From 1c9d743be0a75793e8f1bf7ebdc79cd7f256ea0f Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 23 Jun 2023 12:50:22 -0400 Subject: [PATCH 1/7] [WHFB] new FAQ --- .../identity-protection/hello-for-business/hello-faq.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 08924b2594..a57be2a1ca 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -124,6 +124,15 @@ sections: - question: What is Event ID 300? answer: | This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required. + - question: What happens when an unauthorized user gains possession of a device enrolled with Windows Hello for Business? + answer: | + The unauthorized user won't be able to utilize any biometric options and will have the only option to enter a PIN. + + If the user attempts to unlock the device by entering random PINs, after three unsuccessful attempts the credential provider will display the following message: *You've entered an incorrect PIN several times. To try again, enter A1B2C3 below*. + Upon entering the challenge phrase "A1B2C3", the user will be granted one more opportunity to enter the PIN. If unsuccessful, the provider will be disabled, leaving the user with the sole option to reboot the device. Following the reboot, the aforementioned pattern repeats. + + If unsuccessful attempts continue, the device will enter a lockout state, lasting for 1 minute after the first reboot, 2 minutes after the fourth reboot, and 10 minutes after the fifth reboot. The duration of each lockout increases accordingly. This behavior is a result of the TPM 2.0 anti-hammering feature. + For more information about the TPM anti-hammering feature, [TPM 2.0 anti-hammering](/windows/security/information-protection/tpm/tpm-fundamentals#tpm-20-anti-hammering). - name: Design and planning questions: From 7b697c4ec52054aeedc6d59c6303421f44799097 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 23 Jun 2023 13:01:42 -0400 Subject: [PATCH 2/7] update --- .../identity-protection/hello-for-business/hello-faq.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index a57be2a1ca..d11607da2c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -128,11 +128,11 @@ sections: answer: | The unauthorized user won't be able to utilize any biometric options and will have the only option to enter a PIN. - If the user attempts to unlock the device by entering random PINs, after three unsuccessful attempts the credential provider will display the following message: *You've entered an incorrect PIN several times. To try again, enter A1B2C3 below*. - Upon entering the challenge phrase "A1B2C3", the user will be granted one more opportunity to enter the PIN. If unsuccessful, the provider will be disabled, leaving the user with the sole option to reboot the device. Following the reboot, the aforementioned pattern repeats. + If the user attempts to unlock the device by entering random PINs, after three unsuccessful attempts the credential provider will display the following message: **You've entered an incorrect PIN several times. To try again, enter A1B2C3 below**. + Upon entering the challenge phrase *A1B2C3*, the user will be granted one more opportunity to enter the PIN. If unsuccessful, the provider will be disabled, leaving the user with the only option to reboot the device. Following the reboot, the aforementioned pattern repeats. If unsuccessful attempts continue, the device will enter a lockout state, lasting for 1 minute after the first reboot, 2 minutes after the fourth reboot, and 10 minutes after the fifth reboot. The duration of each lockout increases accordingly. This behavior is a result of the TPM 2.0 anti-hammering feature. - For more information about the TPM anti-hammering feature, [TPM 2.0 anti-hammering](/windows/security/information-protection/tpm/tpm-fundamentals#tpm-20-anti-hammering). + For more information about the TPM anti-hammering feature, see [TPM 2.0 anti-hammering](/windows/security/information-protection/tpm/tpm-fundamentals#tpm-20-anti-hammering). - name: Design and planning questions: From d1328ad2d3bb2aaab80e94033658a248ac7b01b8 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 23 Jun 2023 13:04:49 -0400 Subject: [PATCH 3/7] minor change --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index d11607da2c..9bf4f44fca 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -124,7 +124,7 @@ sections: - question: What is Event ID 300? answer: | This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required. - - question: What happens when an unauthorized user gains possession of a device enrolled with Windows Hello for Business? + - question: What happens when an unauthorized user gains possession of a device enrolled in Windows Hello for Business? answer: | The unauthorized user won't be able to utilize any biometric options and will have the only option to enter a PIN. From 198edf0137d631940a85be1a948d7c2ba18060a1 Mon Sep 17 00:00:00 2001 From: Stacyrch140 <102548089+Stacyrch140@users.noreply.github.com> Date: Fri, 23 Jun 2023 13:55:17 -0400 Subject: [PATCH 4/7] pencil edits Lines 177, 187, 193, 228: multi-factor > multifactor (to adhere to MSFT Writing Style guidelines for "multifactor") --- .../identity-protection/hello-for-business/hello-faq.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 9bf4f44fca..cfcd88f924 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -174,7 +174,7 @@ sections: answer: | A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures. - If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. + If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. It's possible to Azure AD register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business. 
@@ -185,12 +185,12 @@ sections: - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients? answer: | No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD DS. - - question: Is Windows Hello for Business considered multi-factor authentication? + - question: Is Windows Hello for Business considered multifactor authentication? answer: | Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". > [!NOTE] - > The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim). + > The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim). - question: Which is a better or more secure for of authentication, key or certificate? 
answer: | Both types of authentication provide the same security; one is not more secure than the other. @@ -225,7 +225,7 @@ sections: Windows Hello for Business credentials need access to device state, which is not available in private browser mode or incognito mode. Hence it can't be used in private browser or Incognito mode. - question: Can I use both a PIN and biometrics to unlock my device? answer: | - You can use *multi-factor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md). + You can use *multifactor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md). - name: Cloud Kerberos trust questions: From cfbdfce2a7148d7d0f3b702f93f327612031672d Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 23 Jun 2023 11:55:53 -0700 Subject: [PATCH 5/7] Whats new, baseline config update --- .../whats-new/windows-autopatch-whats-new-2023.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 22682ba572..499ac59ec5 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md 
@@ -35,6 +35,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Message center post number | Description | | ----- | ----- | +| [MC602590](https://admin.microsoft.com/adminportal/home#/MessageCenter) | June 2023 Windows Autopatch baseline configuration update | | [MC591864](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Updated ticket categories to reduce how long it takes to resolve support requests | ## May 2023 From cf608b4b2f29e46032606284b87dc312f0432cf0 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 23 Jun 2023 12:17:57 -0700 Subject: [PATCH 6/7] Tiara, where is your brain? :poop: :brain: --- .../windows-autopatch-whats-new-2023.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 499ac59ec5..abe564662b 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -23,7 +23,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. ## June 2023 -### June feature release +### June feature releases or updates | Article | Description | | ----- | ----- | 
@@ -31,7 +31,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Updated [deadline link](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#behavior-during-updates) | | [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md) | Updated the [Update policies](../references/windows-autopatch-microsoft-365-policies.md#update-policies) section | -## June service release +## June service releases | Message center post number | Description | | ----- | ----- | @@ -40,7 +40,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. ## May 2023 -### May feature release +### May feature releases or updates | Article | Description | | ----- | ----- | @@ -68,7 +68,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) | Add new Policy health and remediation feature. This feature is in public preview | | [Windows Autopatch groups public preview addendum](../references/windows-autopatch-groups-public-preview-addendum.md) | Added addendum for the Windows Autopatch groups public preview | -## May service release +## May service releases | Message center post number | Description | | ----- | ----- | @@ -82,7 +82,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | ----- | ----- | | [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the [Deployment rings for Windows 10 and later](../references/windows-autopatch-changes-to-tenant.md#deployment-rings-for-windows-10-and-later) section | -### April service release +### April service releases | Message center post number | Description | | ----- | ----- | 
@@ -100,7 +100,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | | | [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview| -### March service release +### March service releases | Message center post number | Description | | ----- | ----- | @@ -124,7 +124,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] | | [Register your devices](../deploy/windows-autopatch-register-devices.md) | | -### February service release +### February service releases | Message center post number | Description | | ----- | ----- | @@ -143,7 +143,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | [Submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment | | [Submit a support request](../operate/windows-autopatch-support-request.md) | Added Premier and Unified support options section | -### January service release +### January service releases | Message center post number | Description | | ----- | ----- | From b239b9e6a16e0c068359200d73577a885382610f Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 23 Jun 2023 12:24:00 -0700 Subject: [PATCH 7/7] tweak --- .../whats-new/windows-autopatch-whats-new-2023.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index abe564662b..3b55ade168 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -31,7 +31,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Updated [deadline link](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#behavior-during-updates) | | [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md) | Updated the [Update policies](../references/windows-autopatch-microsoft-365-policies.md#update-policies) section | -## June service releases +### June service releases | Message center post number | Description | | ----- | ----- | @@ -68,7 +68,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) | Add new Policy health and remediation feature. This feature is in public preview | | [Windows Autopatch groups public preview addendum](../references/windows-autopatch-groups-public-preview-addendum.md) | Added addendum for the Windows Autopatch groups public preview | -## May service releases +### May service releases | Message center post number | Description | | ----- | ----- |
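Review bot: In PATCH 1/7, the lockout sequence in the new FAQ answer leaves a gap: it lists "1 minute after the first reboot, 2 minutes after the fourth reboot, and 10 minutes after the fifth reboot" and then says "the duration of each lockout increases accordingly", so a reader cannot tell what happens after the second and third reboots or whether the durations keep growing after the fifth. Either spell out the full progression or state plainly that the figures are illustrative and that the actual thresholds and durations are those of the TPM's lockout parameters, then point to the anti-hammering link for the authoritative values.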
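Review bot: In PATCH 2/7, the wording clean-up ("sole option" to "only option", bold for the UI message, italic for the challenge phrase) is fine, but the unchanged context line "will have the only option to enter a PIN" still reads awkwardly next to the edited sentence below it; suggest "the only remaining option is to enter a PIN" so the two sentences use the same phrasing.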
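Review bot: In PATCH 4/7, the hunk at @@ -185 touches the "Is Windows Hello for Business considered multifactor authentication?" entry but leaves two defects visible in its trailing context: the next question reads "Which is a better or more secure for of authentication" ("for" should be "form"), and the sentence ending in "the "something you know factor"" has the closing quote after "factor" instead of after "know". Since the file is being edited for style anyway, fix both in the same change.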
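Review bot: In PATCH 6/7, the renames leave the heading levels inconsistent: "## June service releases" and "## May service releases" stay at H2 while "### April service releases" and the earlier months are H3, so the June and May entries would render as sibling sections of the month headings rather than subsections. PATCH 7/7 corrects exactly these two lines to "###", so the series is consistent once squashed; if the commits are kept separate, fold that fix into 6/7 so no intermediate commit renders the wrong outline.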