From 55aff11d116cf0e7a345a3fcd83ee57ca50e528a Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 5 Jan 2022 11:31:03 +0200 Subject: [PATCH 01/18] Update info https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10021 --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 66e88ee1a6..b033cf57b3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -100,7 +100,7 @@ sections: [Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience) - For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. + For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to corporate network. Destructive PIN reset requires access to corporate network. More details about destructive and non-destructive PIN reset can be found [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). - question: What URLs do I need to allow for a hybrid deployment? answer: | From 6b861b7d7dc6855f8b2d91d185d1685760207799 Mon Sep 17 00:00:00 2001 
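Review bot: the new sentence in this hunk links to the PIN reset article with an absolute, locale-pinned URL (https://docs.microsoft.com/en-us/...) and the link text "here", while the rest of the hunk uses relative links with descriptive text (the hello-videos.md anchor two lines up). Use the relative path and name the target, e.g. `For more details, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).`, and add the article in "access to the corporate network" (both occurrences).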
From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 6 Jan 2022 11:35:22 +0200 Subject: [PATCH 02/18] Update windows/security/identity-protection/hello-for-business/hello-faq.yml Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index b033cf57b3..b4dc152193 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -100,7 +100,7 @@ sections: [Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience) - For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to corporate network. Destructive PIN reset requires access to corporate network. More details about destructive and non-destructive PIN reset can be found [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). + For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). - question: What URLs do I need to allow for a hybrid deployment? answer: | From 237bd91ea6d78183a706fc2bebfe7065f5db381a Mon Sep 17 00:00:00 2001 From: Adam Shapiro <45466550+adamoboe@users.noreply.github.com> Date: Tue, 11 Jan 2022 18:28:29 -0800 Subject: [PATCH 03/18] Update virus-initiative-criteria.md updated the list of third party test providers --- .../threat-protection/intelligence/virus-initiative-criteria.md | 2 -- 1 file changed, 2 deletions(-) 
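Review bot: the link and article fixes in this hunk address the earlier review; one remaining consistency point is that the new link is site-root-relative (`/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset`) while the neighbouring link in the same answer is file-relative (`hello-videos.md#...`). A file-relative `hello-feature-pin-reset.md` would match the style already used in this FAQ.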
diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 0441e00ed4..272227666c 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -45,9 +45,7 @@ Test Provider | Lab Test Type | Minimum Level / Score AV-Comparatives | Real-World Protection Test
https://www.av-comparatives.org/testmethod/real-world-protection-tests/ |“Approved” rating from AV Comparatives AV-Test | Must pass tests for Windows. Certifications for Mac and Linux aren't accepted
https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users) ICSA Labs | Endpoint Anti-Malware Detection
https://www.icsalabs.com/technology-program/anti-virus/criteria |PASS/Certified -NSS Labs | Advanced Endpoint Protection AEP 3.0, which covers automatic threat prevention and threat event reporting capabilities
https://www.nsslabs.com/tested-technologies/advanced-endpoint-protection/ |“Neutral” rating from NSS SKD Labs | Certification Requirements Product: Anti-virus or Antimalware
http://www.skdlabs.com/html/english/
http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5% with On Demand, On Access and Total Detection tests -SE Labs | Protection A rating or Small Business EP A rating or Enterprise EP Protection A rating
https://selabs.uk/en/reports/consumers |Home or Enterprise “A” rating VB 100 | VB100 Certification Test V1.1
https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/ | VB100 Certification West Coast Labs | Checkmark Certified
http://www.checkmarkcertified.com/sme/ | “A” Rating on Product Security Performance From 274c2c840d5793b8a806f4a606d91f072ef0563f Mon Sep 17 00:00:00 2001 From: Ben Watt <13239035+wattbt@users.noreply.github.com> Date: Thu, 13 Jan 2022 12:27:22 +0000 Subject: [PATCH 04/18] Minor rewording for clarity Some minor rewording to make it clearer about how to turn off Config Lock, what the last section before the FAQ is about, and to better explain why the Firmware protection image is there. Also took the opportunity to improve the image descriptions. --- windows/client-management/mdm/config-lock.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/config-lock.md b/windows/client-management/mdm/config-lock.md index f1bee95c6a..a13a98d8b4 100644 --- a/windows/client-management/mdm/config-lock.md +++ b/windows/client-management/mdm/config-lock.md @@ -48,31 +48,31 @@ The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Int - **Profile type**: Templates - **Template name**: Custom - :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="create profile"::: + :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates"::: 1. Name your profile. 1. When you reach the Configuration Settings step, select “Add” and add the following information: - **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock - **Data type**: Integer - **Value**: 1
- To turn off Config Lock. Change value to 0. + To turn off Config Lock, change the value to 0. - :::image type="content" source="images/configlock-mem-editrow.png" alt-text="edit row"::: + :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of Config Lock, a Description of Turn on Config Lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1"::: 1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”. 1. You'll not need to set any applicability rules for test purposes. 1. Review the Configuration and select “Create” if everything is correct. 1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled. - :::image type="content" source="images/configlock-mem-dev.png" alt-text="status"::: + :::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the Config Lock device configuration profile, showing one device has succeeded in having this profile applied"::: - :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="device status"::: + :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the Config Lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending"::: -## Disabling +## Configuring Secured-Core PC features -Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enabled/disable) SCPC features via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune. +Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. 
IT Admins retain the ability to change (enable/disable) SCPC features (for example Firmware protection) via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune. -:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="firmware protect"::: +:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off"::: ## FAQ From ebd201659caadd25441a93de831e4cd409cef608 Mon Sep 17 00:00:00 2001 From: Libby Brown <40281215+libbro2006@users.noreply.github.com> Date: Thu, 10 Feb 2022 15:30:44 -0800 Subject: [PATCH 05/18] Update hello-faq.yml Updating a very out of date question around shared devices & FIDO2 security keys. --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 66e88ee1a6..bb118cd3af 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
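Review bot: the virus-initiative-criteria.md hunk removes the NSS Labs and SE Labs rows, but neither the commit message ("updated the list of third party test providers") nor the table says why; state the reason in the commit message so readers of the history can tell whether the labs were dropped as no longer accepted or only because the listed URLs are stale. While touching the table, the remaining rows mix curly and straight quotes (“Approved” vs "AV-TEST Certified") and still use http:// links for SKD Labs and West Coast Labs.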
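Review bot: the alt-texts added in the config-lock.md hunk read like captions (the Edit Row one restates the OMA-URI, data type and value); screen readers announce alt text in full, so keep each to a short description of what the image shows and leave the settings to the numbered steps above, where they already appear. The rename of "## Disabling" to "## Configuring Secured-Core PC features" fits the paragraph under it, which is about changing SCPC features rather than turning Config Lock off, and the "To turn off Config Lock, change the value to 0." wording is clearer than before.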
@@ -48,7 +48,7 @@ sections: - question: How many users can enroll for Windows Hello for Business on a single Windows 10 computer? answer: | - The maximum number of supported enrollments on a single Windows 10 computer is 10. This lets 10 users each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available. + The maximum number of supported enrollments on a single Windows 10 computer is 10. This lets 10 users each enroll their face and up to 10 fingerprints. For devices with more than 10 users, we strongly encourage the use of FIDO2 security keys. - question: How can a PIN be more secure than a password? answer: | From 681af954b9224731feb9f8240f3a67af4395b385 Mon Sep 17 00:00:00 2001 From: Michael Mardahl Date: Wed, 16 Feb 2022 11:51:52 +0100 Subject: [PATCH 06/18] Update hello-faq.yml Added missing information about what happens when PIN policy is changed and that Intune can also be used besides just Configuration manager. #ATCP --- .../identity-protection/hello-for-business/hello-faq.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 66e88ee1a6..c7a144f461 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
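Review bot: the replacement sentence points customers with more than 10 users per device to FIDO2 security keys but gives no link, unlike other answers in this file (e.g. the hello-videos.md reference); add a link to the FIDO2 sign-in guidance so the reader can act on it. Keeping the 10-enrollment cap sentence unchanged ahead of the recommendation is the right order.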
@@ -45,6 +45,10 @@ sections: - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager? answer: | Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](/configmgr/protect/deploy-use/windows-hello-for-business-settings). + + - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Manager Intune? + answer: | + Windows Hello for Business deployments using Intune allows for a great deal of flexibility in deployment. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). - question: How many users can enroll for Windows Hello for Business on a single Windows 10 computer? answer: | @@ -101,6 +105,11 @@ sections: [Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience) For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. + + - question: What happens when a PIN policy is changed? + answer: | + Once a new policy is applied to the users device, the user will be asked to change their PIN once they have typed in the current PIN. + If more than one policy is applied, the most restrictive setting will win. - question: What URLs do I need to allow for a hybrid deployment? answer: | 
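Review bot: subject-verb agreement in the first hunk's new answer: "deployments using Intune allows" should be "allow". The question also names the product "Microsoft Endpoint Manager Intune" while the link text says "Microsoft Intune"; use one form.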
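Review bot: the second hunk's new "What happens when a PIN policy is changed?" answer is ambiguous about what "more than one policy" means (two MDM policies, or Group Policy alongside MDM) and about "will win"; say which policy sources are meant and use "the most restrictive setting applies". Also "users device" needs the possessive ("user's device").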
From 5e26ffe91c26a59bce5720f3e23f98da1ecde7c0 Mon Sep 17 00:00:00 2001 From: Michael Mardahl Date: Thu, 17 Feb 2022 06:40:35 +0100 Subject: [PATCH 07/18] Update windows/security/identity-protection/hello-for-business/hello-faq.yml Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index c7a144f461..e565082227 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -48,7 +48,7 @@ sections: - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Manager Intune? answer: | - Windows Hello for Business deployments using Intune allows for a great deal of flexibility in deployment. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). + Windows Hello for Business deployments using Intune allow for a great deal of flexibility in deployment. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). - question: How many users can enroll for Windows Hello for Business on a single Windows 10 computer? answer: | From bd9e9a4cad015ea225172a292880fed54fbf498a Mon Sep 17 00:00:00 2001 From: Michael Mardahl Date: Thu, 17 Feb 2022 06:40:51 +0100 Subject: [PATCH 08/18] Update windows/security/identity-protection/hello-for-business/hello-faq.yml Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index e565082227..3b2ff6cf66 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -108,7 +108,7 @@ sections: - question: What happens when a PIN policy is changed? answer: | - Once a new policy is applied to the users device, the user will be asked to change their PIN once they have typed in the current PIN. + Once a new policy is applied to the user's device, the user will be asked to change their PIN once they have typed in the current PIN. If more than one policy is applied, the most restrictive setting will win. - question: What URLs do I need to allow for a hybrid deployment? From 0b6731eb371f99e99a390ad368d0873baa0ee9de Mon Sep 17 00:00:00 2001 From: Michael Mardahl Date: Thu, 17 Feb 2022 06:41:03 +0100 Subject: [PATCH 09/18] Update windows/security/identity-protection/hello-for-business/hello-faq.yml Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 3b2ff6cf66..f5dd866ec2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -109,7 +109,7 @@ sections: - question: What happens when a PIN policy is changed? answer: | Once a new policy is applied to the user's device, the user will be asked to change their PIN once they have typed in the current PIN. - If more than one policy is applied, the most restrictive setting will win. + If more than one policy is applied, the most restrictive setting will apply. - question: What URLs do I need to allow for a hybrid deployment? answer: | From 979e6e97c23b21c5b4263286773e6e4ac7e2ab01 Mon Sep 17 00:00:00 2001 From: Masaru Iritani <25241373+masaru-iritani@users.noreply.github.com> Date: Thu, 3 Mar 2022 12:01:40 +0900 Subject: [PATCH 10/18] Update TouchKeyboardEmojiButtonAvailability description --- windows/client-management/mdm/policy-csp-textinput.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index be2edb8989..40575391b4 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md 
@@ -1084,15 +1084,15 @@ The following list shows the supported values: -Specifies whether the emoji button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the emoji button on touch keyboard is disabled. +Specifies whether the emoji, GIF (only in Windows 11), and kaomoji (only in Windows 11) buttons are available or unavailable for the touch keyboard. When this policy is set to disabled, the buttons are hidden and unavailable. The following list shows the supported values: -- 0 (default) - The OS determines when it's most appropriate to be available. -- 1 - Emoji button on keyboard is always available. -- 2 - Emoji button on keyboard is always disabled. +- 0 (default) - The OS determines when buttons are most appropriate to be available. +- 1 - Emoji, GIF, and Kaomoji buttons on the touch keyboard are always available. +- 2 - Emoji, GIF, and Kaomoji buttons on the touch keyboard are always unavailable. From 53d7af922b089922077c3bb4fae4c9c493501bde Mon Sep 17 00:00:00 2001 
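Review bot: the description now says the policy controls "the emoji, GIF (only in Windows 11), and kaomoji (only in Windows 11) buttons", but the two value lines drop the Windows 11 qualifier, so a Windows 10 reader cannot tell that values 1 and 2 only affect the emoji button there; repeat the qualifier or add a note. The description also says "When this policy is set to disabled", yet the supported values are 0/1/2 with 2 meaning "always unavailable"; refer to the value rather than to "disabled". Capitalisation of "kaomoji"/"Kaomoji" differs between the description and the value list.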
From: Simon Biber Date: Thu, 3 Mar 2022 17:56:37 +1030 Subject: [PATCH 11/18] Complexity requirements reduce password strength Long passwords with only alphanumeric characters are not easy to compromise. Short passwords are easy to compromise. Adding length is more important than adding complexity. The article provides a number 218,340,105,584,896 different possibilities for a single password. That number is clearly based on the calculation (26 + 26 + 10)^8 = 218,340,105,584,896 on the basis the 8 characters may be any of 26 uppercase letters, 26 lowercase and 10 digits. However, turning on complexity requirements will ensure that there are at least 3 categories of character, and eliminate some of those possibilities. It will eliminate cases where there were no digits, cases where there are no uppercase letters, and cases where there are no lowercase letters. |---|---| |eight characters of any uppercase, lowercase *or* digits|218,340,105,584,896| | | ... minus ... | |eight characters of uppercase or lowercase with no digits|53,459,728,531,456| | | ... minus ... | |eight characters of lowercase or digits with no uppercase|2,821,109,907,456| | | ... minus ... | |eight characters of uppercase or digits with no lowercase|2,821,109,907,456| | | ... equals ... | |eight characters of uppercase, lowercase *and* digits|159,238,157,238,528| Rather than enforcing complexity, administrators are better off increasing the minimum length. A minimum length of 11 instead of 8 would be sufficient to add so many more possibilities that even if users only used lowercase letters, there are more possibilities of 11 lowercase letters than there are of 8 complex characters: 8 complex characters = 62^8 = 218,340,105,584,896 possibilities 11 lowercase letters = 26^11 = 3,670,344,486,987,776 possibilities --- .../password-must-meet-complexity-requirements.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index 7928508380..74efe115ae 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md 
@@ -62,11 +62,11 @@ Additional settings that can be included in a custom Passfilt.dll are the use of > [!TIP] > For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance). -Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible. +Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible. The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that do not add more complexity to the password.) -Passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and meet complexity requirements. +Short passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and/or meet complexity requirements. ### Location From 139dd2cf0a7716d05b191b720ece999e9b110253 Mon Sep 17 00:00:00 2001 
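Review bot: the subtraction laid out in the commit message double-counts the single-category strings, so the new figure 159,238,157,238,528 is slightly low. Removing the no-digit (52^8), no-uppercase (36^8) and no-lowercase (36^8) sets subtracts the all-lowercase strings (26^8) twice, the all-uppercase strings (26^8) twice and the all-digit strings (10^8) twice; inclusion-exclusion adds each back once: 62^8 - 52^8 - 2*36^8 + 2*26^8 + 10^8 = 159,655,911,367,680. The sentence says "at least", so it stays true, but either correct the number or explain the derivation in the article so the next editor does not "fix" it back. The "and/or" in the second changed line is fine.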
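Added example, not code from the patch or the docs repository: it reproduces the commit message's password-space arithmetic in Python and then carries the count through with full inclusion-exclusion over the three character classes the commit assumes (26 uppercase, 26 lowercase, 10 digits), and checks the 11-lowercase-letters comparison.

```python
"""Password-space counts behind the complexity discussion in the commit above.

Added example, not code from the patch or the docs repository. It assumes the
commit's model: passwords drawn from uppercase (26), lowercase (26) and digits
(10), with "complex" meaning every one of those classes appears at least once.
"""
from itertools import combinations

# Character classes and their sizes, as assumed by the commit message.
CLASSES = {"upper": 26, "lower": 26, "digit": 10}


def total_space(length: int, classes: dict = CLASSES) -> int:
    """All strings of `length` over the union of the classes: 62^8 for length 8."""
    return sum(classes.values()) ** length


def commit_estimate(length: int = 8) -> int:
    """The commit message's figure: total minus the strings that lack each class.

    This is only the first step of inclusion-exclusion. Strings that lack two
    classes (all-lowercase, all-uppercase, all-digit) sit in two of the
    subtracted sets and are removed twice, so the result is a slight undercount.
    """
    upper, lower, digit = CLASSES["upper"], CLASSES["lower"], CLASSES["digit"]
    everything = (upper + lower + digit) ** length
    no_digit = (upper + lower) ** length
    no_upper = (lower + digit) ** length
    no_lower = (upper + digit) ** length
    return everything - no_digit - no_upper - no_lower


def all_classes_present(length: int, classes: dict = CLASSES) -> int:
    """Exact count of strings containing at least one character from every class.

    Full inclusion-exclusion: for each subset of classes that is *excluded*,
    count the strings over the remaining alphabet, with sign (-1)^|subset|.
    """
    names = list(classes)
    count = 0
    for k in range(len(names) + 1):
        for excluded in combinations(names, k):
            remaining = sum(size for name, size in classes.items()
                            if name not in excluded)
            count += (-1) ** k * remaining ** length
    return count


def single_class_space(length: int, size: int = 26) -> int:
    """Strings of `length` over one class only, e.g. lowercase: 26^length."""
    return size ** length


def length_beats_complexity(complex_len: int = 8, plain_len: int = 11) -> bool:
    """The commit's argument: does lowercase-only at `plain_len` characters
    outnumber the full 62-character space at `complex_len` characters?"""
    return single_class_space(plain_len) > total_space(complex_len)


if __name__ == "__main__":
    print(f"62^8                   = {total_space(8):,}")
    print(f"commit's subtraction   = {commit_estimate(8):,}")
    print(f"inclusion-exclusion    = {all_classes_present(8):,}")
    print(f"26^11                  = {single_class_space(11):,}")
    print("11 lowercase beats 8 complex:", length_beats_complexity())
```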
From: Denise Vangel-MSFT Date: Thu, 3 Mar 2022 13:27:29 -0800 Subject: [PATCH 12/18] Update policy-csp-textinput.md --- windows/client-management/mdm/policy-csp-textinput.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 40575391b4..f65160e893 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 03/03/2022 ms.reviewer: manager: dansimp --- From 2f3fc592ff3a295a04165a87302413a740b9f2a7 Mon Sep 17 00:00:00 2001 From: Anthony Swierkosz Date: Sun, 6 Mar 2022 20:50:55 -0500 Subject: [PATCH 13/18] Fixes #10396, spelling and formatting for provisioning multivariant code --- .../provisioning-multivariant.md | 232 +++++++++--------- 1 file changed, 116 insertions(+), 116 deletions(-) diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 028b44c522..d4e1cc8ad0 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md 
@@ -121,30 +121,30 @@ Follow these steps to create a provisioning package with multivariant capabiliti The following example shows the contents of a sample customizations.xml file. ```XML - <?xml version="1.0" encoding="utf-8"?> - - - {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} - My Provisioning Package - 1.0 - OEM - 50 - - - - - - 0 - 0 - 0 - - - 0 - - - - - + + + + {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} + My Provisioning Package + 1.0 + OEM + 50 + + + + + + 0 + 0 + 0 + + + 0 + + + + + ``` 5. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings. @@ -152,48 +152,48 @@ Follow these steps to create a provisioning package with multivariant capabiliti The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**. ```XML - - - - {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} - My Provisioning Package - 1.0 - OEM - 50 - - - - - - 0 - 0 - 0 - - - 0 - - - - - - - - - - - - - - - - - - - - - - - + + + + {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} + My Provisioning Package + 1.0 + OEM + 50 + + + + + + 0 + 0 + 0 + + + 0 + + + + + + + + + + + + + + + + + + + + + + + ``` 6. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this: 
@@ -212,56 +212,56 @@ Follow these steps to create a provisioning package with multivariant capabiliti The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met. ```XML - <?xml version="1.0" encoding="utf-8"?> - - - {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} - My Provisioning Package - 1.0 - OEM - 50 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - 1 - 1 - - - 1 - - - - - - + + + + {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} + My Provisioning Package + 1.0 + OEM + 50 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + 1 + 1 + + + 1 + + + + + + ``` 7. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step. From dd3cd748c45ec7cf53119565286adadb37af6ec0 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 8 Mar 2022 02:11:04 +0200 Subject: [PATCH 14/18] Update hello-why-pin-is-better-than-password.md implementing suggestions given in this task https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10328 --- .../hello-why-pin-is-better-than-password.md | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index 0635a17b37..bf1676989e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md 
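Review bot: in the first and third hunks the `<?xml version="1.0" encoding="utf-8"?>` declaration appears only on the removed side; if that is not just an artifact of how the patch is rendered here, keep the declaration, since the commit is described as a spelling and formatting fix and each sample customizations.xml should still open with it. The element content of the samples is not visible in this rendering, so the re-indentation itself cannot be checked from here.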
@@ -1,6 +1,6 @@ --- -title: Why a PIN is better than a password (Windows) -description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . +title: Why a PIN is better than an online password (Windows) +description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password . ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 keywords: pin, security, password, hello ms.prod: m365-security 
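Review bot: the changed description line keeps a stray space before the final period ("an online password ."); while editing it, end the sentence with a question mark, since it is a question. The title change to "online password" matches the heading change in the next hunk.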
@@ -19,42 +19,44 @@ ms.localizationpriority: medium ms.date: 10/23/2017 --- -# Why a PIN is better than a password +# Why a PIN is better than an online password **Applies to** - Windows 10 - Windows 11 -Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? -On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works. +Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? +On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: 'local' passwords are validated against the machine's password store, whereas 'online' passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. -Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password. +Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password. 
> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA] ## PIN is tied to the device -One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! +One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your online password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device. ## PIN is local to the device -A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. +An online password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. +Note, however, that even though local passwords are also local to the device, they are still less secure than a PIN, as described in the next section. >[!NOTE] >For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello).   
## PIN is backed by hardware -The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM. +The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM. Windows 10, on the other hand, has a defect of not linking local passwords to TPM. This is the reason why PINs are considered more secure than local passwords. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked. + ## PIN can be complex The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](hello-manage-in-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits. From 7ee0c447d1cf0554ec2e142bb3c55e4e90e0a458 Mon Sep 17 00:00:00 2001 
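Review bot: The sentence added under "## PIN is backed by hardware", "Windows 10, on the other hand, has a defect of not linking local passwords to TPM", presents the normal behaviour of local account passwords as a bug; the same hunk explains further up that 'local' passwords are validated against the machine's password store, so say "local passwords are not protected by the TPM, which is why a PIN is considered more secure than a local password" rather than calling it a defect. The hunk also leaves the intro out of step with the new title: the heading becomes "Why a PIN is better than an online password" and the video line says "more secure than an online password", yet the rewritten question still asks "How is a PIN different from (and better than) a local password?", so change that to "an online password" to match. Minor points in the same hunk: a stray empty "+" line is added before "## PIN can be complex", the context still reads "users credentials" (should be "users' credentials"), and `ms.date: 10/23/2017` is not bumped despite substantive content changes.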
From: Florian Stosse Date: Tue, 8 Mar 2022 18:24:05 +0100 Subject: [PATCH 15/18] [WDAC] Fix instructions order for UEFI deployment Fix https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10403 --- .../deployment/deploy-wdac-policies-with-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 4368a1ce60..a51d73c403 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -88,8 +88,8 @@ In addition to the steps outlined above, the binary policy file must also be cop $MountPoint = 'C:\EFI' $EFIDestinationFolder = "$MountPoint\Microsoft\Boot\CiPolicies\Active" $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] - mkdir $EFIDestinationFolder mountvol $MountPoint $EFIPartition + mkdir $EFIDestinationFolder ``` 2. Copy the signed policy to the created folder: From f808c1aa702e5ccff708288440d7d014203849d5 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Tue, 8 Mar 2022 10:44:37 -0800 Subject: [PATCH 16/18] Update windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-why-pin-is-better-than-password.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index bf1676989e..755677290b 100644 
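Review bot: The reorder of `mkdir $EFIDestinationFolder` after `mountvol $MountPoint $EFIPartition` is correct, because `$EFIDestinationFolder` is built under `$MountPoint`; with the old order `mkdir` created the whole `Microsoft\Boot\CiPolicies\Active` tree on the OS volume, and `mountvol` then needs an empty directory as its mount point, so the policy never reached the EFI partition. The hunk still has no failure check between the two steps, though: `mountvol` is an external command that reports failure only through its exit code, not a PowerShell exception, so add something like `if ($LASTEXITCODE -ne 0) { throw "mountvol failed" }` before the `mkdir`, otherwise a failed mount silently recreates the same wrong-volume layout the fix removes. Also worth a sentence in the surrounding text: `(Get-Partition | Where-Object IsSystem).AccessPaths[0]` assumes exactly one system partition, and `mkdir` will error if the destination folder already exists from an earlier deployment, so `New-Item -ItemType Directory -Force` is the safer form for a rerunnable script.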
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -27,7 +27,7 @@ ms.date: 10/23/2017 - Windows 11 Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? -On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: 'local' passwords are validated against the machine's password store, whereas 'online' passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. +On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password. 
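Review bot: Changing the single quotes around local and online to backticks in the "First we need to distinguish between two types of passwords" sentence renders them as code spans, which readers of this docs set take to mean a literal identifier, setting name or command; they are descriptive categories of password, not identifiers, so keep the quotes or use plain prose (bold on first use if emphasis is wanted).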
From 1c4cbd6da537f1bb1fa42ccdc824747e813acc4b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Mar 2022 11:20:19 -0800 Subject: [PATCH 17/18] Update deploy-wdac-policies-with-script.md --- .../deployment/deploy-wdac-policies-with-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index a51d73c403..e7c5dca396 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -10,7 +10,7 @@ ms.reviewer: jogeurte ms.author: jogeurte ms.manager: jsuther manager: dansimp -ms.date: 11/06/2021 +ms.date: 03/08/2022 ms.technology: windows-sec ms.topic: article ms.localizationpriority: medium From dc5b13a4959c8aa127273cdf02b4d71346711c53 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Tue, 8 Mar 2022 12:49:59 -0700 Subject: [PATCH 18/18] Update hello-why-pin-is-better-than-password.md --- .../hello-for-business/hello-why-pin-is-better-than-password.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index 755677290b..6c4c54aee9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md 
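Review bot: Bumping `ms.date` to 03/08/2022 in deploy-wdac-policies-with-script.md is the right companion to the content change in PATCH 15/18, but the series leaves hello-why-pin-is-better-than-password.md, which receives far larger content edits in the other patches, at `ms.date: 10/23/2017` (visible in the context of its hunks); bump it the same way so the freshness metadata matches the edits.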
@@ -43,7 +43,7 @@ Even you can't use that PIN anywhere except on that specific device. If you want An online password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. -Note, however, that even though local passwords are also local to the device, they are still less secure than a PIN, as described in the next section. +However, note that even though local passwords are also local to the device, they are still less secure than a PIN, as described in the next section. >[!NOTE] >For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello).
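Review bot: The change in this hunk is a word-order preference only ("Note, however, that" to "However, note that") with no change in meaning, while the unchanged context two lines below still carries the misspelling "asymetric" in ">For details on how Hello uses asymetric key pairs for authentication"; fix that to "asymmetric" in the same edit rather than spend a commit on the reorder alone.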