From 904909a5dcc685b7b0cc9b87ccfdebc9b69d751e Mon Sep 17 00:00:00 2001 From: Mohammed Tanveer Date: Thu, 8 Feb 2024 11:29:19 +0530 Subject: [PATCH 01/11] Update applications-that-can-bypass-wdac.md Included dbgsrv.exe to the ruleset that was missing & a known WDAC bypass. --- .../design/applications-that-can-bypass-wdac.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md index bcce7c5578..1fc600cfee 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md @@ -57,6 +57,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - wsl.exe - wslconfig.exe - wslhost.exe +- dbgsrv.exe 1 A vulnerability in bginfo.exe was fixed in version 4.22. If you use BGInfo, for security, make sure to download and run the latest version of [BGInfo](/sysinternals/downloads/bginfo). BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. @@ -136,6 +137,7 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and + From 60e1bd1a4213aa1bdbdd0b3abe862b2f4ac8ef37 Mon Sep 17 00:00:00 2001 From: Mohammed Tanveer Date: Tue, 27 Feb 2024 18:56:34 +0530 Subject: [PATCH 02/11] Update applications-that-can-bypass-wdac.md Sorted list alphabetically & included an RuleID for scenario as well. --- .../design/applications-that-can-bypass-wdac.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md index 1fc600cfee..008ae3d8ea 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md @@ -26,6 +26,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - csi.exe - dbghost.exe - dbgsvc.exe +- dbgsrv.exe - dnx.exe - dotnet.exe - fsi.exe @@ -57,7 +58,6 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - wsl.exe - wslconfig.exe - wslhost.exe -- dbgsrv.exe 1 A vulnerability in bginfo.exe was fixed in version 4.22. If you use BGInfo, for security, make sure to download and run the latest version of [BGInfo](/sysinternals/downloads/bginfo). BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. @@ -137,7 +137,6 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and - @@ -145,6 +144,7 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and + @@ -856,6 +856,7 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and + From 34e0d0d87b40e60013968aa9ad46eab0ffc4502d Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 12 Mar 2024 08:02:07 -0400 Subject: [PATCH 03/11] Refactor code to improve performance and readability --- windows/security/index.yml | 250 +++++++++++++++---------------------- 1 file changed, 103 insertions(+), 147 deletions(-) 
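Review bot: in PATCH 02/11, the first hunk of applications-that-can-bypass-wdac.md (@@ -26,6 +26,7 @@) inserts dbgsrv.exe after dbgsvc.exe, but "dbgsrv" sorts before "dbgsvc" (r comes before v), so the list is still not alphabetical as the commit message claims. Move the new entry up one line so that it sits between dbghost.exe and dbgsvc.exe. Since 01/11 appended the entry at the end of the list and 02/11 only relocates it, the two commits could also be squashed into one that adds it in the right place.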
diff --git a/windows/security/index.yml b/windows/security/index.yml index 8f543bcde6..2ebd57c1ef 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml 
@@ -1,167 +1,123 @@ -### YamlMime:Hub +### YamlMime:Landing title: Windows client security documentation summary: Learn how to secure Windows clients for your organization. -brand: windows metadata: - ms.topic: hub-page + ms.topic: landing-page ms.collection: - tier1 - essentials-navigation author: paolomatarazzo ms.author: paoloma manager: aaroncz - ms.date: 09/18/2023 + ms.date: 03/12/2024 -highlightedContent: - items: - - title: Get started with Windows security - itemType: get-started - url: introduction.md - - title: Windows 11, version 22H2 - itemType: whats-new - url: /windows/whats-new/whats-new-windows-11-version-22H2 - - title: Advance your security posture with Microsoft Intune from chip to cloud - itemType: learn - url: https://learn.microsoft.com/training/modules/m365-advance-organization-security-posture/ - - title: Security features licensing and edition requirements - itemType: overview - url: /windows/security/licensing-and-edition-requirements +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new +landingContent: -productDirectory: - title: Get started - items: + - title: Learn about hardware security + linkLists: + - linkListType: overview + links: + - text: Trusted Platform Module + url: /windows/security/hardware-security/tpm/trusted-platform-module-overview + - text: Microsoft Pluton + url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor + - text: Windows Defender System Guard + url: /windows-hardware/design/device-experiences/oem-vbs + - text: Virtualization-based security (VBS) + url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows + - text: Secured-core PC + url: /windows-hardware/design/device-experiences/oem-highly-secure-11 - - title: Hardware security - imageSrc: /media/common/i_usb.svg - links: - - url: 
/windows/security/hardware-security/tpm/trusted-platform-module-overview - text: Trusted Platform Module - - url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor - text: Microsoft Pluton - - url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows - text: Windows Defender System Guard - - url: /windows-hardware/design/device-experiences/oem-vbs - text: Virtualization-based security (VBS) - - url: /windows-hardware/design/device-experiences/oem-highly-secure-11 - text: Secured-core PC - - url: /windows/security/hardware-security - text: Learn more about hardware security > + - title: Learn about OS security + linkLists: + - linkListType: overview + links: + - text: Trusted boot + url: /windows/security/operating-system-security + - text: Windows security settings + url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center + - text: BitLocker + url: /windows/security/operating-system-security/data-protection/bitlocker/ + - text: Windows security baselines + url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines + - text: Microsoft Defender SmartScreen + url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ - - title: OS security - imageSrc: /media/common/i_threat-protection.svg - links: - - url: /windows/security/operating-system-security - text: Trusted boot - - url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center - text: Windows security settings - - url: /windows/security/operating-system-security/data-protection/bitlocker/ - text: BitLocker - - url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines - text: Windows security baselines - 
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ - text: Microsoft Defender SmartScreen - - url: /windows/security/operating-system-security - text: Learn more about OS security > + - title: Learn about hardware security + linkLists: + - linkListType: overview + links: + - text: Trusted Platform Module + url: /windows/security/hardware-security/tpm/trusted-platform-module-overview + - text: Microsoft Pluton + url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor + - text: Windows Defender System Guard + url: /windows-hardware/design/device-experiences/oem-vbs + - text: Virtualization-based security (VBS) + url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows + - text: Secured-core PC + url: /windows-hardware/design/device-experiences/oem-highly-secure-11 - - title: Identity protection - imageSrc: /media/common/i_identity-protection.svg - links: - - url: /windows/security/identity-protection/hello-for-business - text: Windows Hello for Business - - url: /windows/security/identity-protection/passwordless-experience - text: Windows passwordless experience - - url: /windows/security/identity-protection/web-sign-in - text: Web sign-in for Windows - - url: /windows/security/identity-protection/passkeys - text: Support for passkeys in Windows - - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection - text: Enhanced phishing protection with SmartScreen - - url: /windows/security/identity-protection - text: Learn more about identity protection > + - title: Learn about identity protection + linkLists: + - linkListType: overview + links: + - text: Windows Hello for Business + url: /windows/security/identity-protection/hello-for-business + - text: Windows passwordless experience + url: /windows/security/identity-protection/passwordless-experience + - text: Web 
sign-in for Windows + url: /windows/security/identity-protection/web-sign-in + - text: Support for passkeys in Windows + url: /windows/security/identity-protection/passkeys + - text: Enhanced phishing protection with SmartScreen + url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection - - title: Application security - imageSrc: /media/common/i_queries.svg - links: - - url: /windows/security/application-security/application-control/windows-defender-application-control/ - text: Windows Defender Application Control (WDAC) - - url: /windows/security/application-security/application-control/user-account-control - text: User Account Control (UAC) - - url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules - text: Microsoft vulnerable driver blocklist - - url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview - text: Microsoft Defender Application Guard (MDAG) - - url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview - text: Windows Sandbox - - url: /windows/security/application-security - text: Learn more about application security > + - title: Learn about application security + linkLists: + - linkListType: overview + links: + - text: Windows Defender Application Control (WDAC) + url: /windows/security/application-security/application-control/windows-defender-application-control/ + - text: User Account Control (UAC) + url: /windows/security/application-security/application-control/user-account-control + - text: Microsoft vulnerable driver blocklist + url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules + - text: Microsoft Defender Application Guard (MDAG) + url: 
/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview + - text: Windows Sandbox + url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview - - title: Security foundations - imageSrc: /media/common/i_build.svg - links: - - url: /windows/security/security-foundations/certification/fips-140-validation - text: FIPS 140-2 validation - - url: /windows/security/security-foundations/certification/windows-platform-common-criteria - text: Common Criteria Certifications - - url: /windows/security/security-foundations/msft-security-dev-lifecycle - text: Microsoft Security Development Lifecycle (SDL) - - url: https://www.microsoft.com/msrc/bounty-windows-insider-preview - text: Microsoft Windows Insider Preview bounty program - - url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/ - text: OneFuzz service - - url: /windows/security/security-foundations - text: Learn more about security foundations > + - title: Learn about security foundations + linkLists: + - linkListType: overview + links: + - text: FIPS 140-2 validation + url: /windows/security/security-foundations/certification/fips-140-validation + - text: Common Criteria Certifications + url: /windows/security/security-foundations/certification/windows-platform-common-criteria + - text: Microsoft Security Development Lifecycle (SDL) + url: /windows/security/security-foundations/msft-security-dev-lifecycle + - text: Microsoft Windows Insider Preview bounty program + url: https://www.microsoft.com/msrc/bounty-windows-insider-preview + - text: OneFuzz service + url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/ - - title: Cloud security - imageSrc: /media/common/i_cloud-security.svg - links: - - url: /mem/intune/protect/security-baselines - text: Security baselines with Intune 
- - url: /windows/deployment/windows-autopatch - text: Windows Autopatch - - url: /windows/deployment/windows-autopilot - text: Windows Autopilot - - url: /universal-print - text: Universal Print - - url: /windows/client-management/mdm/remotewipe-csp - text: Remote wipe - - url: /windows/security/cloud-security - text: Learn more about cloud security > - -additionalContent: - sections: - - title: More Windows resources - items: - - - title: Windows Server - links: - - text: Windows Server documentation - url: /windows-server - - text: What's new in Windows Server 2022? - url: /windows-server/get-started/whats-new-in-windows-server-2022 - - text: Windows Server blog - url: https://cloudblogs.microsoft.com/windowsserver/ - - - title: Windows product site and blogs - links: - - text: Find out how Windows enables your business to do more - url: https://www.microsoft.com/microsoft-365/windows - - text: Windows blogs - url: https://blogs.windows.com/ - - text: Windows IT Pro blog - url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog - - text: Microsoft Intune blog - url: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/bg-p/MicrosoftEndpointManagerBlog - - text: "Windows help & learning: end-user documentation" - url: https://support.microsoft.com/windows - - - title: Participate in the community - links: - - text: Windows community - url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10 - - text: Microsoft Intune community - url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune - - text: Microsoft Support community - url: https://answers.microsoft.com/windows/forum \ No newline at end of file + - title: Learn about cloud security + linkLists: + - linkListType: overview + links: + - text: Security baselines with Intune + url: /mem/intune/protect/security-baselines + - text: Windows Autopatch + url: /windows/deployment/windows-autopatch + - text: Windows Autopilot + url: 
/windows/deployment/windows-autopilot + - text: Universal Print + url: /universal-print + - text: Remote wipe + url: /windows/client-management/mdm/remotewipe-csp \ No newline at end of file From 53f2c8f8145f97f9094529c414e34f657f5044b6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 12 Mar 2024 09:07:47 -0400 Subject: [PATCH 04/11] Update links in index.yml for Windows security --- windows/security/index.yml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 2ebd57c1ef..bc492de09f 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -21,7 +21,7 @@ landingContent: linkLists: - linkListType: overview links: - - text: Trusted Platform Module + - text: Trusted Platform Module (TPM) url: /windows/security/hardware-security/tpm/trusted-platform-module-overview - text: Microsoft Pluton url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor 
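Review bot: in the "Learn about hardware security" link list that PATCH 03/11 introduces and this hunk edits, the URLs for Windows Defender System Guard and Virtualization-based security (VBS) are swapped relative to the productDirectory entries that 03/11 removed. System Guard now points at /windows-hardware/design/device-experiences/oem-vbs and VBS at /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows; the removed entries had them the other way round, so restore that pairing. 03/11 also adds the whole hardware security block a second time after "Learn about OS security", which means the "(TPM)" rename here reaches only the first copy. Drop the duplicate in the commit that introduces it rather than later in 05/11.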
@@ -42,10 +42,30 @@ landingContent: url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center - text: BitLocker url: /windows/security/operating-system-security/data-protection/bitlocker/ + - text: Personal Data Encryption (PDE) + url: /windows/security/operating-system-security/data-protection/personal-data-encryption - text: Windows security baselines url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines - text: Microsoft Defender SmartScreen url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ + - text: Windows Firewall + url: /windows/security/operating-system-security/network-security/windows-firewall/ + - linkListType: architecture + links: + - text: BitLocker planning guide + url: /windows/security/operating-system-security/data-protection/bitlocker/planning-guide + - linkListType: how-to-guide + links: + - text: Configure BitLocker + url: /windows/security/operating-system-security/data-protection/bitlocker/configure + - text: Configure PDE + url: /windows/security/operating-system-security/data-protection/personal-data-encryption/configure + - linkListType: whats-new + links: + - text: Hyper-V firewall + url: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall + + - title: Learn about hardware security linkLists: From 9e7be4cb49b69961fab0e5d4beb6663ba03f8c02 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 12 Mar 2024 09:27:29 -0400 Subject: [PATCH 05/11] Update links for identity protection and add new links for passwordless strategy and FIDO2 security keys --- windows/security/index.yml | 51 ++++++++++++++++++++++++-------------- 1 file changed, 32 insertions(+), 19 deletions(-) 
diff --git a/windows/security/index.yml b/windows/security/index.yml index bc492de09f..1d95b08ba2 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml 
@@ -65,37 +65,38 @@ landingContent: - text: Hyper-V firewall url: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall - - - - title: Learn about hardware security - linkLists: - - linkListType: overview - links: - - text: Trusted Platform Module - url: /windows/security/hardware-security/tpm/trusted-platform-module-overview - - text: Microsoft Pluton - url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor - - text: Windows Defender System Guard - url: /windows-hardware/design/device-experiences/oem-vbs - - text: Virtualization-based security (VBS) - url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows - - text: Secured-core PC - url: /windows-hardware/design/device-experiences/oem-highly-secure-11 - - title: Learn about identity protection linkLists: - linkListType: overview links: + - text: Passwordless strategy + url: /windows/security/identity-protection/passwordless-strategy - text: Windows Hello for Business url: /windows/security/identity-protection/hello-for-business - text: Windows passwordless experience url: /windows/security/identity-protection/passwordless-experience - text: Web sign-in for Windows url: /windows/security/identity-protection/web-sign-in - - text: Support for passkeys in Windows + - text: Passkeys url: /windows/security/identity-protection/passkeys + - text: FIDO2 security keys + url: /azure/active-directory/authentication/howto-authentication-passwordless-security-key - text: Enhanced phishing protection with SmartScreen url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection + - linkListType: how-to-guide + links: + - text: Configure PIN reset + url: /windows/security/identity-protection/hello-for-business/pin-reset + - text: RDP sign-in with Windows Hello for Business + url: /windows/security/identity-protection/hello-for-business/rdp-sign-in 
+ - linkListType: architecture + links: + - text: Plan a Windows Hello for Business deployment + url: /windows/security/identity-protection/hello-for-business/deploy/ + - linkListType: deploy + links: + - text: Cloud Kerberos trust deployment guide + url: /windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust - title: Learn about application security linkLists: @@ -111,12 +112,18 @@ landingContent: url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview - text: Windows Sandbox url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview + - linkListType: how-to-guide + links: + - text: Configure Windows Sandbox + url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file - title: Learn about security foundations linkLists: - linkListType: overview links: - - text: FIPS 140-2 validation + - text: Zero trust + url: /windows/security/security-foundations/zero-trust-windows-device-health + - text: FIPS 140 validation url: /windows/security/security-foundations/certification/fips-140-validation - text: Common Criteria Certifications url: /windows/security/security-foundations/certification/windows-platform-common-criteria @@ -126,6 +133,12 @@ landingContent: url: https://www.microsoft.com/msrc/bounty-windows-insider-preview - text: OneFuzz service url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/ + - linkListType: whats-new + links: + - text: Completed FIPS validations - Windows 11 + url: windows/security/security-foundations/certification/validations/fips-140-windows11 + - text: Completed CC certifications - Windows 11 + url: /windows/security/security-foundations/certification/validations/cc-windows11 - title: Learn about cloud security linkLists: 
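Review bot: in the last hunk of PATCH 05/11 (@@ -126,6 +133,12 @@), the new "Completed FIPS validations - Windows 11" entry has `url: windows/security/security-foundations/certification/validations/fips-140-windows11` with no leading slash, while the "Completed CC certifications - Windows 11" entry added next to it, and every other site-relative URL in the file, starts with "/". As written it is a relative path and will not resolve like its siblings. Add the leading slash in this commit; 07/11 exists only to correct this one character and could then be dropped from the series.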
From e12737e46aa5a1d0c7d2f61f263b6ddf746a3c71 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 12 Mar 2024 09:32:13 -0400 Subject: [PATCH 06/11] Update Windows security documentation --- windows/security/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 1d95b08ba2..8f9f85d43b 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing -title: Windows client security documentation -summary: Learn how to secure Windows clients for your organization. +title: Windows security documentation +summary: Windows is designed with zero-trust principles at its core, offering powerful security from chip to cloud. As organizations embrace hybrid work environments, the need for robust security solutions becomes paramount. Windows integrates advanced hardware and software protection, ensuring data integrity and access control across devices. Learn about the different security features included in Windows. metadata: ms.topic: landing-page From c5ebf8469623e8a4808c528cf69962e5be017eaa Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 12 Mar 2024 09:33:55 -0400 Subject: [PATCH 07/11] Fix broken URLs in security index.yml --- windows/security/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 8f9f85d43b..afb32d0f77 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml 
@@ -136,7 +136,7 @@ landingContent: - linkListType: whats-new links: - text: Completed FIPS validations - Windows 11 - url: windows/security/security-foundations/certification/validations/fips-140-windows11 + url: /windows/security/security-foundations/certification/validations/fips-140-windows11 - text: Completed CC certifications - Windows 11 url: /windows/security/security-foundations/certification/validations/cc-windows11 From fcee364dc4c2c0e583aed94e8dac44b18521cebb Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 12 Mar 2024 11:58:07 -0400 Subject: [PATCH 08/11] Freshness review for Windows Security Identity Protection content. --- .../enterprise-certificate-pinning.md | 24 +++++++++---------- .../hello-for-business/deploy/cloud-only.md | 6 ++--- .../deploy/hybrid-cert-trust-adfs.md | 4 ++-- .../deploy/hybrid-cert-trust-enroll.md | 2 +- .../deploy/hybrid-cert-trust-pki.md | 2 +- .../deploy/hybrid-cert-trust.md | 4 ++-- .../deploy/hybrid-cloud-kerberos-trust.md | 2 +- .../deploy/hybrid-key-trust-enroll.md | 2 +- .../deploy/hybrid-key-trust.md | 2 +- .../hello-for-business/deploy/index.md | 4 ++-- .../deploy/on-premises-cert-trust-adfs.md | 2 +- .../deploy/on-premises-cert-trust-enroll.md | 2 +- .../deploy/on-premises-cert-trust.md | 2 +- .../deploy/on-premises-key-trust-adfs.md | 2 +- .../deploy/on-premises-key-trust-enroll.md | 2 +- .../deploy/on-premises-key-trust.md | 2 +- .../deploy/prepare-users.md | 2 +- .../hello-deployment-issues.md | 2 +- .../hello-errors-during-pin-creation.md | 2 +- ...on-of-emulated-smart-card-for-all-users.md | 2 +- .../configure-device-unlock-factors.md | 2 +- .../configure-dynamic-lock-factors.md | 2 +- .../configure-enhanced-anti-spoofing.md | 2 +- .../enable-ess-with-supported-peripherals.md | 2 +- .../hello-for-business/includes/expiration.md | 2 +- .../hello-for-business/includes/history.md | 2 +- .../includes/maximum-pin-length.md | 2 +- .../includes/minimum-pin-length.md | 2 +- .../includes/require-digits.md | 2 +- .../includes/require-lowercase-letters.md | 2 +- .../includes/require-special-characters.md | 2 +- .../includes/require-uppercase-letters.md | 2 +- .../includes/turn-off-smart-card-emulation.md | 2 +- .../use-a-hardware-security-device.md | 2 +- .../includes/use-biometrics.md | 2 +- ...tificate-for-on-premises-authentication.md | 2 +- ...ud-trust-for-on-premises-authentication.md | 2 +- .../includes/use-pin-recovery.md | 2 +- 
...certificates-as-smart-card-certificates.md | 2 +- .../use-windows-hello-for-business.md | 2 +- windows/security/identity-protection/index.md | 2 +- .../passwordless-experience/index.md | 6 ++--- .../remote-credential-guard.md | 2 +- .../identity-protection/web-sign-in/index.md | 12 +++++----- 44 files changed, 67 insertions(+), 67 deletions(-) diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md index e384f47efe..55551c53ca 100644 --- a/windows/security/identity-protection/enterprise-certificate-pinning.md +++ b/windows/security/identity-protection/enterprise-certificate-pinning.md @@ -2,7 +2,7 @@ title: Enterprise certificate pinning description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name. ms.topic: concept-article -ms.date: 05/24/2023 +ms.date: 03/12/2024 --- # Enterprise certificate pinning overview @@ -29,7 +29,7 @@ To deploy enterprise certificate pinning, you need to: - Apply the pin rules certificate trust list file to a reference administrative computer - Deploy the registry configuration on the reference computer via group policy -### Create a pin rules XML file +### Create a pin rules XML file The XML-based pin rules file consists of a sequence of PinRule elements. Each PinRule element contains a sequence of one or more Site elements and a sequence of zero or more Certificate elements. 
@@ -61,12 +61,12 @@ Each PinRule element contains a sequence of one or more Site elements and a sequ #### PinRules element The PinRules element can have the following attributes. -For help with formatting Pin Rules, see [Represent a date in XML](#represent-a-date-in-xml) or [Represent a duration in XML](#represent-a-duration-in-xml). +For help with formatting Pin Rules, see [Represent a date in XML](#represent-a-date-in-xml) or [Represent a duration in XML](#represent-a-duration-in-xml). | Attribute | Description | Required | |-----------|-------------|----------| | **Duration** or **NextUpdate** | Specifies when the Pin Rules expires. Either is required. **NextUpdate** takes precedence if both are specified.
**Duration**, represented as an XML TimeSpan data type, doesn't allow years and months. You represent the **NextUpdate** attribute as an XML DateTime data type in UTC. | **Required?** Yes. At least one is required. | -| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
You represent **LogDuration** as an XML TimeSpan data type, which doesn't allow years and months.
If `none of the attributes are specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. | +| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
You represent **LogDuration** as an XML TimeSpan data type, which doesn't allow years and months.
If `none of the attributes are specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. | | **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows doesn't use this attribute for certificate pinning enforcement; however, it's included when the pin rules are converted to a certificate trust list (CTL). | No. | #### PinRule element @@ -86,7 +86,7 @@ The **Certificate** element can have the following attributes. | Attribute | Description | Required | |-----------|-------------|----------| | **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory, or Base64 must be present). | -| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory, or Base64 must be present). | +| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory, or Base64 must be present). | | **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
This allows the certificates to be included in the XML file without a file directory dependency.
Note:
You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory, or Base64 must be present). | | **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element's certificates.
If the current time is past the **EndDate**, when creating the certificate trust list (CTL) the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Represent a date in XML](#represent-a-date-in-xml).| No.| @@ -138,8 +138,8 @@ certutil -generatePinRulesCTL certPinRules.xml pinrules.stl ### Apply certificate pinning rules to a reference computer -Now that your certificate pinning rules are in the certificate trust list format, you need to apply the settings to a reference computer as a prerequisite to deploying the setting to your enterprise. -To simplify the deployment configuration, it's best to apply your certificate pinning rules to a computer that has the Group Policy Management Console (GPMC) included in the Remote Server Administration Tools (RSAT). +Now that your certificate pinning rules are in the certificate trust list format, you need to apply the settings to a reference computer as a prerequisite to deploying the setting to your enterprise. +To simplify the deployment configuration, it's best to apply your certificate pinning rules to a computer that has the Group Policy Management Console (GPMC) included in the Remote Server Administration Tools (RSAT). Use *certutil.exe* to apply your certificate pinning rules to your reference computer using the *setreg* argument.\ The *setreg* argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules.\ @@ -148,7 +148,7 @@ The last argument you provide is the name of file that contains your certificate You pass the name of the file as the last argument. You must prefix the file name with the `@` symbol as in the following example: ```cmd -Certutil -setreg chain\PinRules @pinrules.stl +Certutil -setreg chain\PinRules @pinrules.stl ``` > [!NOTE] 
@@ -215,7 +215,7 @@ You can run the following commands from an elevated command prompt to achieve th set PinRulesLogDir=c:\PinRulesLog mkdir %PinRulesLogDir% icacls %PinRulesLogDir% /grant *S-1-15-2-1:(OI)(CI)(F) -icacls %PinRulesLogDir% /grant *S-1-1-0:(OI)(CI)(F) +icacls %PinRulesLogDir% /grant *S-1-1-0:(OI)(CI)(F) icacls %PinRulesLogDir% /grant *S-1-5-12:(OI)(CI)(F) icacls %PinRulesLogDir% /inheritance:e /setintegritylevel (OI)(CI)L ``` @@ -233,7 +233,7 @@ For example: - `DE28F4A4_www.yammer.com.p7b` If there's either an enterprise certificate pin rule or a Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder. -If the pin rules have expired, then Windows writes the .p7b to the **ExpiredPinRules** child folder. +If the pin rules have expired, then Windows writes the .p7b to the **ExpiredPinRules** child folder. ## Represent a date in XML @@ -244,7 +244,7 @@ You can then copy and paste the output of the cmdlet into the XML file. ![Representing a date.](images/enterprise-certificate-pinning-representing-a-date.png) -For simplicity, you can truncate decimal point (.) and the numbers after it. +For simplicity, you can truncate decimal point (.) and the numbers after it. However, be certain to append the uppercase "Z" to the end of the XML date string. ```cmd @@ -268,7 +268,7 @@ You can use Windows PowerShell to properly format and validate durations (timesp ## Convert an XML duration -You can convert an XML formatted timespan into a timespan variable that you can read. +You can convert an XML formatted timespan into a timespan variable that you can read. ![Converting an XML duration.](images/enterprise-certificate-pinning-converting-a-duration.png) diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md index 475b2dc597..d7e4822aaa 100644 
--- a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md +++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md @@ -1,8 +1,8 @@ --- title: Windows Hello for Business cloud-only deployment guide description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario. -ms.date: 01/03/2024 -ms.topic: how-to +ms.date: 03/12/2024 +ms.topic: tutorial --- # Cloud-only deployment guide @@ -32,7 +32,7 @@ When you Microsoft Entra join a device, the system attempts to automatically enr Cloud-only deployments use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no other MFA configuration needed. If you aren't already registered in MFA, you're guided through the MFA registration as part of the Windows Hello for Business enrollment process. -Policy settings can be configured to control the behavior of Windows Hello for Business, via configuration service provider (CSP) or group policy (GPO). In cloud-only deployments, devices are +Policy settings can be configured to control the behavior of Windows Hello for Business, via configuration service provider (CSP) or group policy (GPO). In cloud-only deployments, devices are typically configured via an MDM solution like Microsoft Intune, using the [PassportForWork CSP][WIN-1]. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md index 447f1f5c55..94167d36b9 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md 
@@ -1,7 +1,7 @@ --- title: Configure Active Directory Federation Services in a hybrid certificate trust model description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business hybrid certificate trust model. -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: tutorial --- @@ -21,7 +21,7 @@ The CRA enrolls for an *enrollment agent certificate*, and the Windows Hello for Sign-in the AD FS server with *domain administrator* equivalent credentials. Open a **Windows PowerShell** prompt and type the following command: - + ```PowerShell Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true ``` diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md index 2bc061e33b..2891e83911 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md @@ -1,7 +1,7 @@ --- title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario. -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md index 85dd13860f..35d1ff0083 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md 
@@ -1,7 +1,7 @@ --- title: Configure and validate the PKI in an hybrid certificate trust model description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model. -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md index 3fcb86b928..58e8cc3e3d 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business hybrid certificate trust deployment guide description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario. -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: tutorial --- @@ -28,7 +28,7 @@ ms.topic: tutorial > Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: > > - [Configure and validate the Public Key Infrastructure](hybrid-cert-trust-pki.md) -> - [Configure Active Directory Federation Services](hybrid-cert-trust-adfs.md) +> - [Configure Active Directory Federation Services](hybrid-cert-trust-adfs.md) > - [Configure and enroll in Windows Hello for Business](hybrid-cert-trust-enroll.md) > - (optional) [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md index 1c67b375b7..9af88ba3bf 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md 
@@ -1,7 +1,7 @@ --- title: Windows Hello for Business cloud Kerberos trust deployment guide description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario. -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md index a1686099b6..62f5d4401e 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md @@ -1,7 +1,7 @@ --- title: Configure and enroll in Windows Hello for Business in a hybrid key trust model description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario. -ms.date: 12/29/2023 +ms.date: 03/12/2024 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md index e5a08f2117..1702fec969 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business hybrid key trust deployment guide description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario. -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md index 061c4a62e1..2658692d35 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/index.md +++ b/windows/security/identity-protection/hello-for-business/deploy/index.md 
@@ -1,8 +1,8 @@ --- title: Plan a Windows Hello for Business Deployment description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. -ms.date: 01/02/2024 -ms.topic: overview +ms.date: 03/12/2024 +ms.topic: concept-article --- # Plan a Windows Hello for Business deployment diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md index 335e4d5cb6..aef4f4fe35 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md @@ -1,7 +1,7 @@ --- title: Configure Active Directory Federation Services in an on-premises certificate trust model description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model. -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md index 045a6ba24c..f856919e78 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md @@ -1,5 +1,5 @@ --- -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: tutorial title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md index 6bd1a94800..92ee0befff 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business on-premises certificate trust deployment guide description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario. -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md index 12685b46eb..8621f73740 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md @@ -1,7 +1,7 @@ --- title: Configure Active Directory Federation Services in an on-premises key trust model description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model. -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md index 442ead237c..34f55f78f3 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md 
@@ -1,5 +1,5 @@ --- -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: tutorial title: Configure Windows Hello for Business Policy settings in an on-premises key trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md index a5a2281196..0b7ef9d9a3 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business on-premises key trust deployment guide description: Learn how to deploy Windows Hello for Business in an on-premises, key trust scenario. -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md index 9dbdfc8a07..0aeded8941 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md +++ b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md @@ -1,7 +1,7 @@ --- title: Prepare users to provision and use Windows Hello for Business description: Learn how to prepare users to enroll and to use Windows Hello for Business. -ms.date: 01/02/2024 +ms.date: 03/12/2024 ms.topic: end-user-help --- diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index a1df8320f4..f2f8fca79a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business known deployment issues description: This article is a troubleshooting guide for known Windows Hello for Business deployment issues. -ms.date: 06/02/2023 +ms.date: 03/12/2024 ms.topic: troubleshooting --- diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 2c3b021381..4094dc96ad 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -2,7 +2,7 @@ title: Windows Hello errors during PIN creation description: When you set up Windows Hello, you may get an error during the Create a work PIN step. ms.topic: troubleshooting -ms.date: 01/26/2024 +ms.date: 03/12/2024 --- # Windows Hello errors during PIN creation diff --git a/windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md b/windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md index 9157046e94..52db564aea 100644 --- a/windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md +++ b/windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md b/windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md index 23a614db9d..47e1022638 100644 
--- a/windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md +++ b/windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md b/windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md index 4cd7b376f1..1b5068c34f 100644 --- a/windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md +++ b/windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md b/windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md index 057da41f74..5256533b74 100644 --- a/windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md +++ b/windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md b/windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md index d5308cbb87..95e830989d 100644 --- a/windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md 
+++ b/windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/expiration.md b/windows/security/identity-protection/hello-for-business/includes/expiration.md index 6d5e71de6c..f73356aa04 100644 --- a/windows/security/identity-protection/hello-for-business/includes/expiration.md +++ b/windows/security/identity-protection/hello-for-business/includes/expiration.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/history.md b/windows/security/identity-protection/hello-for-business/includes/history.md index f172d6e9f6..3aad27181a 100644 --- a/windows/security/identity-protection/hello-for-business/includes/history.md +++ b/windows/security/identity-protection/hello-for-business/includes/history.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md b/windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md index 9ab86cb5f7..552a814af0 100644 --- a/windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md +++ b/windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md b/windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md index ba9b806c2b..6af211532d 100644 
--- a/windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md +++ b/windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/require-digits.md b/windows/security/identity-protection/hello-for-business/includes/require-digits.md index e2ca5a2621..148606301d 100644 --- a/windows/security/identity-protection/hello-for-business/includes/require-digits.md +++ b/windows/security/identity-protection/hello-for-business/includes/require-digits.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md b/windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md index b84ed743ee..6548a94ede 100644 --- a/windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md +++ b/windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/require-special-characters.md b/windows/security/identity-protection/hello-for-business/includes/require-special-characters.md index deeb7f56e4..944b7caa4f 100644 --- a/windows/security/identity-protection/hello-for-business/includes/require-special-characters.md +++ b/windows/security/identity-protection/hello-for-business/includes/require-special-characters.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- 
diff --git a/windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md b/windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md index b90cda9fa3..cd988bb6f7 100644 --- a/windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md +++ b/windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md b/windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md index 502e1d18f1..8491027950 100644 --- a/windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md +++ b/windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md b/windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md index 3dfb45f8ba..018d2f1834 100644 --- a/windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md +++ b/windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/use-biometrics.md b/windows/security/identity-protection/hello-for-business/includes/use-biometrics.md index 761017763f..e21ef5fc23 100644 
--- a/windows/security/identity-protection/hello-for-business/includes/use-biometrics.md +++ b/windows/security/identity-protection/hello-for-business/includes/use-biometrics.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md b/windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md index 78c1064fbe..4b7546777c 100644 --- a/windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md +++ b/windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md b/windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md index 77b3878741..03e75dd008 100644 --- a/windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md +++ b/windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md b/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md index 8f28f8f8d1..fad4f27fef 100644 --- a/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md 
+++ b/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md index 2d3b0707f3..d57a3d459a 100644 --- a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md +++ b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md index 9278bcd9ef..3836251029 100644 --- a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md +++ b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 01/03/2024 +ms.date: 03/12/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md index c624632fcc..b9dc9037e7 100644 --- a/windows/security/identity-protection/index.md +++ b/windows/security/identity-protection/index.md 
@@ -2,7 +2,7 @@ title: Windows identity protection description: Learn more about identity protection technologies in Windows. ms.topic: overview -ms.date: 07/27/2023 +ms.date: 03/12/2024 --- # Windows identity protection diff --git a/windows/security/identity-protection/passwordless-experience/index.md b/windows/security/identity-protection/passwordless-experience/index.md index 37dc49c775..2301f86f81 100644 --- a/windows/security/identity-protection/passwordless-experience/index.md +++ b/windows/security/identity-protection/passwordless-experience/index.md @@ -1,9 +1,9 @@ --- title: Windows passwordless experience description: Learn how Windows passwordless experience enables your organization to move away from passwords. -ms.collection: +ms.collection: - tier1 -ms.date: 09/27/2023 +ms.date: 03/12/2024 ms.topic: how-to appliesto: - ✅ Windows 11 @@ -19,7 +19,7 @@ With Windows passwordless experience, users who sign in with Windows Hello or a - Can't use the password credential provider on the Windows lock screen - Aren't prompted to use a password during in-session authentications (for example, UAC elevation, password manager in the browser, etc.) - Don't have the option *Accounts > Change password* in the Settings app - + >[!NOTE] >Users can reset their password using CTRL+ALT+DEL > **Manage your account** diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index dc9d66ddbd..4461530e2b 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -2,7 +2,7 @@ title: Remote Credential Guard description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device. ms.topic: how-to -ms.date: 12/08/2023 +ms.date: 03/12/2024 appliesto: - ✅ Windows 11 - ✅ Windows 10 
diff --git a/windows/security/identity-protection/web-sign-in/index.md b/windows/security/identity-protection/web-sign-in/index.md index f4d5ddb8ce..611d67876f 100644 --- a/windows/security/identity-protection/web-sign-in/index.md +++ b/windows/security/identity-protection/web-sign-in/index.md @@ -1,7 +1,7 @@ --- title: Web sign-in for Windows description: Learn how Web sign-in in Windows works, key scenarios, and how to configure it. -ms.date: 12/11/2023 +ms.date: 03/12/2023 ms.topic: how-to appliesto: - ✅ Windows 11 @@ -11,8 +11,8 @@ ms.collection: # Web sign-in for Windows -Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities. -This feature is called *Web sign-in*. +Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can enable a web-based sign-in experience on Microsoft Entra joined devices. +This feature is called *Web sign-in*, and it unlocks new sign-in options and capabilities. Web sign-in is a *credential provider*, and it was initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in are expanded.\ For example, you can sign in with the Microsoft Authenticator app or with a SAML-P federated identity. 
@@ -21,11 +21,11 @@ This article describes how to configure Web sign-in and the supported key scenar ## System requirements -To use web sign-in, the clients must meet the following prerequisites: +Here are the prerequisites for using Web sign-in: - Windows 11, version 22H2 with [5030310][KB-1], or later -- Must be [Microsoft Entra joined](/entra/identity/devices/concept-directory-join) -- Must have Internet connectivity, as the authentication is done over the Internet +- [Microsoft Entra joined](/entra/identity/devices/concept-directory-join) +- Internet connectivity, as the authentication is done over the Internet > [!IMPORTANT] > Web sign-in is not supported for Microsoft Entra hybrid joined or domain joined devices. From f9520b845f654b4cfc999716aa60bc26fbfbe094 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 12 Mar 2024 12:05:21 -0400 Subject: [PATCH 09/11] Update ms.date in identity-protection files --- .../hello-errors-during-pin-creation.md | 46 +++++++++---------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 4094dc96ad..5d189e1746 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
@@ -7,7 +7,7 @@ ms.date: 03/12/2024 # Windows Hello errors during PIN creation -When you set up Windows Hello in Windows client, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. +When you set up Windows Hello in Windows client, you may get an error during the **Create a PIN** step. This article lists some of the error codes with recommendations for mitigating the problem. If you get an error code that isn't listed here, contact Microsoft Support. ## Where is the error code? 
@@ -24,41 +24,41 @@ When a user encounters an error when creating the work PIN, advise the user to t 3. Reboot the device and then try to create the PIN again. 4. Unjoin the device from Microsoft Entra ID, rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings > System > About > Disconnect from organization**. -If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance. +If the error occurs again, check the error code against the following table to see if there's another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance. | Hex | Cause | Mitigation | | :--------- | :----------------------------------------------------------------- | :------------------------------------------ | | 0x80090005 | NTE_BAD_DATA | Unjoin the device from Microsoft Entra ID and rejoin. | | 0x8009000F | The container or key already exists. | Unjoin the device from Microsoft Entra ID and rejoin. | -| 0x80090011 | The container or key was not found. | Unjoin the device from Microsoft Entra ID and rejoin. | -| 0x80090029 | TPM is not set up. | Sign on with an administrator account. Select **Start**, type `tpm.msc`, and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. | +| 0x80090011 | The container or key wasn't found. | Unjoin the device from Microsoft Entra ID and rejoin. | +| 0x80090029 | TPM isn't set up. | Sign on with an administrator account. Select **Start**, type `tpm.msc`, and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. | | 0x8009002A | NTE_NO_MEMORY | Close programs which are taking up memory and try again. | | 0x80090031 | NTE_AUTHENTICATION_IGNORED | Reboot the device. 
If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). | -| 0x80090035 | Policy requires TPM and the device does not have TPM. | Change the Windows Hello for Business policy to not require a TPM. | -| 0x80090036 | User canceled an interactive dialog. | User will be asked to try again. | -| 0x801C0003 | User is not authorized to enroll. | Check if the user has permission to perform the operation​. | +| 0x80090035 | Policy requires TPM and the device doesn't have TPM. | Change the Windows Hello for Business policy to not require a TPM. | +| 0x80090036 | User canceled an interactive dialog. | User is asked to try again. | +| 0x801C0003 | User isn't authorized to enroll. | Check if the user has permission to perform the operation​. | | 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). | | 0x801C000F | Operation successful, but the device requires a reboot. | Reboot the device. | -| 0x801C0010 | The AIK certificate is not valid or trusted. | Sign out and then sign in again. | +| 0x801C0010 | The AIK certificate isn't valid or trusted. | Sign out and then sign in again. | | 0x801C0011 | The attestation statement of the transport key is invalid. | Sign out and then sign in again. | -| 0x801C0012 | Discovery request is not in a valid format. | Sign out and then sign in again. | +| 0x801C0012 | Discovery request isn't in a valid format. | Sign out and then sign in again. | | 0x801C0015 | The device is required to be joined to an Active Directory domain. | Join the device to an Active Directory domain. 
| -| 0x801C0016 | The federation provider configuration is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. | -| 0x801C0017 | The federation provider domain is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. | +| 0x801C0016 | The federation provider configuration is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file isn't empty. | +| 0x801C0017 | The federation provider domain is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element isn't empty. | | 0x801C0018 | The federation provider client configuration URL is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. | | 0x801C03E9 | Server response message is invalid | Sign out and then sign in again. | | 0x801C03EA | Server failed to authorize user or device. | Check if the token is valid and user has permission to register Windows Hello for Business keys. | -| 0x801C03EB | Server response http status is not valid | Sign out and then sign in again. | +| 0x801C03EB | Server response http status isn't valid | Sign out and then sign in again. | | 0x801C03EC | Unhandled exception from server. | sign out and then sign in again. | -| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed.

-or-

Token was not found in the Authorization header.

-or-

Failed to read one or more objects.

-or-

The request sent to the server was invalid.

-or-

User does not have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings. +| 0x801C03ED | Multifactor authentication is required for a 'ProvisionKey' operation, but wasn't performed.

-or-

Token wasn't found in the Authorization header.

-or-

Failed to read one or more objects.

-or-

The request sent to the server was invalid.

-or-

User doesn't have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings. | 0x801C03EE | Attestation failed. | Sign out and then sign in again. | | 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. | | 0x801C03F2 | Windows Hello key registration failed. | ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address. -| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Microsoft Entra ID and rejoin. | +| 0x801C044D | Authorization token doesn't contain device ID. | Unjoin the device from Microsoft Entra ID and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | | 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.| -| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client cannot verify the KDC certificate CRL. Use a different login method.| +| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the sign in method. Most often the KDC service doesn't have the proper certificate to support the sign in. 
Another common cause can be the client can't verify the KDC certificate CRL. Use a different login method.| ## Errors with unknown mitigation 
@@ -73,18 +73,18 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0x80090020 | NTE_FAIL | | 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. | | 0x8009002D | NTE_INTERNAL_ERROR | -| 0x801C0001 | ADRS server response is not in a valid format. | +| 0x801C0001 | ADRS server response isn't in a valid format. | | 0x801C0002 | Server failed to authenticate the user. | | 0x801C0006 | Unhandled exception from server. | -| 0x801C000B | Redirection is needed and redirected location is not a well known server. | +| 0x801C000B | Redirection is needed and redirected location isn't a well known server. | | 0x801C000C | Discovery failed. | -| 0x801C0013 | Tenant ID is not found in the token. | -| 0x801C0014 | User SID is not found in the token. | +| 0x801C0013 | Tenant ID isn't found in the token. | +| 0x801C0014 | User SID isn't found in the token. | | 0x801C0019 | ​The federation provider client configuration is empty | | 0x801C001A | The DRS endpoint in the federation provider client configuration is empty. | -| 0x801C001B | ​The device certificate is not found. | -| 0x801C03F0 | ​There is no key registered for the user. | -| 0x801C03F1 | ​There is no UPN in the token. | -| ​0x801C044C | There is no core window for the current thread. | +| 0x801C001B | ​The device certificate isn't found. | +| 0x801C03F0 | ​There's no key registered for the user. | +| 0x801C03F1 | ​There's no UPN in the token. | +| ​0x801C044C | There's no core window for the current thread. | | 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Microsoft Entra token for provisioning. Unable to enroll a device to use a PIN for login. | | 0xCAA30193 | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. | From 592d61f9a94087039be7f7826767c27459ab33de Mon Sep 17 00:00:00 2001 
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 12 Mar 2024 12:10:12 -0700 Subject: [PATCH 10/11] remove test row --- windows/deployment/update/wufb-reports-schema-ucclient.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md index b4c113ef71..020719d053 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclient.md +++ b/windows/deployment/update/wufb-reports-schema-ucclient.md @@ -11,7 +11,7 @@ manager: aaroncz appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 12/06/2023 +ms.date: 03/12/2024 --- # UCClient 
@@ -35,7 +35,6 @@ UCClient acts as an individual device's record. It contains data such as the cur | **IsVirtual** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | No | `Yes, No` | Whether device is a virtual device. | | **LastCensusScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. | | **LastWUScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The last time this device performed a successful Windows Update scan, if any. | -| **NewTest_CF [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. | | **OSArchitecture** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `x86` | The architecture of the operating system (not the device) this device is currently on. | | **OSBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.22621.1702` | The full operating system build installed on this device, such as Major.Minor.Build.Revision | | **OSBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | No | `22621` | The major build number, in int format, the device is using. | From da6497c8cbb1dd95862ee18fb3bc884c4932f116 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 12 Mar 2024 12:15:56 -0700 Subject: [PATCH 11/11] remove test row --- .../update/wufb-reports-schema-ucclient.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md index 020719d053..993c45e682 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclient.md +++ b/windows/deployment/update/wufb-reports-schema-ucclient.md 
@@ -61,18 +61,18 @@ UCClient acts as an individual device's record. It contains data such as the cur | **WUAutomaticUpdates** | | No | | Currently, data isn't gathered to populate this field. Manage automatic update behavior to scan, download, and install updates. | | **WUDeadlineNoAutoRestart** | | No | | Currently, data isn't gathered to populate this field. Devices won't automatically restart outside of active hours until the deadline is reached - It's 1 by default and indicates enabled, 0 indicates disabled | | **WUDODownloadMode** | | No | | Currently, data isn't gathered to populate this field. The Windows Update DO DownloadMode configuration. | -| **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The Windows Update feature update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. | -| **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: DeferFeatureUpdates. The Windows Update feature update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the policy setting. | -| **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. | -| **WUFeaturePauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update feature update pause will end, if activated, else null. | +| **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The feature update deadline configuration in days. 
-1 indicates not configured. 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. | +| **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: DeferFeatureUpdates. The feature update deferral configuration in days. -1 indicates not configured. 0 indicates configured but set to 0. Values > 0 indicate the policy setting. | +| **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured. 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. | +| **WUFeaturePauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update feature update pause ends, if activated, else null. | | **WUFeaturePauseStartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update feature update pause was activated, if activated, else null. Feature updates are paused for 35 days from the specified start date. | | **WUFeaturePauseState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `NotConfigured` | Indicates pause status of device for feature updates. Possible values are Paused, NotPaused, NotConfigured. | -| **WUNotificationLevel** | | No | | Currently, data isn't gathered to populate this field. This policy allows you to define what Windows Update notifications users see. 0 (default) - Use the default Windows Update notifications. 1 - Turn off all notifications, excluding restart warnings. 2 - Turn off all notifications, including restart warnings | +| **WUNotificationLevel** | | No | | Currently, data isn't gathered to populate this field. 
This policy allows you to define what Windows Update notifications users see. 0 (default) - Use the default Windows Update notifications. 1 - Turn off all notifications, excluding restart warnings. 2 - Turn off all notifications, including restart warnings | | **WUPauseUXDisabled** | | No | | Currently, data isn't gathered to populate this field. This policy allows the IT admin to disable the Pause Updates feature. When this policy is enabled, the user can't access the Pause updates' feature. Supported values 0, 1. | -| **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. | -| **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values greater than 0 indicate the policy setting. | -| **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | The Windows Update grace period for quality update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. | -| **WUQualityPauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update quality update pause- will end, if activated, else null. | +| **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. -1 indicates not configured. 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. 
| +| **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. -1 indicates not configured. 0 indicates configured but set to 0. Values greater than 0 indicate the policy setting. | +| **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | The Windows Update grace period for quality update in days. -1 indicates not configured. 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. | +| **WUQualityPauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time the quality update pause ends, if activated, else null. | | **WUQualityPauseStartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update quality update pause- was activated; if activated; else null. | | **WUQualityPauseState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `NotConfigured` | Indicates pause status of device for quality updates. Possible values are Paused, NotPaused, NotConfigured. | | **WURestartNotification** | | No | | Currently, data isn't gathered to populate this field. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. The following list shows the supported values: 1 (default) = Auto Dismissal. 2 - User Dismissal. |
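
Review bot: In the front-matter hunk of `windows/security/identity-protection/web-sign-in/index.md`, the new value `ms.date: 03/12/2023` is earlier than the `12/11/2023` it replaces and does not match the `03/12/2024` used by the other `ms.date` updates visible in this patch. This looks like a year typo. Suggest `ms.date: 03/12/2024`.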
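
Review bot: In the "System requirements" hunk of `web-sign-in/index.md`, the unchanged first bullet still reads `Windows 11, version 22H2 with [5030310][KB-1], or later`, so its link text drops the KB prefix that the introduction uses (`[KB5030310][KB-1]`). The list is being reworded in this hunk anyway, so suggest changing that bullet to `[KB5030310][KB-1]` in the same change.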
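
Review bot: In the error-table hunk of `hello-errors-during-pin-creation.md`, the rewritten `0x801C03ED` row still tells the reader to "unjoin the device from Azure AD and rejoin" while the same cell and the rest of the table say Microsoft Entra ID, and the row is still missing its closing `|`. In the `0xC00000BB` row, the new text says "sign in method" (the modifier form should be "sign-in method") but the closing sentence keeps "Use a different login method", so the row now mixes both terms. Suggest aligning these while the rows are being touched. The commit subject "Update ms.date in identity-protection files" also does not describe this change, which is wording only and leaves `ms.date` as context.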
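
Review bot: In the `@@ -61,18 +61,18 @@` hunk of `wufb-reports-schema-ucclient.md`, the rewording is applied unevenly across paired rows. `WUFeatureDeadlineDays` and `WUFeatureDeferralDays` now read "The feature update ... configuration", but `WUQualityDeadlineDays` keeps "The Windows update quality update deadline configuration" (lowercase "update") and `WUQualityDeferralDays` keeps "The Windows Update quality update deferral configuration". `WUQualityPauseEndTime` was cleaned up, yet the unchanged `WUQualityPauseStartTime` row still reads "pause- was activated; if activated; else null". The rows also mix "Values > 0" and "Values greater than 0". Suggest applying one wording to all of them. The subject "remove test row" repeats PATCH 10/11 and does not match this hunk, which removes no row.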