From 30873c4fd2a5532cd3ae05430f8eacbc40caf556 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Tue, 6 Feb 2024 16:37:06 -0800
Subject: [PATCH 1/7] remove topic type

---
 education/docfx.json | 1 -
 windows/application-management/docfx.json | 9 ++++-----
 windows/hub/docfx.json | 9 ++++-----
 windows/privacy/docfx.json | 9 ++++-----
 windows/whats-new/docfx.json | 9 ++++-----
 5 files changed, 16 insertions(+), 21 deletions(-)

diff --git a/education/docfx.json b/education/docfx.json
index f066cfa6c2..4e97e1ed26 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -29,7 +29,6 @@
 "globalMetadata": {
 "recommendations": true,
 "adobe-target": true,
- "ms.topic": "article",
 "ms.collection": [
 "education",
 "tier2"
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index f9544bebe7..72c7168b1a 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -42,7 +42,6 @@
 "uhfHeaderId": "MSDocsHeader-Windows",
 "ms.service": "windows-client",
 "ms.subservice": "itpro-apps",
- "ms.topic": "article",
 "feedback_system": "Standard",
 "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
 "_op_documentIdPathDepotMapping": {
@@ -53,10 +52,10 @@
 },
 "titleSuffix": "Windows Application Management",
 "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
 "jborsecnik",
 "tiburd",
 "garycentric",
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 5f8b9dc5f7..d107b517cb 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -44,7 +44,6 @@
 "uhfHeaderId": "MSDocsHeader-Windows",
 "ms.service": "windows-client",
 "ms.subservice": "itpro-fundamentals",
- "ms.topic": "article",
 "feedback_system": "Standard",
 "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
 "_op_documentIdPathDepotMapping": {
@@ -55,10 +54,10 @@
 },
 "titleSuffix": "Windows for IT Pros",
 "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
 "jborsecnik",
 "tiburd",
 "garycentric",
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 92b2620ad7..7f47903935 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -39,7 +39,6 @@
 "uhfHeaderId": "MSDocsHeader-Windows",
 "ms.service": "windows-client",
 "ms.subservice": "itpro-privacy",
- "ms.topic": "article",
 "feedback_system": "Standard",
 "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
 "_op_documentIdPathDepotMapping": {
@@ -50,10 +49,10 @@
 },
 "titleSuffix": "Windows Privacy",
 "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
 "jborsecnik",
 "tiburd",
 "garycentric",
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index 21719523a0..e54d096bf9 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -41,7 +41,6 @@
 "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-Windows",
- "ms.topic": "article",
 "feedback_system": "Standard",
 "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
 "_op_documentIdPathDepotMapping": {
@@ -52,10 +51,10 @@
 },
 "titleSuffix": "What's new in Windows",
 "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
 "jborsecnik",
 "tiburd",
 "garycentric",
From 8fe5a4a6f123f6ca6a73f003d14fdbf7b6551152 Mon Sep 17 00:00:00 2001
From: Raymond Chen
Date: Fri, 9 Feb 2024 14:16:06 -0800
Subject: [PATCH 2/7] Clarify scope of "Create global objects"

Applies only to file mapping and symbolic link objects. Also, apples to Windows in general, not just Terminal Services.

---
 .../security-policy-settings/create-global-objects.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
index 9c2e0740b7..e20df384f0 100644
--- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
@@ -82,7 +82,7 @@ This section describes how an attacker might exploit a feature or its configurat
 ### Vulnerability
-The **Create global objects** user right is required for a user account to create global objects in Remote Desktop sessions. Users can still create session-specfic objects without being assigned this user right. Assigning this right can be a security risk.
+The **Create global objects** user right is required for a user account to create global file mapping and symbolic link objects. Users can still create session-specfic objects without being assigned this user right. Assigning this right can be a security risk.
 By default, members of the **Administrators** group, the System account, and services that are started by the Service Control Manager are assigned the **Create global objects** user right. Users who are added to the **Remote Desktop Users** group also have this user right.
From 7e7688e9d3ce844ea5a03c4d8c0b5eb8c8e2f3a8 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 12 Feb 2024 11:16:02 +0100
Subject: [PATCH 3/7] Add note-devicelock-csp include

---
 .../hello-for-business/configure.md | 2 ++
 .../includes/note-devicelock-csp.md | 11 +++++++++++
 .../hello-for-business/policy-settings.md | 2 ++
 3 files changed, 15 insertions(+)
 create mode 100644 windows/security/identity-protection/hello-for-business/includes/note-devicelock-csp.md

diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md
index 7c498d0bb4..d4c47fb6cd 100644
--- a/windows/security/identity-protection/hello-for-business/configure.md
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@@ -72,6 +72,8 @@ There are different ways to enable and configure Windows Hello for Business in I
 - [Account protection policy][MEM-5]
 - [Identity protection policy template][MEM-6]
+[!INCLUDE [note-devicelock-csp](includes/note-devicelock-csp.md)]
+
 ### Verify the tenant-wide policy
 To check the Windows Hello for Business policy settings applied at enrollment time:
diff --git a/windows/security/identity-protection/hello-for-business/includes/note-devicelock-csp.md b/windows/security/identity-protection/hello-for-business/includes/note-devicelock-csp.md
new file mode 100644
index 0000000000..3b8bf1d30a
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/note-devicelock-csp.md
@@ -0,0 +1,11 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+>[!IMPORTANT]
+>If you configure password lenght and complexity settings that are part of the [DeviceLock CSP](/windows/client-management/mdm/policy-csp-devicelock), and PIN lenght and complexity settings defined by the PassportForWork CSP, Windows enforces the strictest policy out of the set of governing policies.
+>
+>The DeviceLock CSP utilizes the Exchange ActiveSync Policy Engine. For more information, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn282287).
diff --git a/windows/security/identity-protection/hello-for-business/policy-settings.md b/windows/security/identity-protection/hello-for-business/policy-settings.md
index 050b2a862d..c8bc44dd24 100644
--- a/windows/security/identity-protection/hello-for-business/policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/policy-settings.md
@@ -38,6 +38,8 @@ Select one of the tabs to see the list of available settings:
 # [:::image type="icon" source="images/pin.svg"::: **PIN settings**](#tab/pin)
+[!INCLUDE [note-devicelock-csp](includes/note-devicelock-csp.md)]
+
 |Setting Name|CSP|GPO|
 |-|-|-|-|
 |[Expiration](#expiration)|✅|✅|
From 68bf1016646a7e2aba11831eae57332e21337605 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 12 Feb 2024 11:49:59 +0100
Subject: [PATCH 4/7] Update Windows Hello for Business policy hierarchy

---
 .../hello-for-business/configure.md | 15 ++++++++++-----
 .../includes/note-devicelock-csp.md | 11 -----------
 .../hello-for-business/policy-settings.md | 2 --
 3 files changed, 10 insertions(+), 18 deletions(-)
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/note-devicelock-csp.md

diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md
index d4c47fb6cd..625c55a872 100644
--- a/windows/security/identity-protection/hello-for-business/configure.md
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@@ -24,13 +24,20 @@ Some of the Windows Hello for Business policies are available for both computer
 - Windows Hello for Business policy settings are enforced using the following hierarchy:
 - User GPO
 - Computer GPO
- - User MDM
- - Device MDM
- - Device Lock policy
+ - User MDM (PassportForWork CSP)
+ - Device MDM (PassportForWork CSP)
+ - Exchange Active Sync (DeviceLock CSP)
 >[!IMPORTANT]
 >All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
+
+
 >[!NOTE]
 > If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN.
@@ -72,8 +79,6 @@ There are different ways to enable and configure Windows Hello for Business in I
 - [Account protection policy][MEM-5]
 - [Identity protection policy template][MEM-6]
-[!INCLUDE [note-devicelock-csp](includes/note-devicelock-csp.md)]
-
 ### Verify the tenant-wide policy
 To check the Windows Hello for Business policy settings applied at enrollment time:
diff --git a/windows/security/identity-protection/hello-for-business/includes/note-devicelock-csp.md b/windows/security/identity-protection/hello-for-business/includes/note-devicelock-csp.md
deleted file mode 100644
index 3b8bf1d30a..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/note-devicelock-csp.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2024
-ms.topic: include
----
-
->[!IMPORTANT]
->If you configure password lenght and complexity settings that are part of the [DeviceLock CSP](/windows/client-management/mdm/policy-csp-devicelock), and PIN lenght and complexity settings defined by the PassportForWork CSP, Windows enforces the strictest policy out of the set of governing policies.
->
->The DeviceLock CSP utilizes the Exchange ActiveSync Policy Engine. For more information, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn282287).
diff --git a/windows/security/identity-protection/hello-for-business/policy-settings.md b/windows/security/identity-protection/hello-for-business/policy-settings.md
index c8bc44dd24..050b2a862d 100644
--- a/windows/security/identity-protection/hello-for-business/policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/policy-settings.md
@@ -38,8 +38,6 @@ Select one of the tabs to see the list of available settings:
 # [:::image type="icon" source="images/pin.svg"::: **PIN settings**](#tab/pin)
-[!INCLUDE [note-devicelock-csp](includes/note-devicelock-csp.md)]
-
 |Setting Name|CSP|GPO|
 |-|-|-|-|
 |[Expiration](#expiration)|✅|✅|
From e129e6c72269c3d7fe0a70e70eb6d2d1fc328468 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 12 Feb 2024 18:30:11 +0100
Subject: [PATCH 5/7] Update Windows Hello for Business configuration documentation

---
 .../identity-protection/hello-for-business/configure.md | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md
index 625c55a872..ba9a89f070 100644
--- a/windows/security/identity-protection/hello-for-business/configure.md
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@@ -29,14 +29,9 @@ Some of the Windows Hello for Business policies are available for both computer
 - Exchange Active Sync (DeviceLock CSP)
 >[!IMPORTANT]
->All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
-
-
+>The DeviceLock CSP utilizes the Exchange ActiveSync Policy (EAS) engine. For more information, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn282287(v=ws.11)).
 >[!NOTE]
 > If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN.
From 1715f7c8993304877902d0c5de540298fe310807 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 12 Feb 2024 18:36:58 +0100
Subject: [PATCH 6/7] Fix typos and clarify wording in Windows Hello for Business configuration guide

---
 .../hello-for-business/configure.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md
index ba9a89f070..99023982ca 100644
--- a/windows/security/identity-protection/hello-for-business/configure.md
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@@ -13,14 +13,14 @@ This article describes the options to configure Windows Hello for Business in an
 You can configure Windows Hello for Business by using the following options:
-- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with [provisioning packages](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers#csps-in-windows-configuration-designer), which are usually used at deployment time or for unamanged devices. To configure Windows Hello for Business, use the [PassportForWork CSP][CSP-2]
+- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with [provisioning packages](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers#csps-in-windows-configuration-designer), which are usually used at deployment time or for unmanaged devices. To configure Windows Hello for Business, use the [PassportForWork CSP][CSP-2]
 - Group policy (GPO): used for devices that are Active Directory joined or Microsoft Entra hybrid joined, and aren't managed by a device management solution
 ## Policy precedence
 Some of the Windows Hello for Business policies are available for both computer and user configuration. The following list describes the policy precedence for Windows Hello for Business:
-- *User policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used
+- *User policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. 
If a user policy isn't set, the computer policy is used
 - Windows Hello for Business policy settings are enforced using the following hierarchy:
 - User GPO
 - Computer GPO
@@ -65,9 +65,9 @@ For Microsoft Entra joined devices and Microsoft Entra hybrid joined devices enr
 There are different ways to enable and configure Windows Hello for Business in Intune:
 - Using a policy applied at the tenant level. The tenant policy:
- - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
+ - Is only applied at enrollment time, and any changes to its configuration doesn't apply to devices already enrolled in Intune
 - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
-- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
+- A device configuration policy that is applied *after* device enrollment. Any changes to the policy are applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
 - [Settings catalog][MEM-1]
 - [Security baselines][MEM-2]
 - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
@@ -78,16 +78,16 @@ There are different ways to enable and configure Windows Hello for Business in I
 To check the Windows Hello for Business policy settings applied at enrollment time:
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
 1. Select **Devices** > **Windows** > **Windows Enrollment**
 1. Select **Windows Hello for Business**
-1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
+1. Verify the status of **Configure Windows Hello for Business** and any settings that might be configured
 :::image type="content" source="deploy/images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="deploy/images/whfb-intune-disable.png":::
 ## Policy conflicts from multiple policy sources
-Windows Hello for Business is designed to be managed by group policy or MDM, but not a combination of both. Avoid mixing group policy and MDM policy settings for Windows Hello for Business. If you mix group policy and MDM policy settings, the MDM settings are ignored until all group policy settings are cleared.
+Windows Hello for Business can be configured by GPO or CSP, but not a combination of both. Avoid mixing GPO and CSP policy settings for Windows Hello for Business. If you mix GPO and CSP policy settings, the CSP settings are ignored until all group policy settings are cleared.
 > [!IMPORTANT]
 > The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*.
From 4dbe49cedd148f6e3dfb3e58c82c7a612ae18dc3 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 12 Feb 2024 18:42:01 +0100
Subject: [PATCH 7/7] Update Windows Hello for Business policy hierarchy

---
 .../hello-for-business/configure.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md
index 99023982ca..6d581f8f55 100644
--- a/windows/security/identity-protection/hello-for-business/configure.md
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@@ -22,14 +22,14 @@ Some of the Windows Hello for Business policies are available for both computer
 - *User policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy isn't set, the computer policy is used
 - Windows Hello for Business policy settings are enforced using the following hierarchy:
- - User GPO
- - Computer GPO
- - User MDM (PassportForWork CSP)
- - Device MDM (PassportForWork CSP)
- - Exchange Active Sync (DeviceLock CSP)
+ - User - GPO
+ - Computer - GPO
+ - User - PassportForWork CSP
+ - Device - PassportForWork CSP
+ - Exchange Active Sync - [DeviceLock CSP](/windows/client-management/mdm/policy-csp-devicelock)
 >[!IMPORTANT]
->If you configure password length and complexity settings defined by the [DeviceLock CSP](/windows/client-management/mdm/policy-csp-devicelock), and PIN length and complexity settings defined by the PassportForWork CSP, Windows enforces the strictest policy out of the set of governing policies.
+>If you configure password length and complexity settings defined by the DeviceLock CSP, and PIN length and complexity settings defined by the PassportForWork CSP, Windows enforces the strictest policy out of the set of governing policies.
 >
 >The DeviceLock CSP utilizes the Exchange ActiveSync Policy (EAS) engine. For more information, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn282287(v=ws.11)).