deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-8744759-store

Browse Source
This commit is contained in:
Paolo Matarazzo 2024-03-12 15:47:34 -04:00
commit 3e1dc1e2fe
47 changed files with 219 additions and 228 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
windows/deployment/update/wufb-reports-schema-ucclient.md
View File

@ -11,7 +11,7 @@ manager: aaroncz
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/06/2023 ms.date: 03/12/2024
--- ---
# UCClient # UCClient
@ -35,7 +35,6 @@ UCClient acts as an individual device's record. It contains data such as the cur
| **IsVirtual** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | No | `Yes, No` | Whether device is a virtual device. | | **IsVirtual** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | No | `Yes, No` | Whether device is a virtual device. |
| **LastCensusScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. | | **LastCensusScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. |
| **LastWUScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The last time this device performed a successful Windows Update scan, if any. | | **LastWUScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The last time this device performed a successful Windows Update scan, if any. |
| **NewTest_CF [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. |
| **OSArchitecture** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `x86` | The architecture of the operating system (not the device) this device is currently on. | | **OSArchitecture** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `x86` | The architecture of the operating system (not the device) this device is currently on. |
| **OSBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.22621.1702` | The full operating system build installed on this device, such as Major.Minor.Build.Revision | | **OSBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.22621.1702` | The full operating system build installed on this device, such as Major.Minor.Build.Revision |
| **OSBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | No | `22621` | The major build number, in int format, the device is using. | | **OSBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | No | `22621` | The major build number, in int format, the device is using. |
@ -62,18 +61,18 @@ UCClient acts as an individual device's record. It contains data such as the cur
| **WUAutomaticUpdates** | | No | | Currently, data isn't gathered to populate this field. Manage automatic update behavior to scan, download, and install updates. | | **WUAutomaticUpdates** | | No | | Currently, data isn't gathered to populate this field. Manage automatic update behavior to scan, download, and install updates. |
| **WUDeadlineNoAutoRestart** | | No | | Currently, data isn't gathered to populate this field. Devices won't automatically restart outside of active hours until the deadline is reached - It's 1 by default and indicates enabled, 0 indicates disabled | | **WUDeadlineNoAutoRestart** | | No | | Currently, data isn't gathered to populate this field. Devices won't automatically restart outside of active hours until the deadline is reached - It's 1 by default and indicates enabled, 0 indicates disabled |
| **WUDODownloadMode** | | No | | Currently, data isn't gathered to populate this field. The Windows Update DO DownloadMode configuration. | | **WUDODownloadMode** | | No | | Currently, data isn't gathered to populate this field. The Windows Update DO DownloadMode configuration. |
| **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The Windows Update feature update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. | | **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The feature update deadline configuration in days. -1 indicates not configured. 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. |
| **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: DeferFeatureUpdates. The Windows Update feature update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the policy setting. | | **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: DeferFeatureUpdates. The feature update deferral configuration in days. -1 indicates not configured. 0 indicates configured but set to 0. Values > 0 indicate the policy setting. |
| **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. | | **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured. 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. |
| **WUFeaturePauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update feature update pause will end, if activated, else null. | | **WUFeaturePauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update feature update pause ends, if activated, else null. |
| **WUFeaturePauseStartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update feature update pause was activated, if activated, else null. Feature updates are paused for 35 days from the specified start date. | | **WUFeaturePauseStartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update feature update pause was activated, if activated, else null. Feature updates are paused for 35 days from the specified start date. |
| **WUFeaturePauseState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `NotConfigured` | Indicates pause status of device for feature updates. Possible values are Paused, NotPaused, NotConfigured. | | **WUFeaturePauseState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `NotConfigured` | Indicates pause status of device for feature updates. Possible values are Paused, NotPaused, NotConfigured. |
| **WUNotificationLevel** | | No | | Currently, data isn't gathered to populate this field. This policy allows you to define what Windows Update notifications users see. 0 (default) - Use the default Windows Update notifications. 1 - Turn off all notifications, excluding restart warnings. 2 - Turn off all notifications, including restart warnings | | **WUNotificationLevel** | | No | | Currently, data isn't gathered to populate this field. This policy allows you to define what Windows Update notifications users see. 0 (default) - Use the default Windows Update notifications. 1 - Turn off all notifications, excluding restart warnings. 2 - Turn off all notifications, including restart warnings |
| **WUPauseUXDisabled** | | No | | Currently, data isn't gathered to populate this field. This policy allows the IT admin to disable the Pause Updates feature. When this policy is enabled, the user can't access the Pause updates' feature. Supported values 0, 1. | | **WUPauseUXDisabled** | | No | | Currently, data isn't gathered to populate this field. This policy allows the IT admin to disable the Pause Updates feature. When this policy is enabled, the user can't access the Pause updates' feature. Supported values 0, 1. |
| **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. | | **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. -1 indicates not configured. 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. |
| **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values greater than 0 indicate the policy setting. | | **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. -1 indicates not configured. 0 indicates configured but set to 0. Values greater than 0 indicate the policy setting. |
| **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | The Windows Update grace period for quality update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. | | **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | The Windows Update grace period for quality update in days. -1 indicates not configured. 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. |
| **WUQualityPauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update quality update pause- will end, if activated, else null. | | **WUQualityPauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time the quality update pause ends, if activated, else null. |
| **WUQualityPauseStartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update quality update pause- was activated; if activated; else null. | | **WUQualityPauseStartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update quality update pause- was activated; if activated; else null. |
| **WUQualityPauseState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `NotConfigured` | Indicates pause status of device for quality updates. Possible values are Paused, NotPaused, NotConfigured. | | **WUQualityPauseState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `NotConfigured` | Indicates pause status of device for quality updates. Possible values are Paused, NotPaused, NotConfigured. |
| **WURestartNotification** | | No | | Currently, data isn't gathered to populate this field. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. The following list shows the supported values: 1 (default) = Auto Dismissal. 2 - User Dismissal. | | **WURestartNotification** | | No | | Currently, data isn't gathered to populate this field. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. The following list shows the supported values: 1 (default) = Auto Dismissal. 2 - User Dismissal. |

3
windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md
View File

@ -26,6 +26,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- csi.exe - csi.exe
- dbghost.exe - dbghost.exe
- dbgsvc.exe - dbgsvc.exe
- dbgsrv.exe
- dnx.exe - dnx.exe
- dotnet.exe - dotnet.exe
- fsi.exe - fsi.exe
@ -143,6 +144,7 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and
<Deny ID="ID_DENY_CSCRIPT" FriendlyName="cscript.exe" FileName="cscript.exe" MinimumFileVersion="5.812.10240.0" /> <Deny ID="ID_DENY_CSCRIPT" FriendlyName="cscript.exe" FileName="cscript.exe" MinimumFileVersion="5.812.10240.0" />
<Deny ID="ID_DENY_DBGHOST" FriendlyName="dbghost.exe" FileName="DBGHOST.Exe" MinimumFileVersion="2.3.0.0" /> <Deny ID="ID_DENY_DBGHOST" FriendlyName="dbghost.exe" FileName="DBGHOST.Exe" MinimumFileVersion="2.3.0.0" />
<Deny ID="ID_DENY_DBGSVC" FriendlyName="dbgsvc.exe" FileName="DBGSVC.Exe" MinimumFileVersion="2.3.0.0" /> <Deny ID="ID_DENY_DBGSVC" FriendlyName="dbgsvc.exe" FileName="DBGSVC.Exe" MinimumFileVersion="2.3.0.0" />
<Deny ID="ID_DENY_DBGSRV" FriendlyName="dbgsrv.exe" FileName="dbgsrv.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" /> <Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_DOTNET" FriendlyName="dotnet.exe" FileName="dotnet.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" /> <Deny ID="ID_DENY_DOTNET" FriendlyName="dotnet.exe" FileName="dotnet.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" /> <Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
@ -854,6 +856,7 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and
<FileRuleRef RuleID="ID_DENY_CSCRIPT" /> <FileRuleRef RuleID="ID_DENY_CSCRIPT" />
<FileRuleRef RuleID="ID_DENY_DBGHOST" /> <FileRuleRef RuleID="ID_DENY_DBGHOST" />
<FileRuleRef RuleID="ID_DENY_DBGSVC" /> <FileRuleRef RuleID="ID_DENY_DBGSVC" />
<FileRuleRef RuleID="ID_DENY_DBGSRV" />
<FileRuleRef RuleID="ID_DENY_DNX" /> <FileRuleRef RuleID="ID_DENY_DNX" />
<FileRuleRef RuleID="ID_DENY_DOTNET" /> <FileRuleRef RuleID="ID_DENY_DOTNET" />
<FileRuleRef RuleID="ID_DENY_FSI" /> <FileRuleRef RuleID="ID_DENY_FSI" />

24
windows/security/identity-protection/enterprise-certificate-pinning.md
View File

@ -2,7 +2,7 @@
title: Enterprise certificate pinning title: Enterprise certificate pinning
description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name. description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name.
ms.topic: concept-article ms.topic: concept-article
ms.date: 05/24/2023 ms.date: 03/12/2024
--- ---
# Enterprise certificate pinning overview # Enterprise certificate pinning overview
@ -29,7 +29,7 @@ To deploy enterprise certificate pinning, you need to:
- Apply the pin rules certificate trust list file to a reference administrative computer - Apply the pin rules certificate trust list file to a reference administrative computer
- Deploy the registry configuration on the reference computer via group policy - Deploy the registry configuration on the reference computer via group policy
### Create a pin rules XML file ### Create a pin rules XML file
The XML-based pin rules file consists of a sequence of PinRule elements. The XML-based pin rules file consists of a sequence of PinRule elements.
Each PinRule element contains a sequence of one or more Site elements and a sequence of zero or more Certificate elements. Each PinRule element contains a sequence of one or more Site elements and a sequence of zero or more Certificate elements.
@ -61,12 +61,12 @@ Each PinRule element contains a sequence of one or more Site elements and a sequ
#### PinRules element #### PinRules element
The PinRules element can have the following attributes. The PinRules element can have the following attributes.
For help with formatting Pin Rules, see [Represent a date in XML](#represent-a-date-in-xml) or [Represent a duration in XML](#represent-a-duration-in-xml). For help with formatting Pin Rules, see [Represent a date in XML](#represent-a-date-in-xml) or [Represent a duration in XML](#represent-a-duration-in-xml).
| Attribute | Description | Required | | Attribute | Description | Required |
|-----------|-------------|----------| |-----------|-------------|----------|
| **Duration** or **NextUpdate** | Specifies when the Pin Rules expires. Either is required. **NextUpdate** takes precedence if both are specified. <br> **Duration**, represented as an XML TimeSpan data type, doesn't allow years and months. You represent the **NextUpdate** attribute as an XML DateTime data type in UTC. | **Required?** Yes. At least one is required. | | **Duration** or **NextUpdate** | Specifies when the Pin Rules expires. Either is required. **NextUpdate** takes precedence if both are specified. <br> **Duration**, represented as an XML TimeSpan data type, doesn't allow years and months. You represent the **NextUpdate** attribute as an XML DateTime data type in UTC. | **Required?** Yes. At least one is required. |
| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules. <br> **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified. <br> You represent **LogDuration** as an XML TimeSpan data type, which doesn't allow years and months. <br> If `none of the attributes are specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. | | **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules. <br> **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified. <br> You represent **LogDuration** as an XML TimeSpan data type, which doesn't allow years and months. <br> If `none of the attributes are specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. |
| **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows doesn't use this attribute for certificate pinning enforcement; however, it's included when the pin rules are converted to a certificate trust list (CTL). | No. | | **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows doesn't use this attribute for certificate pinning enforcement; however, it's included when the pin rules are converted to a certificate trust list (CTL). | No. |
#### PinRule element #### PinRule element
@ -86,7 +86,7 @@ The **Certificate** element can have the following attributes.
| Attribute | Description | Required | | Attribute | Description | Required |
|-----------|-------------|----------| |-----------|-------------|----------|
| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as: <br>- single certificate <br>- p7b <br>- sst <br> These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory, or Base64 must be present). | | **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as: <br>- single certificate <br>- p7b <br>- sst <br> These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory, or Base64 must be present). |
| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory, or Base64 must be present). | | **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory, or Base64 must be present). |
| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as: <br>- single certificate <br>- p7b <br> - sst <br> This allows the certificates to be included in the XML file without a file directory dependency. <br> Note: <br> You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory, or Base64 must be present). | | **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as: <br>- single certificate <br>- p7b <br> - sst <br> This allows the certificates to be included in the XML file without a file directory dependency. <br> Note: <br> You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory, or Base64 must be present). |
| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. <br>If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element's certificates.<br> If the current time is past the **EndDate**, when creating the certificate trust list (CTL) the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.<br> For help with formatting Pin Rules, see [Represent a date in XML](#represent-a-date-in-xml).| No.| | **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. <br>If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element's certificates.<br> If the current time is past the **EndDate**, when creating the certificate trust list (CTL) the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.<br> For help with formatting Pin Rules, see [Represent a date in XML](#represent-a-date-in-xml).| No.|
@ -138,8 +138,8 @@ certutil -generatePinRulesCTL certPinRules.xml pinrules.stl
### Apply certificate pinning rules to a reference computer ### Apply certificate pinning rules to a reference computer
Now that your certificate pinning rules are in the certificate trust list format, you need to apply the settings to a reference computer as a prerequisite to deploying the setting to your enterprise. Now that your certificate pinning rules are in the certificate trust list format, you need to apply the settings to a reference computer as a prerequisite to deploying the setting to your enterprise.
To simplify the deployment configuration, it's best to apply your certificate pinning rules to a computer that has the Group Policy Management Console (GPMC) included in the Remote Server Administration Tools (RSAT). To simplify the deployment configuration, it's best to apply your certificate pinning rules to a computer that has the Group Policy Management Console (GPMC) included in the Remote Server Administration Tools (RSAT).
Use *certutil.exe* to apply your certificate pinning rules to your reference computer using the *setreg* argument.\ Use *certutil.exe* to apply your certificate pinning rules to your reference computer using the *setreg* argument.\
The *setreg* argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules.\ The *setreg* argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules.\
@ -148,7 +148,7 @@ The last argument you provide is the name of file that contains your certificate
You pass the name of the file as the last argument. You must prefix the file name with the `@` symbol as in the following example: You pass the name of the file as the last argument. You must prefix the file name with the `@` symbol as in the following example:
```cmd ```cmd
Certutil -setreg chain\PinRules @pinrules.stl Certutil -setreg chain\PinRules @pinrules.stl
``` ```
> [!NOTE] > [!NOTE]
@ -215,7 +215,7 @@ You can run the following commands from an elevated command prompt to achieve th
set PinRulesLogDir=c:\PinRulesLog set PinRulesLogDir=c:\PinRulesLog
mkdir %PinRulesLogDir% mkdir %PinRulesLogDir%
icacls %PinRulesLogDir% /grant *S-1-15-2-1:(OI)(CI)(F) icacls %PinRulesLogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
icacls %PinRulesLogDir% /grant *S-1-1-0:(OI)(CI)(F) icacls %PinRulesLogDir% /grant *S-1-1-0:(OI)(CI)(F)
icacls %PinRulesLogDir% /grant *S-1-5-12:(OI)(CI)(F) icacls %PinRulesLogDir% /grant *S-1-5-12:(OI)(CI)(F)
icacls %PinRulesLogDir% /inheritance:e /setintegritylevel (OI)(CI)L icacls %PinRulesLogDir% /inheritance:e /setintegritylevel (OI)(CI)L
``` ```
@ -233,7 +233,7 @@ For example:
- `DE28F4A4_www.yammer.com.p7b` - `DE28F4A4_www.yammer.com.p7b`
If there's either an enterprise certificate pin rule or a Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder. If there's either an enterprise certificate pin rule or a Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder.
If the pin rules have expired, then Windows writes the .p7b to the **ExpiredPinRules** child folder. If the pin rules have expired, then Windows writes the .p7b to the **ExpiredPinRules** child folder.
## Represent a date in XML ## Represent a date in XML
@ -244,7 +244,7 @@ You can then copy and paste the output of the cmdlet into the XML file.
![Representing a date.](images/enterprise-certificate-pinning-representing-a-date.png) ![Representing a date.](images/enterprise-certificate-pinning-representing-a-date.png)
For simplicity, you can truncate decimal point (.) and the numbers after it. For simplicity, you can truncate decimal point (.) and the numbers after it.
However, be certain to append the uppercase "Z" to the end of the XML date string. However, be certain to append the uppercase "Z" to the end of the XML date string.
```cmd ```cmd
@ -268,7 +268,7 @@ You can use Windows PowerShell to properly format and validate durations (timesp
## Convert an XML duration ## Convert an XML duration
You can convert an XML formatted timespan into a timespan variable that you can read. You can convert an XML formatted timespan into a timespan variable that you can read.
![Converting an XML duration.](images/enterprise-certificate-pinning-converting-a-duration.png) ![Converting an XML duration.](images/enterprise-certificate-pinning-converting-a-duration.png)

6
windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
View File

@ -1,8 +1,8 @@
--- ---
title: Windows Hello for Business cloud-only deployment guide title: Windows Hello for Business cloud-only deployment guide
description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario. description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario.
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: how-to ms.topic: tutorial
--- ---
# Cloud-only deployment guide # Cloud-only deployment guide
@ -32,7 +32,7 @@ When you Microsoft Entra join a device, the system attempts to automatically enr
Cloud-only deployments use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no other MFA configuration needed. If you aren't already registered in MFA, you're guided through the MFA registration as part of the Windows Hello for Business enrollment process. Cloud-only deployments use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no other MFA configuration needed. If you aren't already registered in MFA, you're guided through the MFA registration as part of the Windows Hello for Business enrollment process.
Policy settings can be configured to control the behavior of Windows Hello for Business, via configuration service provider (CSP) or group policy (GPO). In cloud-only deployments, devices are Policy settings can be configured to control the behavior of Windows Hello for Business, via configuration service provider (CSP) or group policy (GPO). In cloud-only deployments, devices are
typically configured via an MDM solution like Microsoft Intune, using the [PassportForWork CSP][WIN-1]. typically configured via an MDM solution like Microsoft Intune, using the [PassportForWork CSP][WIN-1].
> [!NOTE] > [!NOTE]

4
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure Active Directory Federation Services in a hybrid certificate trust model title: Configure Active Directory Federation Services in a hybrid certificate trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business hybrid certificate trust model. description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business hybrid certificate trust model.
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: tutorial ms.topic: tutorial
--- ---
@ -21,7 +21,7 @@ The CRA enrolls for an *enrollment agent certificate*, and the Windows Hello for
Sign-in the AD FS server with *domain administrator* equivalent credentials. Sign-in the AD FS server with *domain administrator* equivalent credentials.
Open a **Windows PowerShell** prompt and type the following command: Open a **Windows PowerShell** prompt and type the following command:
```PowerShell ```PowerShell
Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
``` ```

2
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario. description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: tutorial ms.topic: tutorial
--- ---

2
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure and validate the PKI in an hybrid certificate trust model title: Configure and validate the PKI in an hybrid certificate trust model
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model. description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: tutorial ms.topic: tutorial
--- ---

4
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
View File

@ -1,7 +1,7 @@
--- ---
title: Windows Hello for Business hybrid certificate trust deployment guide title: Windows Hello for Business hybrid certificate trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario. description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: tutorial ms.topic: tutorial
--- ---
@ -28,7 +28,7 @@ ms.topic: tutorial
> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: > Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
> >
> - [Configure and validate the Public Key Infrastructure](hybrid-cert-trust-pki.md) > - [Configure and validate the Public Key Infrastructure](hybrid-cert-trust-pki.md)
> - [Configure Active Directory Federation Services](hybrid-cert-trust-adfs.md) > - [Configure Active Directory Federation Services](hybrid-cert-trust-adfs.md)
> - [Configure and enroll in Windows Hello for Business](hybrid-cert-trust-enroll.md) > - [Configure and enroll in Windows Hello for Business](hybrid-cert-trust-enroll.md)
> - (optional) [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md) > - (optional) [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md)

2
windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
View File

@ -1,7 +1,7 @@
--- ---
title: Windows Hello for Business cloud Kerberos trust deployment guide title: Windows Hello for Business cloud Kerberos trust deployment guide
description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario. description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario.
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: tutorial ms.topic: tutorial
--- ---

2
windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure and enroll in Windows Hello for Business in a hybrid key trust model title: Configure and enroll in Windows Hello for Business in a hybrid key trust model
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario. description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario.
ms.date: 12/29/2023 ms.date: 03/12/2024
ms.topic: tutorial ms.topic: tutorial
--- ---

2
windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
View File

@ -1,7 +1,7 @@
--- ---
title: Windows Hello for Business hybrid key trust deployment guide title: Windows Hello for Business hybrid key trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario. description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario.
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: tutorial ms.topic: tutorial
--- ---

4
windows/security/identity-protection/hello-for-business/deploy/index.md
View File

@ -1,8 +1,8 @@
--- ---
title: Plan a Windows Hello for Business Deployment title: Plan a Windows Hello for Business Deployment
description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
ms.date: 01/02/2024 ms.date: 03/12/2024
ms.topic: overview ms.topic: concept-article
--- ---
# Plan a Windows Hello for Business deployment # Plan a Windows Hello for Business deployment

2
windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure Active Directory Federation Services in an on-premises certificate trust model title: Configure Active Directory Federation Services in an on-premises certificate trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model. description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model.
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: tutorial ms.topic: tutorial
--- ---

2
windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md
View File

@ -1,5 +1,5 @@
--- ---
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: tutorial ms.topic: tutorial
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario

2
windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
View File

@ -1,7 +1,7 @@
--- ---
title: Windows Hello for Business on-premises certificate trust deployment guide title: Windows Hello for Business on-premises certificate trust deployment guide
description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario. description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario.
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: tutorial ms.topic: tutorial
--- ---

2
windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure Active Directory Federation Services in an on-premises key trust model title: Configure Active Directory Federation Services in an on-premises key trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model. description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model.
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: tutorial ms.topic: tutorial
--- ---

2
windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
View File

@ -1,5 +1,5 @@
--- ---
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: tutorial ms.topic: tutorial
title: Configure Windows Hello for Business Policy settings in an on-premises key trust title: Configure Windows Hello for Business Policy settings in an on-premises key trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario

2
windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
View File

@ -1,7 +1,7 @@
--- ---
title: Windows Hello for Business on-premises key trust deployment guide title: Windows Hello for Business on-premises key trust deployment guide
description: Learn how to deploy Windows Hello for Business in an on-premises, key trust scenario. description: Learn how to deploy Windows Hello for Business in an on-premises, key trust scenario.
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: tutorial ms.topic: tutorial
--- ---

2
windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
View File

@ -1,7 +1,7 @@
--- ---
title: Prepare users to provision and use Windows Hello for Business title: Prepare users to provision and use Windows Hello for Business
description: Learn how to prepare users to enroll and to use Windows Hello for Business. description: Learn how to prepare users to enroll and to use Windows Hello for Business.
ms.date: 01/02/2024 ms.date: 03/12/2024
ms.topic: end-user-help ms.topic: end-user-help
--- ---

2
windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
View File

@ -1,7 +1,7 @@
--- ---
title: Windows Hello for Business known deployment issues title: Windows Hello for Business known deployment issues
description: This article is a troubleshooting guide for known Windows Hello for Business deployment issues. description: This article is a troubleshooting guide for known Windows Hello for Business deployment issues.
ms.date: 06/02/2023 ms.date: 03/12/2024
ms.topic: troubleshooting ms.topic: troubleshooting
--- ---

2
windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
View File

@ -2,7 +2,7 @@
title: Windows Hello errors during PIN creation title: Windows Hello errors during PIN creation
description: Learn about the Windows Hello error codes that might happen during PIN creation. description: Learn about the Windows Hello error codes that might happen during PIN creation.
ms.topic: troubleshooting ms.topic: troubleshooting
ms.date: 01/26/2024 ms.date: 03/12/2024
--- ---
# Windows Hello errors during PIN creation # Windows Hello errors during PIN creation

2
windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/expiration.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/history.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/require-digits.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/require-special-characters.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/use-biometrics.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md
View File

@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 01/03/2024 ms.date: 03/12/2024
ms.topic: include ms.topic: include
--- ---

2
windows/security/identity-protection/index.md
View File

@ -2,7 +2,7 @@
title: Windows identity protection title: Windows identity protection
description: Learn more about identity protection technologies in Windows. description: Learn more about identity protection technologies in Windows.
ms.topic: overview ms.topic: overview
ms.date: 07/27/2023 ms.date: 03/12/2024
--- ---
# Windows identity protection # Windows identity protection

6
windows/security/identity-protection/passwordless-experience/index.md
View File

@ -1,9 +1,9 @@
--- ---
title: Windows passwordless experience title: Windows passwordless experience
description: Learn how Windows passwordless experience enables your organization to move away from passwords. description: Learn how Windows passwordless experience enables your organization to move away from passwords.
ms.collection: ms.collection:
- tier1 - tier1
ms.date: 09/27/2023 ms.date: 03/12/2024
ms.topic: how-to ms.topic: how-to
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@ -19,7 +19,7 @@ With Windows passwordless experience, users who sign in with Windows Hello or a
- Can't use the password credential provider on the Windows lock screen - Can't use the password credential provider on the Windows lock screen
- Aren't prompted to use a password during in-session authentications (for example, UAC elevation, password manager in the browser, etc.) - Aren't prompted to use a password during in-session authentications (for example, UAC elevation, password manager in the browser, etc.)
- Don't have the option *Accounts > Change password* in the Settings app - Don't have the option *Accounts > Change password* in the Settings app
>[!NOTE] >[!NOTE]
>Users can reset their password using <kbd>CTRL</kbd>+<kbd>ALT</kbd>+<kbd>DEL</kbd> > **Manage your account** >Users can reset their password using <kbd>CTRL</kbd>+<kbd>ALT</kbd>+<kbd>DEL</kbd> > **Manage your account**

2
windows/security/identity-protection/remote-credential-guard.md
View File

@ -2,7 +2,7 @@
title: Remote Credential Guard title: Remote Credential Guard
description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device. description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device.
ms.topic: how-to ms.topic: how-to
ms.date: 12/08/2023 ms.date: 03/12/2024
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>

12
windows/security/identity-protection/web-sign-in/index.md
View File

@ -1,7 +1,7 @@
--- ---
title: Web sign-in for Windows title: Web sign-in for Windows
description: Learn how Web sign-in in Windows works, key scenarios, and how to configure it. description: Learn how Web sign-in in Windows works, key scenarios, and how to configure it.
ms.date: 12/11/2023 ms.date: 03/12/2023
ms.topic: how-to ms.topic: how-to
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@ -11,8 +11,8 @@ ms.collection:
# Web sign-in for Windows # Web sign-in for Windows
Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities. Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can enable a web-based sign-in experience on Microsoft Entra joined devices.
This feature is called *Web sign-in*. This feature is called *Web sign-in*, and it unlocks new sign-in options and capabilities.
Web sign-in is a *credential provider*, and it was initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in are expanded.\ Web sign-in is a *credential provider*, and it was initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in are expanded.\
For example, you can sign in with the Microsoft Authenticator app or with a SAML-P federated identity. For example, you can sign in with the Microsoft Authenticator app or with a SAML-P federated identity.
@ -21,11 +21,11 @@ This article describes how to configure Web sign-in and the supported key scenar
## System requirements ## System requirements
To use web sign-in, the clients must meet the following prerequisites: Here are the prerequisites for using Web sign-in:
- Windows 11, version 22H2 with [5030310][KB-1], or later - Windows 11, version 22H2 with [5030310][KB-1], or later
- Must be [Microsoft Entra joined](/entra/identity/devices/concept-directory-join) - [Microsoft Entra joined](/entra/identity/devices/concept-directory-join)
- Must have Internet connectivity, as the authentication is done over the Internet - Internet connectivity, as the authentication is done over the Internet
> [!IMPORTANT] > [!IMPORTANT]
> Web sign-in is not supported for Microsoft Entra hybrid joined or domain joined devices. > Web sign-in is not supported for Microsoft Entra hybrid joined or domain joined devices.

289
windows/security/index.yml
View File

@ -1,167 +1,156 @@
### YamlMime:Hub ### YamlMime:Landing
title: Windows client security documentation title: Windows security documentation
summary: Learn how to secure Windows clients for your organization. summary: Windows is designed with zero-trust principles at its core, offering powerful security from chip to cloud. As organizations embrace hybrid work environments, the need for robust security solutions becomes paramount. Windows integrates advanced hardware and software protection, ensuring data integrity and access control across devices. Learn about the different security features included in Windows.
brand: windows
metadata: metadata:
ms.topic: hub-page ms.topic: landing-page
ms.collection: ms.collection:
- tier1 - tier1
- essentials-navigation - essentials-navigation
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
manager: aaroncz manager: aaroncz
ms.date: 09/18/2023 ms.date: 03/12/2024
highlightedContent: # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new
items:
- title: Get started with Windows security
itemType: get-started
url: introduction.md
- title: Windows 11, version 22H2
itemType: whats-new
url: /windows/whats-new/whats-new-windows-11-version-22H2
- title: Advance your security posture with Microsoft Intune from chip to cloud
itemType: learn
url: https://learn.microsoft.com/training/modules/m365-advance-organization-security-posture/
- title: Security features licensing and edition requirements
itemType: overview
url: /windows/security/licensing-and-edition-requirements
landingContent:
productDirectory: - title: Learn about hardware security
title: Get started linkLists:
items: - linkListType: overview
links:
- text: Trusted Platform Module (TPM)
url: /windows/security/hardware-security/tpm/trusted-platform-module-overview
- text: Microsoft Pluton
url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor
- text: Windows Defender System Guard
url: /windows-hardware/design/device-experiences/oem-vbs
- text: Virtualization-based security (VBS)
url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows
- text: Secured-core PC
url: /windows-hardware/design/device-experiences/oem-highly-secure-11
- title: Hardware security - title: Learn about OS security
imageSrc: /media/common/i_usb.svg linkLists:
links: - linkListType: overview
- url: /windows/security/hardware-security/tpm/trusted-platform-module-overview links:
text: Trusted Platform Module - text: Trusted boot
- url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor url: /windows/security/operating-system-security
text: Microsoft Pluton - text: Windows security settings
- url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
text: Windows Defender System Guard - text: BitLocker
- url: /windows-hardware/design/device-experiences/oem-vbs url: /windows/security/operating-system-security/data-protection/bitlocker/
text: Virtualization-based security (VBS) - text: Personal Data Encryption (PDE)
- url: /windows-hardware/design/device-experiences/oem-highly-secure-11 url: /windows/security/operating-system-security/data-protection/personal-data-encryption
text: Secured-core PC - text: Windows security baselines
- url: /windows/security/hardware-security url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
text: Learn more about hardware security > - text: Microsoft Defender SmartScreen
url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
- text: Windows Firewall
url: /windows/security/operating-system-security/network-security/windows-firewall/
- linkListType: architecture
links:
- text: BitLocker planning guide
url: /windows/security/operating-system-security/data-protection/bitlocker/planning-guide
- linkListType: how-to-guide
links:
- text: Configure BitLocker
url: /windows/security/operating-system-security/data-protection/bitlocker/configure
- text: Configure PDE
url: /windows/security/operating-system-security/data-protection/personal-data-encryption/configure
- linkListType: whats-new
links:
- text: Hyper-V firewall
url: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall
- title: OS security - title: Learn about identity protection
imageSrc: /media/common/i_threat-protection.svg linkLists:
links: - linkListType: overview
- url: /windows/security/operating-system-security links:
text: Trusted boot - text: Passwordless strategy
- url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center url: /windows/security/identity-protection/passwordless-strategy
text: Windows security settings - text: Windows Hello for Business
- url: /windows/security/operating-system-security/data-protection/bitlocker/ url: /windows/security/identity-protection/hello-for-business
text: BitLocker - text: Windows passwordless experience
- url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines url: /windows/security/identity-protection/passwordless-experience
text: Windows security baselines - text: Web sign-in for Windows
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ url: /windows/security/identity-protection/web-sign-in
text: Microsoft Defender SmartScreen - text: Passkeys
- url: /windows/security/operating-system-security url: /windows/security/identity-protection/passkeys
text: Learn more about OS security > - text: FIDO2 security keys
url: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
- text: Enhanced phishing protection with SmartScreen
url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
- linkListType: how-to-guide
links:
- text: Configure PIN reset
url: /windows/security/identity-protection/hello-for-business/pin-reset
- text: RDP sign-in with Windows Hello for Business
url: /windows/security/identity-protection/hello-for-business/rdp-sign-in
- linkListType: architecture
links:
- text: Plan a Windows Hello for Business deployment
url: /windows/security/identity-protection/hello-for-business/deploy/
- linkListType: deploy
links:
- text: Cloud Kerberos trust deployment guide
url: /windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust
- title: Identity protection - title: Learn about application security
imageSrc: /media/common/i_identity-protection.svg linkLists:
links: - linkListType: overview
- url: /windows/security/identity-protection/hello-for-business links:
text: Windows Hello for Business - text: Windows Defender Application Control (WDAC)
- url: /windows/security/identity-protection/passwordless-experience url: /windows/security/application-security/application-control/windows-defender-application-control/
text: Windows passwordless experience - text: User Account Control (UAC)
- url: /windows/security/identity-protection/web-sign-in url: /windows/security/application-security/application-control/user-account-control
text: Web sign-in for Windows - text: Microsoft vulnerable driver blocklist
- url: /windows/security/identity-protection/passkeys url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules
text: Support for passkeys in Windows - text: Microsoft Defender Application Guard (MDAG)
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
text: Enhanced phishing protection with SmartScreen - text: Windows Sandbox
- url: /windows/security/identity-protection url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
text: Learn more about identity protection > - linkListType: how-to-guide
links:
- text: Configure Windows Sandbox
url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file
- title: Application security - title: Learn about security foundations
imageSrc: /media/common/i_queries.svg linkLists:
links: - linkListType: overview
- url: /windows/security/application-security/application-control/windows-defender-application-control/ links:
text: Windows Defender Application Control (WDAC) - text: Zero trust
- url: /windows/security/application-security/application-control/user-account-control url: /windows/security/security-foundations/zero-trust-windows-device-health
text: User Account Control (UAC) - text: FIPS 140 validation
- url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules url: /windows/security/security-foundations/certification/fips-140-validation
text: Microsoft vulnerable driver blocklist - text: Common Criteria Certifications
- url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview url: /windows/security/security-foundations/certification/windows-platform-common-criteria
text: Microsoft Defender Application Guard (MDAG) - text: Microsoft Security Development Lifecycle (SDL)
- url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview url: /windows/security/security-foundations/msft-security-dev-lifecycle
text: Windows Sandbox - text: Microsoft Windows Insider Preview bounty program
- url: /windows/security/application-security url: https://www.microsoft.com/msrc/bounty-windows-insider-preview
text: Learn more about application security > - text: OneFuzz service
url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
- linkListType: whats-new
links:
- text: Completed FIPS validations - Windows 11
url: /windows/security/security-foundations/certification/validations/fips-140-windows11
- text: Completed CC certifications - Windows 11
url: /windows/security/security-foundations/certification/validations/cc-windows11
- title: Security foundations - title: Learn about cloud security
imageSrc: /media/common/i_build.svg linkLists:
links: - linkListType: overview
- url: /windows/security/security-foundations/certification/fips-140-validation links:
text: FIPS 140-2 validation - text: Security baselines with Intune
- url: /windows/security/security-foundations/certification/windows-platform-common-criteria url: /mem/intune/protect/security-baselines
text: Common Criteria Certifications - text: Windows Autopatch
- url: /windows/security/security-foundations/msft-security-dev-lifecycle url: /windows/deployment/windows-autopatch
text: Microsoft Security Development Lifecycle (SDL) - text: Windows Autopilot
- url: https://www.microsoft.com/msrc/bounty-windows-insider-preview url: /windows/deployment/windows-autopilot
text: Microsoft Windows Insider Preview bounty program - text: Universal Print
- url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/ url: /universal-print
text: OneFuzz service - text: Remote wipe
- url: /windows/security/security-foundations url: /windows/client-management/mdm/remotewipe-csp
text: Learn more about security foundations >
- title: Cloud security
imageSrc: /media/common/i_cloud-security.svg
links:
- url: /mem/intune/protect/security-baselines
text: Security baselines with Intune
- url: /windows/deployment/windows-autopatch
text: Windows Autopatch
- url: /windows/deployment/windows-autopilot
text: Windows Autopilot
- url: /universal-print
text: Universal Print
- url: /windows/client-management/mdm/remotewipe-csp
text: Remote wipe
- url: /windows/security/cloud-security
text: Learn more about cloud security >
additionalContent:
sections:
- title: More Windows resources
items:
- title: Windows Server
links:
- text: Windows Server documentation
url: /windows-server
- text: What's new in Windows Server 2022?
url: /windows-server/get-started/whats-new-in-windows-server-2022
- text: Windows Server blog
url: https://cloudblogs.microsoft.com/windowsserver/
- title: Windows product site and blogs
links:
- text: Find out how Windows enables your business to do more
url: https://www.microsoft.com/microsoft-365/windows
- text: Windows blogs
url: https://blogs.windows.com/
- text: Windows IT Pro blog
url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog
- text: Microsoft Intune blog
url: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/bg-p/MicrosoftEndpointManagerBlog
- text: "Windows help & learning: end-user documentation"
url: https://support.microsoft.com/windows
- title: Participate in the community
links:
- text: Windows community
url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10
- text: Microsoft Intune community
url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune
- text: Microsoft Support community
url: https://answers.microsoft.com/windows/forum