deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-7933120-uac

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-05-24 19:21:55 -04:00
commit 43647b4891
774 changed files with 829 additions and 837 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
education/windows/chromebook-migration-guide.md
View File

@ -1,5 +1,5 @@
--- ---
title: Chromebook migration guide (Windows 10) title: Chromebook migration guide
description: Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. description: Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment.
ms.topic: how-to ms.topic: how-to
ms.date: 08/10/2022 ms.date: 08/10/2022

2
education/windows/deploy-windows-10-in-a-school-district.md
View File

@ -1,5 +1,5 @@
--- ---
title: Deploy Windows 10 in a school district (Windows 10) title: Deploy Windows 10 in a school district
description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Configuration Manager, Intune, and Group Policy to manage devices. description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Configuration Manager, Intune, and Group Policy to manage devices.
ms.topic: how-to ms.topic: how-to
ms.date: 08/10/2022 ms.date: 08/10/2022

2
education/windows/deploy-windows-10-in-a-school.md
View File

@ -1,5 +1,5 @@
--- ---
title: Deploy Windows 10 in a school (Windows 10) title: Deploy Windows 10 in a school
description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy.
ms.topic: how-to ms.topic: how-to
ms.date: 08/10/2022 ms.date: 08/10/2022

2
education/windows/deploy-windows-10-overview.md
View File

@ -1,5 +1,5 @@
--- ---
title: Windows 10 for Education (Windows 10) title: Windows 10 for Education
description: Learn how to use Windows 10 in schools. description: Learn how to use Windows 10 in schools.
ms.topic: how-to ms.topic: how-to
ms.date: 08/10/2022 ms.date: 08/10/2022

2
windows/security/application-security/application-control/user-account-control/how-user-account-control-works.md
View File

@ -1,5 +1,5 @@
--- ---
title: How User Account Control works (Windows) title: How User Account Control works
description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
ms.collection: ms.collection:
- highpri - highpri

2
windows/security/application-security/application-control/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
View File

@ -1,5 +1,5 @@
--- ---
title: User Account Control Group Policy and registry key settings (Windows) title: User Account Control Group Policy and registry key settings
description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
ms.collection: ms.collection:
- highpri - highpri

2
windows/security/application-security/application-control/user-account-control/user-account-control-security-policy-settings.md
View File

@ -1,5 +1,5 @@
--- ---
title: User Account Control security policy settings (Windows) title: User Account Control security policy settings
description: You can use security policies to configure how User Account Control works in your organization. description: You can use security policies to configure how User Account Control works in your organization.
ms.topic: article ms.topic: article
ms.date: 09/24/2021 ms.date: 09/24/2021

2
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -1,5 +1,5 @@
--- ---
title: Manage Windows Defender Credential Guard (Windows) title: Manage Windows Defender Credential Guard
description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy or the registry. description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy or the registry.
ms.date: 11/23/2022 ms.date: 11/23/2022
ms.collection: ms.collection:

2
windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
View File

@ -1,5 +1,5 @@
--- ---
title: Windows Defender Credential Guard protection limits (Windows) title: Windows Defender Credential Guard protection limits
description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide. description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
ms.date: 08/17/2017 ms.date: 08/17/2017
ms.topic: article ms.topic: article

2
windows/security/identity-protection/credential-guard/credential-guard.md
View File

@ -1,5 +1,5 @@
--- ---
title: Protect derived domain credentials with Windows Defender Credential Guard (Windows) title: Protect derived domain credentials with Windows Defender Credential Guard
description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
ms.date: 11/22/2022 ms.date: 11/22/2022
ms.topic: article ms.topic: article

2
windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
View File

@ -1,5 +1,5 @@
--- ---
title: Windows Hello biometrics in the enterprise (Windows) title: Windows Hello biometrics in the enterprise
description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition. description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
ms.date: 01/12/2021 ms.date: 01/12/2021
ms.topic: article ms.topic: article

74
windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
View File

@ -1,24 +1,16 @@
--- ---
title: How Windows Hello for Business works - Authentication title: How Windows Hello for Business authentication works
description: Learn about the authentication flow for Windows Hello for Business. description: Learn about the Windows Hello for Business authentication flows.
ms.date: 02/15/2022 ms.date: 05/24/2023
ms.topic: article ms.topic: reference
--- ---
# Windows Hello for Business and Authentication # Windows Hello for Business authentication
Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources. Windows Hello for Business authentication is a passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background. Azure AD-joined devices authenticate to Azure AD during sign-in and can, optionally, authenticate to Active Directory. Hybrid Azure AD-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure AD in the background.
- [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory) ## Azure AD join authentication to Azure AD
- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-kerberos-trust)
- [Azure AD join authentication to Active Directory using a key](#azure-ad-join-authentication-to-active-directory-using-a-key)
- [Azure AD join authentication to Active Directory using a certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate)
- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust)
- [Hybrid Azure AD join authentication using a key](#hybrid-azure-ad-join-authentication-using-a-key)
- [Hybrid Azure AD join authentication using a certificate](#hybrid-azure-ad-join-authentication-using-a-certificate)
## Azure AD join authentication to Azure Active Directory
![Azure AD join authentication to Azure Active Directory.](images/howitworks/auth-aadj-cloud.png) ![Azure AD join authentication to Azure Active Directory.](images/howitworks/auth-aadj-cloud.png)
@ -27,20 +19,20 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.| |A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
|B | The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.| |B | The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.|
|C | Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.| |C | Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. Azure AD then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.| |D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust) ## Azure AD join authentication to Active Directory using cloud Kerberos trust
![Azure Active Directory join authentication to Azure AD.](images/howitworks/auth-aadj-cloudtrust-kerb.png) ![Azure Active Directory join authentication to Azure AD.](images/howitworks/auth-aadj-cloudtrust-kerb.png)
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. |A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller.
|B | After locating an active 2016 domain controller, the Kerberos provider sends a partial TGT that it received from Azure AD from a previous Azure AD authentication to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller will verify that the partial TGT is valid. On success, the KDC returns a TGT to the client.| |B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Azure AD from a previous Azure AD authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Azure AD Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
## Azure AD join authentication to Active Directory using a key ## Azure AD join authentication to Active Directory using a key
@ -48,9 +40,9 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates an active 2016 domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.| |A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
|B | The Kerberos provider sends the signed pre-authentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.| |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
> [!NOTE] > [!NOTE]
> You might have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Azure AD joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins. > You might have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Azure AD joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
@ -61,24 +53,24 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.| |A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.| |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
> [!NOTE] > [!NOTE]
> You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation. > You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust) ## Hybrid Azure AD join authentication using cloud Kerberos trust
![Hybrid Azure AD join authentication using Azure AD Kerberos](images/howitworks/auth-haadj-cloudtrust.png) ![Hybrid Azure AD join authentication using Azure AD Kerberos](images/howitworks/auth-haadj-cloudtrust.png)
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce. |A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD. |B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD.
|C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP. |C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP.
|D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT. |D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Azure AD to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller will verify that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos will return the TGT to lsass, where it is cached and used for subsequent service ticket requests. Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| |E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Azure AD to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
## Hybrid Azure AD join authentication using a key ## Hybrid Azure AD join authentication using a key
@ -86,11 +78,11 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.| |A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|B | The Kerberos provider sends the signed pre-authentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.| |D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| |E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.| |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.| |G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
@ -103,13 +95,13 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.| |A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.| |D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| |E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.| |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.| |G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
> [!IMPORTANT] > [!IMPORTANT]
> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller for the first time. > In the above deployment model, a **newly provisioned** user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller.

2
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -42,7 +42,7 @@ When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Ke
:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Azure AD Kerberos server "::: :::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Azure AD Kerberos server ":::
For more information about how Azure AD Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][AZ-1].\ For more information about how Azure AD Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][AZ-1].\
For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust). For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust).
> [!IMPORTANT] > [!IMPORTANT]
> When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. > When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].

48
windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
View File

@ -1,6 +1,6 @@
--- ---
title: Manage Windows Hello in your organization (Windows) title: Manage Windows Hello in your organization
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. description: Learn how to create a Group Policy or mobile device management (MDM) policy to configure and deploy Windows Hello for Business.
ms.collection: ms.collection:
- highpri - highpri
- tier1 - tier1
@ -19,31 +19,31 @@ You can create a Group Policy or mobile device management (MDM) policy to config
## Group Policy settings for Windows Hello for Business ## Group Policy settings for Windows Hello for Business
The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**. The following table lists the Group Policy settings that you can configure for Windows Hello use in your organization. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies > Administrative Templates > Windows Components > Windows Hello for Business**.
> [!NOTE] > [!NOTE]
> Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **PIN Complexity**. > The location of the PIN complexity section of the Group Policy is: **Computer Configuration > Administrative Templates > System > PIN Complexity**.
|Policy|Scope|Options| |Policy|Scope|Options|
|--- |--- |--- | |--- |--- |--- |
|Use Windows Hello for Business|Computer or user|<p><b>Not configured</b>: Device does not provision Windows Hello for Business for any user.<p><b>Enabled</b>: Device provisions Windows Hello for Business using keys or certificates for all users.<p><b>Disabled</b>: Device does not provision Windows Hello for Business for any user.| |Use Windows Hello for Business|Computer or user|<p><b>Not configured</b>: Device doesn't provision Windows Hello for Business for any user.<p><b>Enabled</b>: Device provisions Windows Hello for Business using keys or certificates for all users.<p><b>Disabled</b>: Device doesn't provision Windows Hello for Business for any user.|
|Use a hardware security device|Computer|<p><b>Not configured</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.<p><b>Disabled</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.| |Use a hardware security device|Computer|<p><b>Not configured</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.<p><b>Disabled</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
|Use certificate for on-premises authentication|Computer or user|<p><b>Not configured</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.<p><b>Enabled</b>: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.<p><b>Disabled</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.| |Use certificate for on-premises authentication|Computer or user|<p><b>Not configured</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.<p><b>Enabled</b>: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.<p><b>Disabled</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.|
|Use PIN recovery|Computer|<p>Added in Windows 10, version 1703<p><b>Not configured</b>: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service<p><b>Enabled</b>: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset<p><b>Disabled</b>: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.<p>For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).| |Use PIN recovery|Computer|<p>Added in Windows 10, version 1703<p><b>Not configured</b>: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service<p><b>Enabled</b>: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset<p><b>Disabled</b>: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service.<p>For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
|Use biometrics|Computer|<p><b>Not configured</b>: Biometrics can be used as a gesture in place of a PIN<p><b>Enabled</b>: Biometrics can be used as a gesture in place of a PIN.<p><b>Disabled</b>: Only a PIN can be used as a gesture.| |Use biometrics|Computer|<p><b>Not configured</b>: Biometrics can be used as a gesture in place of a PIN<p><b>Enabled</b>: Biometrics can be used as a gesture in place of a PIN.<p><b>Disabled</b>: Only a PIN can be used as a gesture.|
### PIN Complexity ### PIN Complexity
|Policy|Scope|Options| |Policy|Scope|Options|
|--- |--- |--- | |--- |--- |--- |
|Require digits|Computer|<p><b>Not configured</b>: Users must include a digit in their PIN.<p><b>Enabled</b>: Users must include a digit in their PIN.<p><b>Disabled</b>: Users cannot use digits in their PIN.| |Require digits|Computer|<p><b>Not configured</b>: Users must include a digit in their PIN.<p><b>Enabled</b>: Users must include a digit in their PIN.<p><b>Disabled</b>: Users can't use digits in their PIN.|
|Require lowercase letters|Computer|<p><b>Not configured</b>: Users cannot use lowercase letters in their PIN<p><b>Enabled</b>: Users must include at least one lowercase letter in their PIN.<p><b>Disabled</b>: Users cannot use lowercase letters in their PIN.| |Require lowercase letters|Computer|<p><b>Not configured</b>: Users can't use lowercase letters in their PIN<p><b>Enabled</b>: Users must include at least one lowercase letter in their PIN.<p><b>Disabled</b>: Users can't use lowercase letters in their PIN.|
|Maximum PIN length|Computer|<p><b>Not configured</b>: PIN length must be less than or equal to 127.<p><b>Enabled</b>: PIN length must be less than or equal to the number you specify.<p><b>Disabled</b>: PIN length must be less than or equal to 127.| |Maximum PIN length|Computer|<p><b>Not configured</b>: PIN length must be less than or equal to 127.<p><b>Enabled</b>: PIN length must be less than or equal to the number you specify.<p><b>Disabled</b>: PIN length must be less than or equal to 127.|
|Minimum PIN length|Computer|<p><b>Not configured</b>: PIN length must be greater than or equal to 4.<p><b>Enabled</b>: PIN length must be greater than or equal to the number you specify.<p><b>Disabled</b>: PIN length must be greater than or equal to 4.| |Minimum PIN length|Computer|<p><b>Not configured</b>: PIN length must be greater than or equal to 4.<p><b>Enabled</b>: PIN length must be greater than or equal to the number you specify.<p><b>Disabled</b>: PIN length must be greater than or equal to 4.|
|Expiration|Computer|<p><b>Not configured</b>: PIN does not expire.<p><b>Enabled</b>: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.<p><b>Disabled</b>: PIN does not expire.| |Expiration|Computer|<p><b>Not configured</b>: PIN doesn't expire.<p><b>Enabled</b>: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.<p><b>Disabled</b>: PIN doesn't expire.|
|History|Computer|<p><b>Not configured</b>: Previous PINs are not stored.<p><b>Enabled</b>: Specify the number of previous PINs that can be associated to a user account that can&#39;t be reused.<p><b>Disabled</b>: Previous PINs are not stored.<div class="alert"><b>Note</b>  Current PIN is included in PIN history.</div>| |History|Computer|<p><b>Not configured</b>: Previous PINs aren't stored.<p><b>Enabled</b>: Specify the number of previous PINs that can be associated to a user account that can&#39;t be reused.<p><b>Disabled</b>: Previous PINs aren't stored.<div class="alert"><b>Note</b>  Current PIN is included in PIN history.</div>|
|Require special characters|Computer|<p><b>Not configured</b>: Windows allows, but does not require, special characters in the PIN.<p><b>Enabled</b>: Windows requires the user to include at least one special character in their PIN.<p><b>Disabled</b>: Windows does not allow the user to include special characters in their PIN.| |Require special characters|Computer|<p><b>Not configured</b>: Windows allows, but doesn't require, special characters in the PIN.<p><b>Enabled</b>: Windows requires the user to include at least one special character in their PIN.<p><b>Disabled</b>: Windows doesn't allow the user to include special characters in their PIN.|
|Require uppercase letters|Computer|<p><b>Not configured</b>: Users cannot include an uppercase letter in their PIN.<p><b>Enabled</b>: Users must include at least one uppercase letter in their PIN.<p><b>Disabled</b>: Users cannot include an uppercase letter in their PIN.| |Require uppercase letters|Computer|<p><b>Not configured</b>: Users can't include an uppercase letter in their PIN.<p><b>Enabled</b>: Users must include at least one uppercase letter in their PIN.<p><b>Disabled</b>: Users can't include an uppercase letter in their PIN.|
### Phone Sign-in ### Phone Sign-in
@ -60,30 +60,30 @@ The following table lists the MDM policy settings that you can configure for Win
|Policy|Scope|Default|Options| |Policy|Scope|Default|Options|
|--- |--- |--- |--- | |--- |--- |--- |--- |
|UsePassportForWork|Device or user|True|<p>True: Windows Hello for Business will be provisioned for all users on the device.<p>False: Users will not be able to provision Windows Hello for Business. <div class="alert"> **Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices</div>| |UsePassportForWork|Device or user|True|<p>True: Windows Hello for Business will be provisioned for all users on the device.<p>False: Users won't be able to provision Windows Hello for Business. <div class="alert"> **Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but won't be able to set up Windows Hello for Business on other devices</div>|
|RequireSecurityDevice|Device or user|False|<p>True: Windows Hello for Business will only be provisioned using TPM.<p>False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.| |RequireSecurityDevice|Device or user|False|<p>True: Windows Hello for Business will only be provisioned using TPM.<p>False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
|ExcludeSecurityDevice<p>TPM12|Device|False|Added in Windows 10, version 1703<p>True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.<p>False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.| |ExcludeSecurityDevice<p>TPM12|Device|False|Added in Windows 10, version 1703<p>True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.<p>False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.|
|EnablePinRecovery|Device or use|False|<p>Added in Windows 10, version 1703<p>True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.<p>False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).| |EnablePinRecovery|Device or use|False|<p>Added in Windows 10, version 1703<p>True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.<p>False: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
### Biometrics ### Biometrics
|Policy|Scope|Default|Options| |Policy|Scope|Default|Options|
|--- |--- |--- |--- | |--- |--- |--- |--- |
|UseBiometrics|Device |False|<p>True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.<p>False: Only a PIN can be used as a gesture for domain sign-in.| |UseBiometrics|Device |False|<p>True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.<p>False: Only a PIN can be used as a gesture for domain sign-in.|
|<p>FacialFeaturesUser<p>EnhancedAntiSpoofing|Device|Not configured|<p>Not configured: users can choose whether to turn on enhanced anti-spoofing.<p>True: Enhanced anti-spoofing is required on devices which support it.<p>False: Users cannot turn on enhanced anti-spoofing.| |<p>FacialFeaturesUser<p>EnhancedAntiSpoofing|Device|Not configured|<p>Not configured: users can choose whether to turn on enhanced anti-spoofing.<p>True: Enhanced anti-spoofing is required on devices which support it.<p>False: Users can't turn on enhanced anti-spoofing.|
### PINComplexity ### PINComplexity
|Policy|Scope|Default|Options| |Policy|Scope|Default|Options|
|--- |--- |--- |--- | |--- |--- |--- |--- |
|Digits |Device or user|1 |<p>0: Digits are allowed. <p>1: At least one digit is required.<p>2: Digits are not allowed.| |Digits |Device or user|1 |<p>0: Digits are allowed. <p>1: At least one digit is required.<p>2: Digits aren't allowed.|
|Lowercase letters |Device or user|2|<p>0: Lowercase letters are allowed. <p>1: At least one lowercase letter is required.<p>2: Lowercase letters are not allowed.| |Lowercase letters |Device or user|2|<p>0: Lowercase letters are allowed. <p>1: At least one lowercase letter is required.<p>2: Lowercase letters aren't allowed.|
|Special characters|Device or user|2|<p>0: Special characters are allowed. <p>1: At least one special character is required. <p>2: Special characters are not allowed.| |Special characters|Device or user|2|<p>0: Special characters are allowed. <p>1: At least one special character is required. <p>2: Special characters aren't allowed.|
|Uppercase letters|Device or user|2|<p>0: Uppercase letters are allowed. <p>1: At least one uppercase letter is required.<p>2: Uppercase letters are not allowed.| |Uppercase letters|Device or user|2|<p>0: Uppercase letters are allowed. <p>1: At least one uppercase letter is required.<p>2: Uppercase letters aren't allowed.|
|Maximum PIN length |Device or user|127 |<p>Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.| |Maximum PIN length |Device or user|127 |<p>Maximum length that can be set is 127. Maximum length can't be less than minimum setting.|
|Minimum PIN length|Device or user|6|<p>Minimum length that can be set is 6. Minimum length cannot be greater than maximum setting.| |Minimum PIN length|Device or user|6|<p>Minimum length that can be set is 6. Minimum length can't be greater than maximum setting.|
|Expiration |Device or user|0|<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.| |Expiration |Device or user|0|<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.|
|History|Device or user|0|<p>Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.| |History|Device or user|0|<p>Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required.|
### Remote ### Remote

2
windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
View File

@ -1,5 +1,5 @@
--- ---
title: Prepare people to use Windows Hello (Windows) title: Prepare people to use Windows Hello
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
ms.date: 08/19/2018 ms.date: 08/19/2018
ms.topic: article ms.topic: article

2
windows/security/identity-protection/remote-credential-guard.md
View File

@ -1,5 +1,5 @@
--- ---
title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device. description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
ms.collection: ms.collection:
- highpri - highpri

2
windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
View File

@ -1,6 +1,6 @@
--- ---
ms.date: 09/24/2021 ms.date: 09/24/2021
title: Smart Card and Remote Desktop Services (Windows) title: Smart Card and Remote Desktop Services
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
ms.topic: article ms.topic: article
ms.reviewer: ardenw ms.reviewer: ardenw

2
windows/security/identity-protection/smart-cards/smart-card-architecture.md
View File

@ -1,5 +1,5 @@
--- ---
title: Smart Card Architecture (Windows) title: Smart Card Architecture
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.reviewer: ardenw ms.reviewer: ardenw
ms.topic: article ms.topic: article

2
windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
View File

@ -1,5 +1,5 @@
--- ---
title: Certificate Propagation Service (Windows) title: Certificate Propagation Service
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.reviewer: ardenw ms.reviewer: ardenw
ms.topic: article ms.topic: article

2
windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
View File

@ -1,5 +1,5 @@
--- ---
title: Certificate Requirements and Enumeration (Windows) title: Certificate Requirements and Enumeration
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.reviewer: ardenw ms.reviewer: ardenw
ms.topic: article ms.topic: article

2
windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
View File

@ -1,5 +1,5 @@
--- ---
title: Smart Card Troubleshooting (Windows) title: Smart Card Troubleshooting
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
ms.reviewer: ardenw ms.reviewer: ardenw
ms.collection: ms.collection:

2
windows/security/identity-protection/smart-cards/smart-card-events.md
View File

@ -1,5 +1,5 @@
--- ---
title: Smart Card Events (Windows) title: Smart Card Events
description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
ms.reviewer: ardenw ms.reviewer: ardenw
ms.topic: article ms.topic: article

2
windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
View File

@ -1,5 +1,5 @@
--- ---
title: Smart Card Group Policy and Registry Settings (Windows) title: Smart Card Group Policy and Registry Settings
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.reviewer: ardenw ms.reviewer: ardenw
ms.topic: article ms.topic: article

2
windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
View File

@ -1,5 +1,5 @@
--- ---
title: Smart Card Removal Policy Service (Windows) title: Smart Card Removal Policy Service
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.reviewer: ardenw ms.reviewer: ardenw
ms.topic: article ms.topic: article

2
windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
View File

@ -1,5 +1,5 @@
--- ---
title: Smart Cards for Windows Service (Windows) title: Smart Cards for Windows Service
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.reviewer: ardenw ms.reviewer: ardenw
ms.topic: article ms.topic: article

2
windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
View File

@ -1,5 +1,5 @@
--- ---
title: Smart Card Tools and Settings (Windows) title: Smart Card Tools and Settings
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events. description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.reviewer: ardenw ms.reviewer: ardenw
ms.topic: article ms.topic: article

2
windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
View File

@ -1,5 +1,5 @@
--- ---
title: Smart Card Technical Reference (Windows) title: Smart Card Technical Reference
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows. description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.reviewer: ardenw ms.reviewer: ardenw
ms.topic: article ms.topic: article

2
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
View File

@ -1,5 +1,5 @@
--- ---
title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10) title: Get Started with Virtual Smart Cards - Walkthrough Guide
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards. description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
ms.topic: conceptual ms.topic: conceptual
ms.date: 02/22/2023 ms.date: 02/22/2023

2
windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
View File

@ -1,5 +1,5 @@
--- ---
title: BCD settings and BitLocker (Windows 10) title: BCD settings and BitLocker
description: This article for IT professionals describes the BCD settings that are used by BitLocker. description: This article for IT professionals describes the BCD settings that are used by BitLocker.
ms.reviewer: ms.reviewer:
ms.prod: windows-client ms.prod: windows-client

2
windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
View File

@ -1,5 +1,5 @@
--- ---
title: BitLocker Countermeasures (Windows 10) title: BitLocker Countermeasures
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key. description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key.
ms.reviewer: ms.reviewer:
ms.prod: windows-client ms.prod: windows-client

2
windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
View File

@ -1,5 +1,5 @@
--- ---
title: BitLocker deployment comparison (Windows 10) title: BitLocker deployment comparison
description: This article shows the BitLocker deployment comparison chart. description: This article shows the BitLocker deployment comparison chart.
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium

2
windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
View File

@ -1,5 +1,5 @@
--- ---
title: BitLocker Group Policy settings (Windows 10) title: BitLocker Group Policy settings
description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
ms.reviewer: ms.reviewer:
ms.prod: windows-client ms.prod: windows-client

2
windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
View File

@ -1,5 +1,5 @@
--- ---
title: BitLocker - How to enable Network Unlock (Windows 10) title: BitLocker - How to enable Network Unlock
description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it. description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
ms.reviewer: ms.reviewer:
ms.prod: windows-client ms.prod: windows-client

2
windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
View File

@ -1,5 +1,5 @@
--- ---
title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10) title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker
description: This article for the IT professional describes how to use tools to manage BitLocker. description: This article for the IT professional describes how to use tools to manage BitLocker.
ms.reviewer: ms.reviewer:
ms.prod: windows-client ms.prod: windows-client

2
windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
View File

@ -1,5 +1,5 @@
--- ---
title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10) title: BitLocker Use BitLocker Recovery Password Viewer
description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer. description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer.
ms.reviewer: ms.reviewer:
ms.prod: windows-client ms.prod: windows-client

2
windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
View File

@ -1,5 +1,5 @@
--- ---
title: Prepare the organization for BitLocker Planning and policies (Windows 10) title: Prepare the organization for BitLocker Planning and policies
description: This article for the IT professional explains how can to plan for a BitLocker deployment. description: This article for the IT professional explains how can to plan for a BitLocker deployment.
ms.reviewer: ms.reviewer:
ms.prod: windows-client ms.prod: windows-client

2
windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
View File

@ -1,5 +1,5 @@
--- ---
title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10) title: Protecting cluster shared volumes and storage area networks with BitLocker
description: This article for IT pros describes how to protect CSVs and SANs with BitLocker. description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
ms.reviewer: ms.reviewer:
ms.prod: windows-client ms.prod: windows-client

2
windows/security/information-protection/encrypted-hard-drive.md
View File

@ -1,5 +1,5 @@
--- ---
title: Encrypted Hard Drive (Windows) title: Encrypted Hard Drive
description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz

2
windows/security/information-protection/tpm/change-the-tpm-owner-password.md
View File

@ -1,5 +1,5 @@
--- ---
title: Change the TPM owner password (Windows) title: Change the TPM owner password
description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
ms.prod: windows-client ms.prod: windows-client
author: paolomatarazzo author: paolomatarazzo

2
windows/security/information-protection/tpm/manage-tpm-commands.md
View File

@ -1,5 +1,5 @@
--- ---
title: Manage TPM commands (Windows) title: Manage TPM commands
description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
ms.prod: windows-client ms.prod: windows-client
author: paolomatarazzo author: paolomatarazzo

2
windows/security/information-protection/tpm/manage-tpm-lockout.md
View File

@ -1,5 +1,5 @@
--- ---
title: Manage TPM lockout (Windows) title: Manage TPM lockout
description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
ms.prod: windows-client ms.prod: windows-client
author: paolomatarazzo author: paolomatarazzo

2
windows/security/information-protection/tpm/tpm-recommendations.md
View File

@ -1,5 +1,5 @@
--- ---
title: TPM recommendations (Windows) title: TPM recommendations
description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
ms.prod: windows-client ms.prod: windows-client
author: paolomatarazzo author: paolomatarazzo

2
windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
View File

@ -1,5 +1,5 @@
--- ---
title: TPM Group Policy settings (Windows) title: TPM Group Policy settings
description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
ms.prod: windows-client ms.prod: windows-client
author: paolomatarazzo author: paolomatarazzo

2
windows/security/information-protection/tpm/trusted-platform-module-top-node.md
View File

@ -1,5 +1,5 @@
--- ---
title: Trusted Platform Module (Windows) title: Trusted Platform Module
description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.prod: windows-client ms.prod: windows-client
author: paolomatarazzo author: paolomatarazzo

2
windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
View File

@ -1,5 +1,5 @@
--- ---
title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows 10) title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium

2
windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
View File

@ -1,5 +1,5 @@
--- ---
title: How to collect Windows Information Protection (WIP) audit event logs (Windows 10) title: How to collect Windows Information Protection (WIP) audit event logs
description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding. description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding.
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium

2
windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
View File

@ -1,5 +1,5 @@
--- ---
title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune (Windows 10) title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune
description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium

2
windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
View File

@ -1,5 +1,5 @@
--- ---
title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune (Windows 10) title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
description: After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. description: After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium

2
windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
View File

@ -1,5 +1,5 @@
--- ---
title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10) title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them. description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them.
ms.reviewer: ms.reviewer:
ms.prod: windows-client ms.prod: windows-client

2
windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
View File

@ -1,5 +1,5 @@
--- ---
title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10) title: General guidance and best practices for Windows Information Protection (WIP)
description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart. description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart.
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium

2
windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
View File

@ -1,5 +1,5 @@
--- ---
title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10) title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise. description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise.
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium

2
windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
View File

@ -1,5 +1,5 @@
--- ---
title: Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager (Windows 10) title: Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager
description: Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. description: Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium

2
windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
View File

@ -1,5 +1,5 @@
--- ---
title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10) title: Create a Windows Information Protection (WIP) policy using Microsoft Intune
description: Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy. description: Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy.
ms.reviewer: ms.reviewer:
ms.prod: windows-client ms.prod: windows-client

2
windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
View File

@ -1,5 +1,5 @@
--- ---
title: Recommended URLs for Windows Information Protection (Windows 10) title: Recommended URLs for Windows Information Protection
description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium

2
windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
View File

@ -1,5 +1,5 @@
--- ---
title: Testing scenarios for Windows Information Protection (WIP) (Windows 10) title: Testing scenarios for Windows Information Protection (WIP)
description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
ms.reviewer: ms.reviewer:
ms.prod: windows-client ms.prod: windows-client

2
windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
View File

@ -1,5 +1,5 @@
--- ---
title: Using Outlook on the web with WIP (Windows 10) title: Using Outlook on the web with WIP
description: Options for using Outlook on the web with Windows Information Protection (WIP). description: Options for using Outlook on the web with Windows Information Protection (WIP).
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium

2
windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
View File

@ -1,5 +1,5 @@
--- ---
title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10) title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium

2
windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
View File

@ -1,5 +1,5 @@
--- ---
title: VPN authentication options (Windows 10 and Windows 11) title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.date: 09/23/2021 ms.date: 09/23/2021
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
View File

@ -1,5 +1,5 @@
--- ---
title: VPN profile options (Windows 10 and Windows 11) title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
ms.date: 05/17/2018 ms.date: 05/17/2018
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
View File

@ -1,5 +1,5 @@
--- ---
title: Add Production Devices to the Membership Group for a Zone (Windows) title: Add Production Devices to the Membership Group for a Zone
description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group. description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
View File

@ -1,5 +1,5 @@
--- ---
title: Add Test Devices to the Membership Group for a Zone (Windows) title: Add Test Devices to the Membership Group for a Zone
description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected. description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
View File

@ -1,5 +1,5 @@
--- ---
title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows) title: Appendix A Sample GPO Template Files for Settings Used in this Guide
description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO). description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO).
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md
View File

@ -1,5 +1,5 @@
--- ---
title: Assign Security Group Filters to the GPO (Windows) title: Assign Security Group Filters to the GPO
description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers. description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers.
ms.prod: windows-client ms.prod: windows-client
ms.collection: ms.collection:

2
windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md
View File

@ -1,5 +1,5 @@
--- ---
title: Basic Firewall Policy Design (Windows) title: Basic Firewall Policy Design
description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design. description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/boundary-zone-gpos.md
View File

@ -1,5 +1,5 @@
--- ---
title: Boundary Zone GPOs (Windows) title: Boundary Zone GPOs
description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security. description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/boundary-zone.md
View File

@ -1,5 +1,5 @@
--- ---
title: Boundary Zone (Windows) title: Boundary Zone
description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security. description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md
View File

@ -1,5 +1,5 @@
--- ---
title: Certificate-based Isolation Policy Design Example (Windows) title: Certificate-based Isolation Policy Design Example
description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security. description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md
View File

@ -1,5 +1,5 @@
--- ---
title: Certificate-based Isolation Policy Design (Windows) title: Certificate-based Isolation Policy Design
description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design. description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md
View File

@ -1,5 +1,5 @@
--- ---
title: Change Rules from Request to Require Mode (Windows) title: Change Rules from Request to Require Mode
description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices. description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md
View File

@ -1,5 +1,5 @@
--- ---
title: Checklist Configuring Basic Firewall Settings (Windows) title: Checklist Configuring Basic Firewall Settings
description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall. description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
View File

@ -1,5 +1,5 @@
--- ---
title: Checklist Configuring Rules for an Isolated Server Zone (Windows) title: Checklist Configuring Rules for an Isolated Server Zone
description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain. description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
View File

@ -1,5 +1,5 @@
--- ---
title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows) title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
View File

@ -1,5 +1,5 @@
--- ---
title: Checklist Configuring Rules for the Boundary Zone (Windows) title: Checklist Configuring Rules for the Boundary Zone
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
View File

@ -1,5 +1,5 @@
--- ---
title: Checklist Configuring Rules for the Encryption Zone (Windows) title: Checklist Configuring Rules for the Encryption Zone
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
View File

@ -1,5 +1,5 @@
--- ---
title: Checklist Configuring Rules for the Isolated Domain (Windows) title: Checklist Configuring Rules for the Isolated Domain
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md
View File

@ -1,5 +1,5 @@
--- ---
title: Checklist Creating Group Policy Objects (Windows) title: Checklist Creating Group Policy Objects
description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS. description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md
View File

@ -1,5 +1,5 @@
--- ---
title: Checklist Creating Inbound Firewall Rules (Windows) title: Checklist Creating Inbound Firewall Rules
description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md
View File

@ -1,5 +1,5 @@
--- ---
title: Checklist Creating Outbound Firewall Rules (Windows) title: Checklist Creating Outbound Firewall Rules
description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
View File

@ -1,5 +1,5 @@
--- ---
title: Create Rules for Standalone Isolated Server Zone Clients (Windows) title: Create Rules for Standalone Isolated Server Zone Clients
description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
View File

@ -1,5 +1,5 @@
--- ---
title: Checklist Implementing a Basic Firewall Policy Design (Windows) title: Checklist Implementing a Basic Firewall Policy Design
description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation. description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
View File

@ -1,5 +1,5 @@
--- ---
title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows) title: Checklist Implementing a Certificate-based Isolation Policy Design
description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design. description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
View File

@ -1,5 +1,5 @@
--- ---
title: Checklist Implementing a Domain Isolation Policy Design (Windows) title: Checklist Implementing a Domain Isolation Policy Design
description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design. description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
View File

@ -1,5 +1,5 @@
--- ---
title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows) title: Checklist Implementing a Standalone Server Isolation Policy Design
description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists. description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md
View File

@ -1,5 +1,5 @@
--- ---
title: Configure Authentication Methods (Windows) title: Configure Authentication Methods
description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security. description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md
View File

@ -1,5 +1,5 @@
--- ---
title: Configure Data Protection (Quick Mode) Settings (Windows) title: Configure Data Protection (Quick Mode) Settings
description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone. description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
View File

@ -1,5 +1,5 @@
--- ---
title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows) title: Configure Group Policy to Autoenroll and Deploy Certificates
description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md
View File

@ -1,5 +1,5 @@
--- ---
title: Configure Key Exchange (Main Mode) Settings (Windows) title: Configure Key Exchange (Main Mode) Settings
description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security. description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md
View File

@ -1,5 +1,5 @@
--- ---
title: Configure the Rules to Require Encryption (Windows) title: Configure the Rules to Require Encryption
description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that don't use encryption for zones that require encryption. description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that don't use encryption for zones that require encryption.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md
View File

@ -1,5 +1,5 @@
--- ---
title: Configure the Windows Defender Firewall Log (Windows) title: Configure the Windows Defender Firewall Log
description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC. description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md
View File

@ -1,5 +1,5 @@
--- ---
title: Configure the Workstation Authentication Template (Windows) title: Configure the Workstation Authentication Template
description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations. description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations.
ms.prod: windows-client ms.prod: windows-client
ms.date: 09/07/2021 ms.date: 09/07/2021

2
windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
View File

@ -1,5 +1,5 @@
--- ---
title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows) title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked
description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Blocked description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Blocked
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
View File

@ -1,5 +1,5 @@
--- ---
title: Confirm That Certificates Are Deployed Correctly (Windows) title: Confirm That Certificates Are Deployed Correctly
description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations. description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
View File

@ -1,5 +1,5 @@
--- ---
title: Copy a GPO to Create a New GPO (Windows) title: Copy a GPO to Create a New GPO
description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices. description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/create-a-group-account-in-active-directory.md
View File

@ -1,5 +1,5 @@
--- ---
title: Create a Group Account in Active Directory (Windows) title: Create a Group Account in Active Directory
description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console. description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md
View File

@ -1,5 +1,5 @@
--- ---
title: Create a Group Policy Object (Windows) title: Create a Group Policy Object
description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group. description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group.
ms.prod: windows-client ms.prod: windows-client
ms.collection: ms.collection:

2
windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-exemption-list-rule.md
View File

@ -1,5 +1,5 @@
--- ---
title: Create an Authentication Exemption List Rule (Windows) title: Create an Authentication Exemption List Rule
description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies. description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-request-rule.md
View File

@ -1,5 +1,5 @@
--- ---
title: Create an Authentication Request Rule (Windows) title: Create an Authentication Request Rule
description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate. description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md
View File

@ -1,5 +1,5 @@
--- ---
title: Create an Inbound ICMP Rule (Windows) title: Create an Inbound ICMP Rule
description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

2
windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md
View File

@ -1,5 +1,5 @@
--- ---
title: Create an Inbound Port Rule (Windows) title: Create an Inbound Port Rule
description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.prod: windows-client ms.prod: windows-client
ms.collection: ms.collection:

2
windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-program-or-service-rule.md
View File

@ -1,5 +1,5 @@
--- ---
title: Create an Inbound Program or Service Rule (Windows) title: Create an Inbound Program or Service Rule
description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules. description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules.
ms.prod: windows-client ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual

Some files were not shown because too many files have changed in this diff Show More