diff --git a/includes/configure/gpo-settings-1.md b/includes/configure/gpo-settings-1.md index 2859223cc7..8f3cdce242 100644 --- a/includes/configure/gpo-settings-1.md +++ b/includes/configure/gpo-settings-1.md @@ -1,6 +1,9 @@ --- -ms.date: 06/21/2023 +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 ms.topic: include +ms.prod: windows-client --- To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the settings located under \ No newline at end of file diff --git a/includes/configure/gpo-settings-2.md b/includes/configure/gpo-settings-2.md index cc0cad6c72..bf8ee52309 100644 --- a/includes/configure/gpo-settings-2.md +++ b/includes/configure/gpo-settings-2.md @@ -1,6 +1,9 @@ --- -ms.date: 11/08/2022 +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 ms.topic: include +ms.prod: windows-client --- The policy settings can be configured locally by using the Local Group Policy Editor (`gpedit.msc`), linked to the domain or organizational units, and filtered to security groups. \ No newline at end of file diff --git a/includes/configure/intune-custom-settings-1.md b/includes/configure/intune-custom-settings-1.md index d911751e75..60125a46d1 100644 --- a/includes/configure/intune-custom-settings-1.md +++ b/includes/configure/intune-custom-settings-1.md @@ -1,6 +1,9 @@ --- -ms.date: 02/22/2022 +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 ms.topic: include +ms.prod: windows-client --- To configure devices with Microsoft Intune, use a custom policy: diff --git a/includes/configure/intune-custom-settings-2.md b/includes/configure/intune-custom-settings-2.md index 1a601acaa7..03977b7a0d 100644 --- a/includes/configure/intune-custom-settings-2.md +++ b/includes/configure/intune-custom-settings-2.md @@ -1,6 +1,9 @@ --- -ms.date: 11/08/2022 +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 ms.topic: include +ms.prod: windows-client --- 7. Select **Next** diff --git a/includes/configure/intune-custom-settings-info.md b/includes/configure/intune-custom-settings-info.md index 8ff9da4294..8f406cf058 100644 --- a/includes/configure/intune-custom-settings-info.md +++ b/includes/configure/intune-custom-settings-info.md @@ -1,6 +1,9 @@ --- -ms.date: 11/08/2022 +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 ms.topic: include +ms.prod: windows-client --- For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10). \ No newline at end of file diff --git a/includes/configure/intune-settings-catalog-1.md b/includes/configure/intune-settings-catalog-1.md index 713555d40b..9aae47a0fa 100644 --- a/includes/configure/intune-settings-catalog-1.md +++ b/includes/configure/intune-settings-catalog-1.md @@ -1,6 +1,9 @@ --- -ms.date: 06/21/2023 +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 ms.topic: include +ms.prod: windows-client --- To configure devices using Microsoft Intune, [create a *Settings catalog policy*](/mem/intune/configuration/settings-catalog) and use the following settings: \ No newline at end of file diff --git a/includes/configure/intune-settings-catalog-2.md b/includes/configure/intune-settings-catalog-2.md index ebd6a2e1ef..287d5ebbf1 100644 --- a/includes/configure/intune-settings-catalog-2.md +++ b/includes/configure/intune-settings-catalog-2.md @@ -1,6 +1,9 @@ --- -ms.date: 11/08/2022 +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 ms.topic: include +ms.prod: windows-client --- Assign the policy to a group that contains as members the devices or users that you want to configure. \ No newline at end of file diff --git a/includes/configure/tab-intro.md b/includes/configure/tab-intro.md index e195a9281a..a818e4df8b 100644 --- a/includes/configure/tab-intro.md +++ b/includes/configure/tab-intro.md @@ -1,6 +1,9 @@ --- -ms.date: 02/22/2022 +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 ms.topic: include +ms.prod: windows-client --- The following instructions provide details how to configure your devices. Select the option that best suits your needs. \ No newline at end of file diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md index 7bc080da18..a5798f2f02 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md @@ -2,7 +2,7 @@ title: Understand Windows Defender Application Control (WDAC) policy rules and file rules description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers. ms.localizationpriority: medium -ms.date: 06/07/2023 +ms.date: 08/11/2023 ms.topic: article --- @@ -127,7 +127,7 @@ Filepath rules don't provide the same security guarantees that explicit signer r ### User-writable filepaths -By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath and its parent directories (recursively) don't allow standard users write access. +By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath only allow write access for admin users. There's a defined list of SIDs that WDAC recognizes as admins. If a filepath allows write permissions for any SID not in this list, the filepath is considered to be user-writeable, even if the SID is associated to a custom admin user. To handle these special cases, you can override WDAC's runtime admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option described earlier. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index b7b8a64228..7882589fd0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -22,7 +22,7 @@ If you're a customer of *Azure US Government* cloud, PIN reset also attempts to ### Resolve PIN Reset allowed domains issue -To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [PIN Reset - Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices](hello-feature-pin-reset.md#configure-web-sign-in-allowed-urls-for-third-party-identity-providers-on-azure-ad-joined-devices). +To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [Configure allowed URLs for federated identity providers on Azure AD joined devices](hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-azure-ad-joined-devices). ## Hybrid key trust sign in broken due to user public key deletion diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index e2c5e5c7c4..9f0e8d48ae 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -1,166 +1,117 @@ --- -title: Pin Reset -description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN. +title: PIN reset +description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN. ms.collection: - highpri - tier1 -ms.date: 07/03/2023 +ms.date: 08/15/2023 ms.topic: how-to --- # PIN reset -Windows Hello for Business provides the capability for users to reset forgotten PINs using the *I forgot my PIN* link from the Sign-in options page in *Settings* or from the Windows lock screen. Users are required to authenticate and complete multi-factor authentication to reset their PIN. +This article describes how *Microsoft PIN reset service* enables your users to recover a forgotten Windows Hello for Business PIN. -There are two forms of PIN reset: +## Overview -- **Destructive PIN reset**: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new login key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration. -- **Non-destructive PIN reset**: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the **Microsoft PIN Reset Service** and configure your clients' policy to enable the **PIN Recovery** feature. -## Using PIN reset +Windows Hello for Business provides the capability for users to reset forgotten PINs. There are two forms of PIN reset: -There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. +- *Destructive PIN reset*: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new sign in key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration +- *Non-destructive PIN reset*: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the *Microsoft PIN reset service* and configure your clients' policy to enable the *PIN recovery* feature -Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider. - ->[!IMPORTANT] ->For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. - -### Reset PIN from Settings - -1. Sign-in to Windows 10 using an alternate credential. -1. Open **Settings**, select **Accounts** > **Sign-in options**. -1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions. - -### Reset PIN above the Lock Screen - -For Azure AD-joined devices: - -1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon. -1. Select **I forgot my PIN** from the PIN credential provider. -1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (like Password, PIN, Security key). -1. Follow the instructions provided by the provisioning process. -1. When finished, unlock your desktop using your newly created PIN. - -For Hybrid Azure AD-joined devices: - -1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon. -1. Select **I forgot my PIN** from the PIN credential provider. -1. Enter your password and press enter. -1. Follow the instructions provided by the provisioning process. -1. When finished, unlock your desktop using your newly created PIN. - -> [!NOTE] -> Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work. - -You may find that PIN reset from settings only works post login. Also, the lock screen PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations). - -## Non-Destructive PIN reset +## How non-destructive PIN reset works **Requirements:** -- Azure Active Directory -- Windows Enterprise and Pro editions. There's no licensing requirement for this feature. -- Hybrid Windows Hello for Business deployment -- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined +- Hybrid or cloud-only Windows Hello for Business deployments +- Windows Enterprise, Education and Pro editions. There's no licensing requirement for this feature -When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory. +When non-destructive PIN reset is enabled on a client, a *256-bit AES* key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the *PIN reset protector*. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory. -Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the **Microsoft PIN Reset Service** which enables users to reset their forgotten PIN without requiring re-enrollment. +Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the Microsoft PIN reset service, which enables users to reset their forgotten PIN without requiring re-enrollment. ->[!IMPORTANT] -> The Microsoft PIN Reset service is not currently available in Azure Government. +The following table compares destructive and non-destructive PIN reset: -### Summary - -|Category|Destructive PIN Reset|Non-Destructive PIN Reset| +|Category|Destructive PIN reset|Non-Destructive PIN reset| |--- |--- |--- | -|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| -|**Windows editions and versions**| Windows Enterprise and Pro editions.| +|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new sign in key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| |**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust| -|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| -|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.| -|**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.| +|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this option from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| +|**On Premises**|If AD FS is used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for hybrid Azure AD joined and Azure AD Joined devices.| +|**Additional configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature.| |**MSA/Enterprise**|MSA and Enterprise|Enterprise only.| -### Onboarding the Microsoft PIN reset service to your Intune tenant +## Enable the Microsoft PIN Reset Service in your Azure AD tenant -> The **Microsoft PIN Reset Service** is not currently available in Azure Government. +Before you can use non-destructive PIN reset, you must register two applications in your Azure Active Directory tenant: -### Enable the Microsoft PIN Reset Service in your Azure AD tenant +- Microsoft Pin Reset Service Production +- Microsoft Pin Reset Client Production -Before you can remotely reset PINs, you must register two applications in your Azure Active Directory tenant: +To register the applications, follow these steps: -- PIN Reset Service -- PIN Reset Client +:::row::: + :::column span="3"::: + 1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in using a *Global Administrator* account you use to manage your Azure Active Directory tenant. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization + :::column-end::: + :::column span="1"::: + :::image type="content" alt-text="Screenshot showing the PIN reset service permissions page." source="images/pinreset/pin-reset-service-prompt.png" lightbox="images/pinreset/pin-reset-service-prompt.png" border="true"::: + :::column-end::: +:::row-end::: +:::row::: + :::column span="3"::: + 2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign in using a *Global Administrator* account you use to manage your Azure Active Directory tenant. Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**. + :::column-end::: + :::column span="1"::: + :::image type="content" alt-text="Screenshot showing the PIN reset client permissions page." source="images/pinreset/pin-reset-client-prompt.png" lightbox="images/pinreset/pin-reset-client-prompt.png" border="true"::: + :::column-end::: +:::row-end::: +:::row::: + :::column span="3"::: + 3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization + :::column-end::: + :::column span="1"::: + :::image type="content" alt-text="Screenshot showing the PIN reset service permissions final page." source="images/pinreset/pin-reset-service-prompt-2.png" lightbox="images/pinreset/pin-reset-service-prompt-2.png" border="true"::: + :::column-end::: +:::row-end::: -#### Connect Azure Active Directory with the PIN Reset Service +### Confirm that the two PIN Reset service principals are registered in your tenant -1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant. -1. After you've logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization. - ![PIN reset service application in Azure.](images/pinreset/pin-reset-service-prompt.png) - -#### Connect Azure Active Directory with the PIN Reset Client - -1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant. -1. After you've logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization. - ![PIN reset client application in Azure.](images/pinreset/pin-reset-client-prompt.png) - -#### Confirm that the two PIN Reset service principals are registered in your tenant - -1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com). -1. Select **Azure Active Directory** > **Applications** > **Enterprise applications**. -1. Search by application name "Microsoft PIN" and both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** will show up in the list. +1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com) +1. Select **Azure Active Directory > Applications > Enterprise applications** +1. Search by application name "Microsoft PIN" and verify that both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** are in the list :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications-expanded.png"::: -### Enable PIN Recovery on your devices +## Enable PIN recovery on the clients -Before you can remotely reset PINs, your devices must be configured to enable PIN Recovery. Follow the instructions below to configure your devices using either Microsoft Intune, Group Policy Objects (GPO), or Configuration Service Providers (CSP). +To enable PIN recovery on the clients, you can use: + +- Microsoft Intune/MDM +- Group policy + +The following instructions provide details how to configure your devices. Select the option that best suits your needs. #### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) -You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune. +[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Configuration profiles** > **Create profile**. -1. Enter the following properties: - - **Platform**: Select **Windows 10 and later**. - - **Profile type**: Select **Settings catalog**. -1. Select **Create**. -1. In **Basics**, enter the following properties: - - **Name**: Enter a descriptive name for the profile. - - **Description**: Enter a description for the profile. This setting is optional, but recommended. -1. Select **Next**. -1. In **Configuration settings**, select **Add settings**. -1. In the settings picker, select **Windows Hello For Business** > **Enable Pin Recovery**. -1. Configure **Enable Pin Recovery** to **true**. -1. Select **Next**. -1. In **Scope tags**, assign any applicable tags (optional). -1. Select **Next**. -1. In **Assignments**, select the security groups that will receive the policy. -1. Select **Next**. -1. In **Review + create**, review your settings and select **Create**. +| Category | Setting name | Value | +|--|--|--| +| **Windows Hello For Business** | Enable Pin Recovery | True | + +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] >[!NOTE] > You can also configure PIN recovery from the **Endpoint security** blade: -> 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -> 1. Select **Endpoint security** > **Account protection** > **Create Policy**. +> +> 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +> 1. Select **Endpoint security > Account protection > Create Policy** -#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) +Alternatively, you can configure devices using a [custom policy][INT-1] with the [PassportForWork CSP][CSP-1]. -You can configure Windows devices to use the **Microsoft PIN Reset Service** using a Group Policy Object (GPO). - -1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. -1. Edit the Group Policy object from Step 1. -1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. -1. Close the Group Policy Management Editor to save the Group Policy object. - -#### [:::image type="icon" source="../../images/icons/windows-os.svg"::: **CSP**](#tab/CSP) - -You can configure Windows devices to use the **Microsoft PIN Reset Service** using the [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). - -- OMA-URI: `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery` -- Data type: **Boolean** -- Value: **True** +| OMA-URI |Data type| Value| +|-|-|-| +| `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`| Boolean | Tue | >[!NOTE] > You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:: @@ -169,6 +120,16 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi GET https://graph.microsoft.com/v1.0/organization?$select=id ``` +#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) + +[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**: + +| Group policy setting | Value | +| - | - | +| **Use PIN Recovery** | **Enabled** | + +[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)] + --- #### Confirm that PIN Recovery policy is enforced on the devices @@ -177,7 +138,7 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a **Sample User state Output for Destructive PIN Reset** -```console +```cmd +----------------------------------------------------------------------+ | User State | +----------------------------------------------------------------------+ @@ -196,7 +157,7 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a **Sample User state Output for Non-Destructive PIN Reset** -```console +```cmd +----------------------------------------------------------------------+ | User State | +----------------------------------------------------------------------+ @@ -213,49 +174,72 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a +----------------------------------------------------------------------+ ``` -## Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices +## Configure allowed URLs for federated identity providers on Azure AD joined devices -**Applies to:** +**Applies to:** Azure AD joined devices -- Azure AD joined devices +PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *We can't open that page right now*.\ +If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset. -The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then this policy should be set. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset. +[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] -### Configure Web Sign-in Allowed URLs using Microsoft Intune +| Category | Setting name | Value | +|--|--|--| +| **Authentication** | Configure Web Sign In Allowed Urls | Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**| -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. Select **Devices** > **Configuration profiles** > **Create profile** -1. Enter the following properties: - - **Platform**: Select **Windows 10 and later** - - **Profile type**: Select **Templates** - - In the list of templates that is loaded, select **Custom** > **Create** -1. In **Basics**, enter the following properties: - - **Name**: Enter a descriptive name for the profile - - **Description**: Enter a description for the profile. This setting is optional, but recommended -1. Select **Next** -1. In **Configuration settings**, select **Add** and enter the following settings: - - Name: **Web Sign In Allowed URLs** - - Description: **(Optional) List of domains that are allowed during PIN reset flows** - - OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` - - Data type: **String** - - Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com** - :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist-expanded.png"::: -1. Select **Save** > **Next** -1. In **Assignments**, select the security groups that will receive the policy -1. Select **Next** -1. In **Applicability Rules**, select **Next** -1. In **Review + create**, review your settings and select **Create** +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-2]. + +| Setting | +|--------| +|
  • OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`
  • Data type: String
  • Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**
    • | > [!NOTE] > For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy. -## Related articles +## Use PIN reset -- [Windows Hello for Business](hello-identity-verification.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) +Destructive and non-destructive PIN reset scenarios use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen with the *PIN credential provider*. Users must authenticate and complete multi-factor authentication to reset their PIN. After PIN reset is complete, users can sign in using their new PIN. + +>[!IMPORTANT] +>For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. + +### Reset PIN from Settings + +1. Sign-in to Windows 10 using an alternate credential +1. Open **Settings > Accounts > Sign-in options** +1. Select **PIN (Windows Hello) > I forgot my PIN** and follow the instructions + +### Reset PIN from the lock screen + +For Azure AD-joined devices: + +1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon +1. Select **I forgot my PIN** from the PIN credential provider +1. Select an authentication option from the list of presented options. This list is based on the different authentication methods enabled in your tenant (like Password, PIN, Security key) +1. Follow the instructions provided by the provisioning process +1. When finished, unlock your desktop using your newly created PIN + +:::image type="content" alt-text="Animation showing the PIN reset experience from the lock screen." source="images/pinreset/pin-reset.gif" border="false"::: + +For Hybrid Azure AD-joined devices: + +1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon +1. Select **I forgot my PIN** from the PIN credential provider +1. Enter your password and press enter +1. Follow the instructions provided by the provisioning process +1. When finished, unlock your desktop using your newly created PIN + +> [!NOTE] +> Key trust on hybrid Azure AD-joined devices doesn't support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work. + +You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen](/azure/active-directory/authentication/howto-sspr-windows#general-limitations). + + + +[CSP-1]: /windows/client-management/mdm/passportforwork-csp +[CSP-2]: /windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls +[INT-1]: /mem/intune/configuration/settings-catalog +[APP-1]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&redirect_uri=https%3A%2F%2Fcred.microsoft.com&prompt=admin_consent +[APP-2]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&prompt=admin_consent diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist-expanded.png b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist-expanded.png deleted file mode 100644 index df2fc5634a..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist-expanded.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png deleted file mode 100644 index 35eee9bc5e..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png index 2bfb558bbf..d5c3416a67 100644 Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt-2.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt-2.png new file mode 100644 index 0000000000..86d43fcb2c Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt-2.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png index 39f21df392..755c1b66e0 100644 Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif new file mode 100644 index 0000000000..2ef07cd63c Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif differ diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index d19b1a018c..ad2fc7674a 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -110,9 +110,9 @@ items: href: hello-and-password-changes.md - name: Windows Hello for Business features items: - - name: PIN Reset + - name: PIN reset href: hello-feature-pin-reset.md - - name: Dual Enrollment + - name: Dual enrollment href: hello-feature-dual-enrollment.md - name: Dynamic Lock href: hello-feature-dynamic-lock.md diff --git a/windows/security/index.yml b/windows/security/index.yml index 87f86555e8..f2bdfb4f6c 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -73,7 +73,7 @@ productDirectory: links: - url: /windows/security/identity-protection/hello-for-business text: Windows Hello for Business - - url: /windows/security/identity-protection/credential-guard/credentail-guard + - url: /windows/security/identity-protection/credential-guard/credential-guard text: Windows Defender Credential Guard - url: /windows-server/identity/laps/laps-overview text: Windows LAPS (Local Administrator Password Solution)