mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-18 16:27:22 +00:00
Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20221214-whfb-hybrid
This commit is contained in:
Paolo Matarazzo
commit
3d577b4484
@ -2,6 +2,14 @@
|
||||
|
||||
|
||||
|
||||
## Week of December 19, 2022
|
||||
|
||||
|
||||
| Published On |Topic title | Change |
|
||||
|------|------------|--------|
|
||||
| 12/22/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
|
||||
|
||||
|
||||
## Week of December 12, 2022
|
||||
|
||||
|
||||
|
||||
@ -79,71 +79,71 @@ The following table lists all the applications included in Windows 11 SE and the
|
||||
|
||||
The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]
|
||||
|
||||
| Application | Supported version | App Type | Vendor |
|
||||
|-----------------------------------------|-------------------|----------|------------------------------|
|
||||
| 3d builder | 15.2.10821.1070 | Win32 | Microsoft |
|
||||
|Absolute Software Endpoint Agent | 7.20.0.1 | Win32 | Absolute Software Corporation|
|
||||
| AirSecure | 8.0.0 | Win32 | AIR |
|
||||
| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
|
||||
| Brave Browser | 106.0.5249.65 | Win32 | Brave |
|
||||
| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb |
|
||||
| CA Secure Browser | 14.0.0 | Win32 | Cambium Development |
|
||||
| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco |
|
||||
| CKAuthenticator | 3.6+ | Win32 | Content Keeper |
|
||||
| Class Policy | 114.0.0 | Win32 | Class Policy |
|
||||
| Classroom.cloud | 1.40.0004 | Win32 | NetSupport |
|
||||
| CoGat Secure Browser | 11.0.0.19 | Win32 | Riverside Insights |
|
||||
| Dragon Professional Individual | 15.00.100 | Win32 | Nuance Communications |
|
||||
| DRC INSIGHT Online Assessments | 12.0.0.0 | Store | Data recognition Corporation |
|
||||
| Duo from Cisco | 2.25.0 | Win32 | Cisco |
|
||||
| e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking |
|
||||
| Epson iProjection | 3.31 | Win32 | Epson |
|
||||
| eTests | 4.0.25 | Win32 | CASAS |
|
||||
| FortiClient | 7.2.0.4034+ | Win32 | Fortinet |
|
||||
| Free NaturalReader | 16.1.2 | Win32 | Natural Soft |
|
||||
| Ghotit Real Writer & Reader | 10.14.2.3 | Win32 | Ghotit Ltd |
|
||||
| GoGuardian | 1.4.4 | Win32 | GoGuardian |
|
||||
| Google Chrome | 102.0.5005.115 | Win32 | Google |
|
||||
| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education |
|
||||
| Immunet | 7.5.0.20795 | Win32 | Immunet |
|
||||
| Impero Backdrop Client | 4.4.86 | Win32 | Impero Software |
|
||||
| Inspiration 10 | 10.11 | Win32 | TechEdology Ltd |
|
||||
| JAWS for Windows | 2022.2112.24 | Win32 | Freedom Scientific |
|
||||
| Kite Student Portal | 9.0.0.0 | Win32 | Dynamic Learning Maps |
|
||||
| Kortext | 2.3.433.0 | Store | Kortext |
|
||||
| Kurzweil 3000 Assistive Learning | 20.13.0000 | Win32 | Kurzweil Educational Systems |
|
||||
| LanSchool Classic | 9.1.0.46 | Win32 | Stoneware, Inc. |
|
||||
| LanSchool Air | 2.0.13312 | Win32 | Stoneware, Inc. |
|
||||
| Lightspeed Smart Agent | 1.9.1 | Win32 | Lightspeed Systems |
|
||||
| MetaMoJi ClassRoom | 3.12.4.0 | Store | MetaMoJi Corporation |
|
||||
| Microsoft Connect | 10.0.22000.1 | Store | Microsoft |
|
||||
| Mozilla Firefox | 99.0.1 | Win32 | Mozilla |
|
||||
| NAPLAN | 2.5.0 | Win32 | NAP |
|
||||
| Netref Student | 22.2.0 | Win32 | NetRef |
|
||||
| NetSupport Manager | 12.01.0014 | Win32 | NetSupport |
|
||||
| NetSupport Notify | 5.10.1.215 | Win32 | NetSupport |
|
||||
| NetSupport School | 14.00.0011 | Win32 | NetSupport |
|
||||
| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies |
|
||||
| NonVisual Desktop Access | 2021.3.1 | Win32 | NV Access |
|
||||
| NWEA Secure Testing Browser | 5.4.356.0 | Win32 | NWEA |
|
||||
| PaperCut | 22.0.6 | Win32 | PaperCut Software International Pty Ltd |
|
||||
| Pearson TestNav | 1.10.2.0 | Store | Pearson |
|
||||
| Questar Secure Browser | 4.8.3.376 | Win32 | Questar, Inc |
|
||||
| ReadAndWriteForWindows | 12.0.60.0 | Win32 | Texthelp Ltd. |
|
||||
| Remote Desktop client (MSRDC) | 1.2.3213.0 | Win32 | Microsoft |
|
||||
| Remote Help | 3.8.0.12 | Win32 | Microsoft |
|
||||
| Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus |
|
||||
| Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser |
|
||||
| Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud |
|
||||
| Smoothwall Monitor | 2.8.0 | Win32 | Smoothwall Ltd
|
||||
| SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access |
|
||||
| SuperNova Magnifier & Speech | 21.02 | Win32 | Dolphin Computer Access |
|
||||
| VitalSourceBookShelf | 10.2.26.0 | Win32 | VitalSource Technologies Inc |
|
||||
| Winbird | 19 | Win32 | Winbird Co., Ltd. |
|
||||
| WordQ | 5.4.23 | Win32 | Mathetmots |
|
||||
| Zoom | 5.9.1 (2581) | Win32 | Zoom |
|
||||
| ZoomText Fusion | 2022.2109.10 | Win32 | Freedom Scientific |
|
||||
| ZoomText Magnifier/Reader | 2022.2109.25 | Win32 | Freedom Scientific |
|
||||
| Application | Supported version | App Type | Vendor |
|
||||
|-------------------------------------------|-------------------|----------|-------------------------------------------|
|
||||
| `3d builder` | `18.0.1931.0` | Win32 | `Microsoft` |
|
||||
| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation` |
|
||||
| `AirSecure` | 8.0.0 | Win32 | `AIR` |
|
||||
| `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` |
|
||||
| `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` |
|
||||
| `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` |
|
||||
| `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` |
|
||||
| `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` |
|
||||
| `CKAuthenticator` | 3.6+ | Win32 | `Content Keeper` |
|
||||
| `Class Policy` | 114.0.0 | Win32 | `Class Policy` |
|
||||
| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
|
||||
| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
|
||||
| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
|
||||
| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` |
|
||||
| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
|
||||
| `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` |
|
||||
| `Epson iProjection` | 3.31 | Win32 | `Epson` |
|
||||
| `eTests` | 4.0.25 | Win32 | `CASAS` |
|
||||
| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` |
|
||||
| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
|
||||
| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
|
||||
| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
|
||||
| `Google Chrome` | 102.0.5005.115 | Win32 | `Google` |
|
||||
| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
|
||||
| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
|
||||
| `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
|
||||
| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` |
|
||||
| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` |
|
||||
| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` |
|
||||
| `Kortext` | 2.3.433.0 | `Store` | `Kortext` |
|
||||
| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` |
|
||||
| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` |
|
||||
| `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` |
|
||||
| `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` |
|
||||
| `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` |
|
||||
| `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
|
||||
| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` |
|
||||
| `NAPLAN` | 2.5.0 | Win32 | `NAP` |
|
||||
| `Netref Student` | 22.2.0 | Win32 | `NetRef` |
|
||||
| `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` |
|
||||
| `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` |
|
||||
| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` |
|
||||
| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` |
|
||||
| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` |
|
||||
| `NWEA Secure Testing Browser` | 5.4.356.0 | Win32 | `NWEA` |
|
||||
| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` |
|
||||
| `Pearson TestNav` | 1.10.2.0 | `Store` | `Pearson` |
|
||||
| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` |
|
||||
| `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` |
|
||||
| `Remote Desktop client (MSRDC)` | 1.2.3213.0 | Win32 | `Microsoft` |
|
||||
| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` |
|
||||
| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
|
||||
| `Safe Exam Browser` | 3.3.2.413 | Win32 | `Safe Exam Browser` |
|
||||
| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
|
||||
| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` |
|
||||
| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
|
||||
| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
|
||||
| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
|
||||
| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
|
||||
| `WordQ` | 5.4.23 | Win32 | `Mathetmots` |
|
||||
| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
|
||||
| `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` |
|
||||
| `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` |
|
||||
|
||||
## Add your own applications
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Azure Active Directory integration with MDM
|
||||
description: Azure Active Directory is the world largest enterprise cloud identity management service.
|
||||
description: Azure Active Directory is the world's largest enterprise cloud identity management service.
|
||||
ms.reviewer:
|
||||
manager: aaroncz
|
||||
ms.author: vinpa
|
||||
@ -14,7 +14,7 @@ ms.date: 12/31/2017
|
||||
|
||||
# Azure Active Directory integration with MDM
|
||||
|
||||
Azure Active Directory is the world largest enterprise cloud identity management service. It’s used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
|
||||
Azure Active Directory is the world's largest enterprise cloud identity management service. It’s used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
|
||||
|
||||
Once a device is enrolled in MDM, the MDM:
|
||||
|
||||
|
||||
@ -337,7 +337,7 @@ To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then si
|
||||
|
||||
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
|
||||
|
||||
`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
|
||||
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
|
||||
|
||||
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
|
||||
|
||||
|
||||
@ -28,12 +28,18 @@ sections:
|
||||
- question: What are the prerequisites and hardware requirements?
|
||||
answer: |
|
||||
- Azure subscription
|
||||
- Hardware to host Microsoft Connected Cache:
|
||||
- Hardware to host Microsoft Connected Cache
|
||||
- Ubuntu 20.04 LTS on a physical server or VM of your choice.
|
||||
|
||||
> [!NOTE]
|
||||
> The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 20.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support?view=iotedge-2020-11#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS.
|
||||
|
||||
The following are recommended hardware configurations:
|
||||
|
||||
<!--Using include file, mcc-prerequisites.md, for shared content on DO monitoring-->
|
||||
[!INCLUDE [Microsoft Connected Cache Prerequisites](includes/mcc-prerequisites.md)]
|
||||
|
||||
We have one customer who is able to achieve 40-Gbps egress rate using the following hardware specification:
|
||||
We have one customer who is able to achieve mid-30s Gbps egress rate using the following hardware specification:
|
||||
- Dell PowerEdge R330
|
||||
- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
|
||||
- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
|
||||
|
||||
@ -64,7 +64,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
|
||||
| [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 |
|
||||
| [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 |
|
||||
| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 |
|
||||
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 1809 |
|
||||
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 |
|
||||
| [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 |
|
||||
| [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 |
|
||||
|
||||
|
||||
@ -21,6 +21,7 @@ ms.date: 12/31/2017
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server
|
||||
|
||||
## What is a servicing stack update?
|
||||
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
|
||||
@ -61,3 +62,5 @@ Typically, the improvements are reliability and performance improvements that do
|
||||
## Simplifying on-premises deployment of servicing stack updates
|
||||
|
||||
With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
|
||||
|
||||
|
||||
|
||||
@ -8,7 +8,7 @@ author: mestew
|
||||
ms.author: mstewart
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
ms.date: 12/05/2022
|
||||
ms.date: 12/22/2022
|
||||
ms.technology: itpro-updates
|
||||
---
|
||||
|
||||
@ -27,7 +27,7 @@ This article is targeted at configuring devices enrolled to [Microsoft Intune](/
|
||||
|
||||
## Create a configuration profile
|
||||
|
||||
Create a configuration profile that will set the required policies for Windows Update for Business reports. There are two profile types that can be used to create a configuration profile for Windows Update for Business reports:
|
||||
Create a configuration profile that will set the required policies for Windows Update for Business reports. There are two profile types that can be used to create a configuration profile for Windows Update for Business reports (select one):
|
||||
- The [settings catalog](#settings-catalog)
|
||||
- [Template](#custom-oma-uri-based-profile) for a custom OMA URI-based profile
|
||||
|
||||
@ -45,9 +45,12 @@ Create a configuration profile that will set the required policies for Windows U
|
||||
- **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*)
|
||||
- **Setting**: Allow Update Compliance Processing
|
||||
- **Value**: Enabled
|
||||
1. Recommended settings, but not required:
|
||||
- **Setting**: Configure Telemetry Opt In Settings Ux
|
||||
- **Value**: Disabled (*By turning this setting on you are disabling the ability for a user to potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports*)
|
||||
- **Setting**: Configure Telemetry Opt In Change Notification
|
||||
1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports:
|
||||
- **Setting**: Allow device name to be sent in Windows diagnostic data
|
||||
- **Value**: Disabled (*By turning this setting on you are disabling notifications of diagnostic data changes*)
|
||||
- **Setting**: Allow device name to be sent in Windows diagnostic data (*If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports*)
|
||||
- **Value**: Allowed
|
||||
|
||||
1. Continue through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
|
||||
|
||||
@ -203,6 +203,7 @@ The following table indicates which command-line options aren't compatible with
|
||||
|**/encrypt**|Required*|X|X||
|
||||
|**/keyfile**|N/A||X||
|
||||
|**/l**|||||
|
||||
|**/listfiles**|||X||
|
||||
|**/progress**|||X||
|
||||
|**/r**|||X||
|
||||
|**/w**|||X||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
### YamlMime:FAQ
|
||||
metadata:
|
||||
title: Windows Hello for Business Frequently Asked Questions (FAQ)
|
||||
description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
|
||||
description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
|
||||
keywords: identity, PIN, biometric, Hello, passport
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-security
|
||||
@ -29,16 +29,16 @@ sections:
|
||||
|
||||
- question: What is Windows Hello for Business cloud Kerberos trust?
|
||||
answer: |
|
||||
Windows Hello for Business cloud Kerberos trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid cloud Kerberos trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
|
||||
Windows Hello for Business *cloud Kerberos trust* is a **trust model** that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
|
||||
|
||||
|
||||
- question: What about virtual smart cards?
|
||||
answer: |
|
||||
Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8.
|
||||
Windows Hello for Business is the modern, two-factor credential for Windows. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows deployments use Windows Hello for Business.
|
||||
|
||||
- question: What about convenience PIN?
|
||||
answer: |
|
||||
Microsoft is committed to its vision of a <u>world without passwords.</u> We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends that customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
|
||||
While *convenience PIN* provides a convenient way to sign in to Windows, it stills uses a password for authentication. Customers using *convenience PINs* should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
|
||||
|
||||
- question: Can I use Windows Hello for Business key trust and RDP?
|
||||
answer: |
|
||||
@ -63,7 +63,7 @@ sections:
|
||||
|
||||
- question: How can a PIN be more secure than a password?
|
||||
answer: |
|
||||
When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.
|
||||
When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.
|
||||
The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
|
||||
|
||||
- question: What's a container?
|
||||
@ -94,7 +94,7 @@ sections:
|
||||
|
||||
- question: Can I use a convenience PIN with Azure Active Directory?
|
||||
answer: |
|
||||
It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
|
||||
It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. However, convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
|
||||
|
||||
- question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera?
|
||||
answer: |
|
||||
@ -169,7 +169,7 @@ sections:
|
||||
|
||||
- question: Where is Windows Hello biometrics data stored?
|
||||
answer: |
|
||||
When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
|
||||
When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
|
||||
|
||||
- question: What is the format used to store Windows Hello biometrics data on the device?
|
||||
answer: |
|
||||
@ -233,9 +233,9 @@ sections:
|
||||
|
||||
- question: How does PIN caching work with Windows Hello for Business?
|
||||
answer: |
|
||||
Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key.
|
||||
Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key.
|
||||
|
||||
Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN.
|
||||
Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN.
|
||||
|
||||
The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. Windows 10 doesn't provide any Group Policy settings to adjust this caching.
|
||||
|
||||
|
||||
@ -45,9 +45,9 @@ Windows stores biometric data that is used to implement Windows Hello securely o
|
||||
|
||||
## The difference between Windows Hello and Windows Hello for Business
|
||||
|
||||
- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it's not backed by asymmetric (public/private key) or certificate-based authentication.
|
||||
- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on an individual's account type. This configuration is referred to as *Windows Hello convenience PIN* and it's not backed by asymmetric (public/private key) or certificate-based authentication.
|
||||
|
||||
- **Windows Hello for Business**, which is configured by group policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This behavior makes it more secure than **Windows Hello convenience PIN**.
|
||||
- *Windows Hello for Business*, which is configured by group policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This behavior makes it more secure than *Windows Hello convenience PIN*.
|
||||
|
||||
## Benefits of Windows Hello
|
||||
|
||||
|
||||
@ -35,6 +35,11 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge
|
||||
|
||||
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
|
||||
|
||||
> [!NOTE]
|
||||
> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users:
|
||||
> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5).
|
||||
> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5).
|
||||
|
||||
## Managing workplace-joined PCs and phones
|
||||
|
||||
For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.
|
||||
|
||||
@ -48,11 +48,11 @@ ms.date: 12/13/2022
|
||||
|
||||
- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
|
||||
|
||||
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps).
|
||||
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps).
|
||||
|
||||
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
|
||||
|
||||
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
|
||||
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
|
||||
|
||||
- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
|
||||
|
||||
|
||||
@ -20,8 +20,9 @@ ms.date: 12/31/2017
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows Server 2022
|
||||
- Windows Server 2019
|
||||
- Windows Server 2016
|
||||
|
||||
This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
|
||||
|
||||
@ -74,15 +75,14 @@ Some things that you can check on the device are:
|
||||
- Is SecureBoot supported and enabled?
|
||||
|
||||
> [!NOTE]
|
||||
> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
|
||||
> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows 10, version 1607. TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
|
||||
|
||||
## Supported versions for device health attestation
|
||||
|
||||
| TPM version | Windows 11 | Windows 10 | Windows Server 2016 | Windows Server 2019 |
|
||||
|-------------|-------------|-------------|---------------------|---------------------|
|
||||
| TPM 1.2 | | >= ver 1607 | >= ver 1607 | Yes |
|
||||
| TPM 2.0 | Yes | Yes | Yes | Yes |
|
||||
|
||||
| TPM version | Windows 11 | Windows 10 | Windows Server 2022 | Windows Server 2019 | Windows Server 2016 |
|
||||
|-------------|-------------|-------------|---------------------|---------------------|---------------------|
|
||||
| TPM 1.2 | | >= ver 1607 | | Yes | >= ver 1607 |
|
||||
| TPM 2.0 | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -171,4 +171,8 @@ Resource SACLs are also useful for diagnostic scenarios. For example, administra
|
||||
|
||||
This category includes the following subcategories:
|
||||
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
|
||||
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
|
||||
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
|
||||
|
||||
@ -38,6 +38,6 @@ Basic security audit policy settings are found under Computer Configuration\\Win
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
|
||||
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
|
||||
|
||||
|
||||
|
||||
@ -158,15 +158,15 @@ This event generates only if Success auditing is enabled for the [Audit Handle M
|
||||
|
||||
**Access Request Information:**
|
||||
|
||||
- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same the **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
|
||||
- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
|
||||
|
||||
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
|
||||
|
||||
> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
|
||||
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
|
||||
|
||||
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
|
||||
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
|
||||
|
||||
- **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below:
|
||||
|
||||
@ -218,4 +218,4 @@ For 4661(S, F): A handle to an object was requested.
|
||||
|
||||
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
|
||||
|
||||
- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document.
|
||||
- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document.
|
||||
|
||||
@ -126,12 +126,12 @@ These events are generated for [ALPC Ports](/windows/win32/etw/alpc) access requ
|
||||
|
||||
**Access Request Information:**
|
||||
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. “Table 13. File access codes.” contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
|
||||
|
||||
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
|
||||
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
|
||||
|
||||
## Security Monitoring Recommendations
|
||||
|
||||
For 4691(S): Indirect access to an object was requested.
|
||||
|
||||
- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports.
|
||||
- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports.
|
||||
|
||||
@ -133,7 +133,7 @@ This event generates once per session, when first access attempt was made.
|
||||
|
||||
**Access Request Information:**
|
||||
|
||||
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. Has always “**0x1**” value for this event.
|
||||
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights. It always has “**0x1**” value for this event.
|
||||
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event.
|
||||
|
||||
|
||||
@ -135,7 +135,7 @@ This event generates every time network share object (file or folder) was access
|
||||
|
||||
**Access Request Information:**
|
||||
|
||||
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights.
|
||||
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights.
|
||||
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**.
|
||||
|
||||
@ -319,4 +319,4 @@ For 5145(S, F): A network share object was checked to see whether client can be
|
||||
|
||||
- WRITE\_DAC
|
||||
|
||||
- WRITE\_OWNER
|
||||
- WRITE\_OWNER
|
||||
|
||||
@ -82,7 +82,7 @@ Application Guard functionality is turned off by default. However, you can quick
|
||||
3. Type the following command:
|
||||
|
||||
```
|
||||
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
|
||||
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
|
||||
```
|
||||
4. Restart the device.
|
||||
|
||||
|
||||
@ -22,6 +22,7 @@ ms.technology: itpro-security
|
||||
# Account lockout duration
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting.
|
||||
|
||||
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Account Lockout Policy
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the Account Lockout Policy settings and links to information about each policy setting.
|
||||
|
||||
@ -22,6 +22,7 @@ ms.technology: itpro-security
|
||||
# Account lockout threshold
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting.
|
||||
|
||||
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Account Policies
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
An overview of account policies in Windows and provides links to policy descriptions.
|
||||
|
||||
@ -94,7 +94,7 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl
|
||||
|
||||
**To administer security policies by using the Security Compliance Manager**
|
||||
|
||||
1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](/archive/blogs/secguide/) blog.
|
||||
1. Download the most recent version. You can find more info on the [Microsoft Security Baselines](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) blog.
|
||||
1. Read the relevant security baseline documentation that is included in this tool.
|
||||
1. Download and import the relevant security baselines. The installation process steps you through baseline selection.
|
||||
1. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
|
||||
|
||||
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Audit Policy
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Provides information about basic audit policies that are available in Windows and links to information about each setting.
|
||||
|
||||
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Enforce password history
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.
|
||||
|
||||
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Maximum password age
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.
|
||||
|
||||
@ -19,6 +19,7 @@ ms.topic: conceptual
|
||||
# Minimum password age
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.
|
||||
@ -90,4 +91,4 @@ If you set a password for a user but want that user to change the password when
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Password Policy](password-policy.md)
|
||||
- [Password Policy](password-policy.md)
|
||||
|
||||
@ -22,6 +22,7 @@ ms.technology: itpro-security
|
||||
# Minimum password length
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
This article describes the recommended practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.
|
||||
|
||||
@ -22,6 +22,7 @@ ms.date: 12/31/2017
|
||||
# Password must meet complexity requirements
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.
|
||||
|
||||
@ -22,6 +22,7 @@ ms.technology: itpro-security
|
||||
# Password Policy
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
An overview of password policies for Windows and links to information for each policy setting.
|
||||
|
||||
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Reset account lockout counter after
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting.
|
||||
@ -76,4 +77,4 @@ If you don't configure this policy setting or if the value is configured to an i
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Account Lockout Policy](account-lockout-policy.md)
|
||||
- [Account Lockout Policy](account-lockout-policy.md)
|
||||
|
||||
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Advanced security audit policy settings for Windows 10
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.
|
||||
|
||||
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Store passwords using reversible encryption
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.
|
||||
|
||||
@ -398,6 +398,17 @@ The following GPO snippet performs the following tasks:
|
||||
|
||||
|
||||
|
||||
The following table also contains the six actions to configure in the GPO:
|
||||
|
||||
| Program/Script | Arguments |
|
||||
|------------------------------------|----------------------------------------------------------------------------------------------------------|
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /e:true |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ms:102432768 |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-AppLocker/EXE and DLL" /ms:102432768 |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ca:"O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-32-573)" |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /e:true |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /ms:52432896 |
|
||||
|
||||
## <a href="" id="bkmk-appendixd"></a>Appendix D - Minimum GPO for WEF Client configuration
|
||||
|
||||
Here are the minimum steps for WEF to operate:
|
||||
@ -656,4 +667,4 @@ You can get more info with the following links:
|
||||
- [Event Queries and Event XML](/previous-versions/bb399427(v=vs.90))
|
||||
- [Event Query Schema](/windows/win32/wes/queryschema-schema)
|
||||
- [Windows Event Collector](/windows/win32/wec/windows-event-collector)
|
||||
- [4625(F): An account failed to log on](./auditing/event-4625.md)
|
||||
- [4625(F): An account failed to log on](./auditing/event-4625.md)
|
||||
|
||||
@ -35,8 +35,6 @@ You must have Windows 10, version 1709 or later. The ADMX/ADML template files fo
|
||||
|
||||
There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information.
|
||||
|
||||
This can only be done in Group Policy.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
@ -47,6 +45,9 @@ This can only be done in Group Policy.
|
||||
|
||||
1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
> [!NOTE]
|
||||
> This can only be done in Group Policy.
|
||||
|
||||
2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
|
||||
@ -58,5 +59,7 @@ This can only be done in Group Policy.
|
||||
|
||||
7. Select **OK** after you configure each setting to save your changes.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
|
||||
To enable the customized notifications and add the contact information in Intune, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy) and [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
|
||||
|
||||
@ -49,7 +49,7 @@ Windows Sandbox has the following properties:
|
||||
- If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
|
||||
|
||||
```powershell
|
||||
Set-VMProcessor -VMName \<VMName> -ExposeVirtualizationExtensions $true
|
||||
Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
|
||||
```
|
||||
|
||||
3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
|
||||
@ -57,7 +57,11 @@ Windows Sandbox has the following properties:
|
||||
If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2.
|
||||
|
||||
> [!NOTE]
|
||||
> To enable Sandbox using PowerShell, open PowerShell as Administrator and run **Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online**.
|
||||
> To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
|
||||
>
|
||||
> ```powershell
|
||||
> Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
|
||||
> ```
|
||||
|
||||
4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
|
||||
|
||||
|
||||
@ -13,7 +13,7 @@ ms.date: 12/31/2017
|
||||
---
|
||||
|
||||
# Zero Trust and Windows device health
|
||||
Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps addresses today's complex environments.
|
||||
Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps address today's complex environments.
|
||||
|
||||
The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
|
||||
|
||||
|
||||
@ -286,9 +286,12 @@ One of the things we’ve heard from you is that it’s hard to know when you’
|
||||
|
||||
## Remote Desktop with Biometrics
|
||||
|
||||
Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
|
||||
Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol.
|
||||
Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture.
|
||||
|
||||
To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN.
|
||||
Azure Active Directory and Active Directory users using Windows Hello for Business in a certificate trust model, can use biometrics to authenticate to a remote desktop session.
|
||||
|
||||
To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the device you want to connect to, and select **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also select **More choices** to choose alternate credentials. Windows uses biometrics to authenticate the RDP session to the Windows device. You can continue to use Windows Hello for Business in the remote session, but in the remote session you must use the PIN.
|
||||
|
||||
See the following example:
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user