported-3c841463-d67c-6062-0ee7-1a149da3973b).| 1803 |
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index b2c710d264..99cf0f87aa 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -208,14 +208,14 @@ Windows Hello for Business now supports FIDO 2.0 authentication for Azure AD Joi
For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
-#### Windows Defender Credential Guard
+#### Credential Guard
-Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
+Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
+Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
> [!NOTE]
-> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
+> Credential Guard is available only to S mode devices or Enterprise and Education Editions.
For more information, see [Credential Guard Security Considerations](/windows/security/identity-protection/credential-guard/credential-guard-requirements#security-considerations).
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 48b3e3b651..c07ad692ea 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -74,7 +74,7 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](
### Virus and threat protection
-[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL's and IP addresses.
+[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URLs and IP addresses.
[Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform.
- [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
@@ -149,9 +149,9 @@ Windows Hello enhancements include:
### Credential protection
-#### Windows Defender Credential Guard
+#### Credential Guard
-[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
+[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
### Privacy controls
diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md
index b20be1c0ab..65ebf38755 100644
--- a/windows/whats-new/temporary-enterprise-feature-control.md
+++ b/windows/whats-new/temporary-enterprise-feature-control.md
@@ -1,6 +1,6 @@
---
-title: Temporary enterprise feature control in Windows 11
-description: Learn about the Windows 11 features behind temporary enterprise feature control.
+title: Enterprise feature control in Windows 11
+description: Learn about the Windows 11 features behind temporary enterprise feature control and permanent feature control.
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.author: mstewart
@@ -8,7 +8,7 @@ author: mestew
manager: aaroncz
ms.localizationpriority: medium
ms.topic: reference
-ms.date: 05/19/2023
+ms.date: 09/26/2023
ms.collection:
- highpri
- tier2
@@ -16,21 +16,20 @@ appliesto:
- ✅ Windows 11, version 22H2 and later
---
-# Temporary enterprise feature control in Windows 11
+# Enterprise feature control in Windows 11
-New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
+New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features might be:
+
+- Temporarily turned off by default using [temporary enterprise feature control](#temporary-enterprise-feature-control)
+- Controlled by a policy that allows for [permanent enterprise feature control](#permanent-enterprise-feature-control)
+
+Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly. For example, a feature might be turned off by default if it requires a change in user behavior or if it requires IT administrators to take action before the feature can be used.
+
+## Temporary enterprise feature control
Features behind temporary enterprise control are automatically disabled for devices that have their Windows updates managed by policies.
-## Windows 11 features behind temporary enterprise feature control
-
-The following features are behind temporary enterprise control in Windows 11:
-
-| Feature | KB article where the feature was introduced | Feature update that ends temporary control |
-|---|---|---|
-| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9) | 2023 annual feature update |
-
-## Enable features behind temporary enterprise feature control
+### Enable features behind temporary enterprise feature control
Features that are behind temporary enterprise control will be enabled when one of the following conditions is met:
@@ -38,7 +37,7 @@ Features that are behind temporary enterprise control will be enabled when one o
- The device receives a policy that enables features behind temporary enterprise control
- When the policy is enabled, all features on the device behind temporary control are turned on when the device next restarts.
-## Policy settings for temporary enterprise feature control
+### Policy settings for temporary enterprise feature control
You can use a policy to enable features that are behind temporary enterprise feature control. When this policy is enabled, all features that were disabled behind temporary enterprise feature control are turned on when the device next reboots. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
@@ -46,3 +45,33 @@ You can use a policy to enable features that are behind temporary enterprise fea
- **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)
- In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category.
+
+### Windows 11 features behind temporary enterprise feature control
+
+The following features are behind temporary enterprise control in Windows 11:
+
+| Feature | KB article where the feature was introduced | Feature update that ends temporary control | Notes |
+|---|---|---|---|
+| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9) | 2023 annual feature update | |
+| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | |
+| Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature also has a permanent control: **CSP**: ./User/Vendor/MSFT/Policy/Config/Experience/[AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Cloud Content\\**Turn off all Windows spotlight features**|
+| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has a permanent control. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section. |
+| Dev Home | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | `Get-AppxPackage -Name Microsoft.Windows.DevHome` |
+|Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has multiple permanent controls. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section |
+
+## Permanent enterprise feature control
+
+New features and enhancements used to be introduced only in feature updates. However, with continuous innovation for Windows 11, new features are introduced more frequently through the monthly cumulative update. Some new features can be controlled through policies that enable you to configure them for your organization. When a feature can be controlled by a policy, it has permanent enterprise feature control.
+
+### Windows 11 features with permanent enterprise feature control
+
+The following features introduced through the monthly cumulative updates allow permanent enterprise feature control:
+
+| Feature | KB article where the feature was introduced | Feature enabled by default | CSP and Group Policy |
+|---|---|---|---|
+| Configure search on the taskbar | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9)| Yes | **CSP**: ./Device/Vendor/MSFT/Policy/Config/Search/[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\Search\\**Configures search on the taskbar**|
+| The **Recommended** section of the **Start Menu** displays personalized website recommendations |[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)| No |**CSP**: ./Device/Vendor/MSFT/Policy/Config/Start/[HideRecoPersonalizedSites](/windows/client-management/mdm/policy-csp-start) **Group Policy**: Computer Configuration\Administrative Templates\Start Menu and Taskbar\\**Remove Personalized Website Recommendations from the Recommended section in the Start Menu**|
+| **Recommended** section added to File Explorer Home for users signed into Windows with an Azure AD account. | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes | **CSP**:./Device/Vendor/MSFT/Policy/Config/FileExplorer/[DisableGraphRecentItems](/windows/client-management/mdm/policy-csp-fileexplorer#disablegraphrecentitems) **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\File Explorer\\**Turn off files from Office.com in Quick Access View** **Note**: This control disables additional items beyond the **Recommended** items. Review the policy before implementing this control. |
+| Transfer files to another PC using WiFi direct|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)|Yes|**CSP**: ./Device/Vendor/MSFT/Policy/Config/Wifi/[AllowWiFiDirect](/windows/client-management/mdm/policy-csp-wifi#allowwifidirect)|
+| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**|
+|Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSPs**: - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[EnableDevDrive](/windows/client-management/mdm/policy-csp-filesystem#enableeeverive) - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[DevDriveAttachPolicy](/windows/client-management/mdm/policy-csp-filesystem#devdriveattachpolicy) **Group Policies**: - Computer Configuration\Administrative Templates\System\FileSystem\\**Enable dev drive** - Computer Configuration\Administrative Templates\System\FileSystem\\**Dev drive filter attach policy**|
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 55b211215b..4f608c1dd6 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -80,7 +80,7 @@ The AssignedAccess CSP has been expanded to make it easy for administrators to c
## Security
>[!NOTE]
->Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Windows Defender Credential Guard, and Windows Defender Firewall.
+>Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Credential Guard, and Windows Defender Firewall.
**Windows security baselines** have been updated for Windows 10. A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index b617d899f5..ad971e7d6a 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -141,11 +141,11 @@ You can add specific rules for a WSL process in Windows Defender Firewall, just
We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](/microsoft-edge/deploy/change-history-for-microsoft-edge).
-### Windows Defender Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined
+### Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined
-Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
+Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns on this functionality by default when the machine has been Azure Active Directory-joined. This functionality provides an added level of security when connecting to domain resources not normally present on 10-S devices. Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions.
+Credential Guard has always been an optional feature, but Windows 10-S turns on this functionality by default when the machine has been Azure Active Directory-joined. This functionality provides an added level of security when connecting to domain resources not normally present on 10-S devices. Credential Guard is available only to S-Mode devices or Enterprise and Education Editions.
### Windows 10 Pro S Mode requires a network connection
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index c0202f98fe..d40de13c9d 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -41,9 +41,9 @@ If you're using Windows Update for Business, you'll receive the Windows 10, vers
## Security
-### Windows Defender Credential Guard
+### Credential Guard
-[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
+[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
### Microsoft BitLocker
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index 37a10475d2..a433405b4e 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -25,7 +25,7 @@ This article lists new and updated features and content that is of interest to I
As with previous fall releases, Windows 10, version 20H2 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H2-targeted release](/lifecycle/faq/windows), 20H2 is serviced for 30 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions.
-To download and install Windows 10, version 20H2, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, including a video, see [How to get the Windows 10 October 2020 Update](https://community.windows.com/videos/how-to-get-the-windows-10-october-2020-update/7c7_mWN0wi8).
+To download and install Windows 10, version 20H2, use Windows Update (**Settings > Update & Security > Windows Update**).
## Microsoft Edge
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index 4e91dc9a19..b09c1ab588 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -50,9 +50,9 @@ For more information, see [Smart App Control](/windows/security/threat-protectio
## Credential Guard
-Compatible Windows 11 Enterprise version 22H2 devices will have **Windows Defender Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state.
+Compatible Windows 11 Enterprise version 22H2 devices will have **Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state.
-For more information, see [Manage Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage).
+For more information, see [Manage Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage).
## Malicious and vulnerable driver blocking
diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md
index 5431f9f832..d6f384c4f5 100644
--- a/windows/whats-new/windows-licensing.md
+++ b/windows/whats-new/windows-licensing.md
@@ -67,7 +67,7 @@ The following table describes the unique Windows Enterprise edition features:
| OS-based feature | Description |
|-|-|
-|**[Windows Defender Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.|
+|**[Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.|
|**[Managed Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**| Isolates enterprise-defined untrusted sites with virtualization-based security from Windows, protecting your organization while users browse the Internet.|
|**[Modern BitLocker Management][WIN-2]** | Allows you to eliminate on-premises tools to monitor and support BitLocker recovery scenarios. |
|**[Personal Data Encryption][WIN-3]**|Encrypts individual's content using Windows Hello for Business to link the encryption keys to user credentials.|
@@ -135,13 +135,13 @@ In most cases, the Windows Pro edition comes pre-installed on a business-class d
- A developer that is developing applications that must be tested and certified on Pro, as that is how it will be delivered to customers
- A Windows Pro device that was pre-configured for a specific purpose and is certified on Pro only
-In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscriptions does not block these scenarios.
+In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscription doesn't block these scenarios.
The following table lists the Windows 11 Enterprise features and their Windows edition requirements:
| OS-based feature |Windows Pro|Windows Enterprise|
|-|-|-|
-|**[Windows Defender Credential Guard][WIN-1]**|❌|Yes|
+|**[Credential Guard][WIN-1]**|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**|Yes|Yes|
|**[Modern BitLocker Management][WIN-2]**|Yes|Yes|
|**[Personal data encryption (PDE)][WIN-3]**|❌|Yes|