feature rename

windows/security/identity-protection/passwordless-experience/images/key-credential-provider.svg

@@ -0,0 +1,11 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M1.81653 0H18.1835C19.1859 0 20 0.814095 20 1.81653V18.1835C20 19.1859 19.1859 20 18.1835 20H1.81653C0.814095 20 0 19.1859 0 18.1835V1.81653C0 0.814095 0.814095 0 1.81653 0Z" fill="#605E5C"/>
+<g clip-path="url(#clip0_111_2097)">
+<path d="M11.027 8.93146C10.9795 9.21812 11.061 9.51843 11.2714 9.73002L14.4419 12.9174C14.5641 13.0403 14.6252 13.1973 14.6252 13.3679V14.4736C14.6252 14.5418 14.5709 14.6033 14.4962 14.6033H13.2267C13.1588 14.6033 13.0977 14.5487 13.0977 14.4736V13.7092C13.0977 13.3542 12.8125 13.0676 12.4595 13.0676H11.5702V12.1735C11.5702 11.8186 11.285 11.5319 10.932 11.5319H10.0426V11.1497C10.0426 11.02 9.98153 10.904 9.8729 10.8289C9.76428 10.7606 9.6285 10.747 9.51309 10.7948C9.19401 10.9313 8.84098 11.02 8.49474 11.02C7.08263 11.02 5.9285 9.86652 5.9285 8.44004C5.9285 7.01355 7.06905 5.91468 8.49474 5.91468C9.92043 5.91468 11.061 7.06815 11.061 8.49464C11.061 8.63115 11.0406 8.76765 11.0135 8.92463L11.027 8.93146ZM5.17493 8.45369C5.17493 10.2965 6.6685 11.7981 8.50153 11.7981C8.77309 11.7981 9.03786 11.7571 9.28905 11.6957C9.30263 12.037 9.58098 12.31 9.92043 12.31H10.8098V13.2041C10.8098 13.559 11.0949 13.8457 11.4479 13.8457H12.3373V14.4872C12.3373 14.9787 12.7379 15.3814 13.2267 15.3814H14.4962C14.985 15.3814 15.3856 14.9787 15.3856 14.4872V13.3815C15.3856 13.0062 15.2362 12.6512 14.9782 12.3919L11.8078 9.20447C11.8078 9.20447 11.7602 9.12939 11.7738 9.08162C11.8078 8.90416 11.8281 8.71305 11.8281 8.51512C11.8281 6.65864 10.3413 5.15707 8.50153 5.15707C6.66171 5.15707 5.17493 6.59721 5.17493 8.45369ZM7.74116 7.04768C8.09419 7.04768 8.37933 7.33434 8.37933 7.68926C8.37933 8.04417 8.09419 8.33083 7.74116 8.33083C7.38814 8.33083 7.103 8.04417 7.103 7.68926C7.103 7.33434 7.38814 7.04768 7.74116 7.04768Z" fill="white"/>
+</g>
+<defs>
+<clipPath id="clip0_111_2097">
+<rect width="10.2106" height="10.2106" fill="white" transform="translate(5.17493 5.15707)"/>
+</clipPath>
+</defs>
+</svg>

windows/security/identity-protection/passwordless-experience/index.md

@@ -0,0 +1,146 @@
+---
+title: Windows passwordless experience
+description: Learn how Windows passwordless experience enables your organization to move away from passwords.
+ms.collection: 
+  - highpri
+  - tier1
+ms.date: 09/11/2023
+ms.topic: how-to
+---
+
+# Windows passwordless experience
+
+## Overview
+
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], *Windows passwordless experience* is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.\
+When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords.
+
+With Windows passwordless experience, users who sign in with Windows Hello or a FIDO2 security key:
+
+- Can't use the password credential provider on the Windows lock screen
+- Aren't prompted to use a password during in-session authentications (for example, UAC elevation, password manager in the browser, etc.)
+- Don't have the option *Accounts > Change password* in the Settings app
+  
+  >[!NOTE]
+  >Users can reset their password using <kbd>CTRL</kbd>+<kbd>ALT</kbd>+<kbd>DEL</kbd> > **Manage your account**
+
+Windows passwordless experience doesn't affect the initial sign-in experience and local accounts. It only applies to subsequent sign-ins for Microsoft Entra ID accounts. It also doesn't prevent a user from signing in with a password when using the *Other user* option in the lock screen.\
+The password credential provider is hidden only for the last signed in user who signed in Windows Hello or a FIDO2 security key. Windows passwordless experience isn't about preventing users from using passwords, rather to guide and educate them to not use passwords.
+
+This article explains how to enable Windows passwordless experience and describes the user experiences.
+
+>[!TIP]
+> Windows Hello for Business users can achieve passwordless sign-in from the first sign-in using the Web sign-in feature. For more information about Web sign-in, see [Web sign-in for Windows devices](../web-sign-in/index.md).
+
+## System requirements
+
+Windows passwordless experience has the following requirements:
+
+- Windows 11, version 22H2 with [KB5030310][KB-1] or later
+- Microsoft Entra joined
+- Windows Hello for Busines credentials enrolled for the user, or a FIDO2 security key
+- MDM-managed: Microsoft Intune or other MDM solution
+
+>[!NOTE]
+>Microsoft Entra hybrid joined devices and Active Directory domain joined devices are currently out of scope.
+
+[!INCLUDE [windows-hello-for-business-passwordless](../../../../includes/licensing/windows-hello-for-business-passwordless.md)]
+
+## Enable Windows passwordless experience with Intune
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Authentication** | Enable Passwordless Experience | Enabled |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-2] with the [Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience`<br>- **Data type:** int<br>- **Value:** `1`|
+
+## User experiences
+
+### Lock screen experience
+
+:::row:::
+  :::column span="3":::
+  **Passwordless experience turned off**: users can sign in using a password, as indicated by the presence of the password credential provider  :::image type="icon" source="images/key-credential-provider.svg" border="false"::: in the Windows lock screen.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/lock-screen-off.png" lightbox="images/lock-screen-off.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint, PIN and password credential providers.":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+  **Passwordless experience turned on**: the password credential provider :::image type="icon" source="images/key-credential-provider.svg" border="false"::: is missing for the last user who signed in with strong credentials. A user can either sign in using a strong credential or opt to use the *Other user* option to sign in with a password.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/lock-screen-on.png" lightbox="images/lock-screen-on.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint and PIN credential providers only. The password credential provider is missing.":::
+  :::column-end:::
+:::row-end:::
+
+### In-session authentication experiences
+
+When Windows passwordless experience is enabled, users can't use the password credential provider for in-session authentication scenarios. In-session authentication scenarios include:
+
+- Password Manager in a web browser
+- Connecting to file shares or intranet sites
+- User Account Control (UAC) elevation, except if a local user account is used for elevation
+
+>[!NOTE]
+> RDP sign in defaults to the credential provider used during sign-in. However, a user can select the option *Use a different account* to sign in with a password.
+>
+> *Run as different user* is not impacted by Windows passwordless experience.
+
+Example of UAC elevation experience:
+
+:::row:::
+  :::column span="3":::
+  **Passwordless experience turned off**: UAC elevation allows the user to authenticate using a password.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/uac-off.png" lightbox="images/uac-off.png" alt-text="Screenshot of the UAC prompt showing username and password fields.":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+  **Passwordless experience turned on**: UAC elevation doesn't allow the user to use the password credential provider for the currently logged on user. The user can authenticate using Windows Hello, a FIDO2 security key or a local user account, if available.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/uac-on.png" lightbox="images/uac-on.png" alt-text="Screenshot of the UAC prompt showing fingerprint and PIN options only.":::
+  :::column-end:::
+:::row-end:::
+
+## Recommendations
+
+Here's a list of recommendations to consider before enabling Windows passwordless experience:
+
+- If Windows Hello for Business is enabled, configure the [PIN reset](hello-feature-pin-reset.md) feature to allow users to reset their PIN from the lock screen. The PIN reset experience is improved starting in Windows 11, version 22H2 with [KB5030310][KB-1]
+- Don't configure the security policy *Interactive logon: Don't display last signed-in*, as it prevents Windows passwordless experience from working
+- Don't disable the password credential provider using the *Exclude credential providers* policy. The key differences between the two policies are:
+  - The Exclude credential providers policy disables passwords for *all accounts*, including local accounts. Windows passwordless experience only applies to Microsoft Entra ID accounts that sign in with Windows Hello or a FIDO2 security key. It also excludes *Other User* from the policy, so users have a backup sign in option
+  - Exclude credential providers policy prevents the use of passwords for RDP and *Run as* authentication scenarios
+- To facilitate helpdesk support operations, consider enabling the local administrator account or create a separate one, randomizing its password using the [Windows Local Administrator Password Solution (LAPS)][SERV-1]
+
+## Known issues
+
+There's a known issue affecting the in-session authentication experience when using FIDO2 security keys, which may offer the option to use a password. The product group is aware of the behavior and is investigating further.
+
+## Provide feedback
+
+To provide feedback for Windows passwordless experience, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passwordless experience**.
+
+
+
+<!--links used in this document-->
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-authentication#enablepasswordlessexperience
+[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
+[INT-2]: /mem/intune/configuration/custom-settings-windows-10
+[KB-1]: https://support.microsoft.com/kb/5030310
+[SERV-1]: /windows-server/identity/laps/laps-overview
+[UAC-1]: /windows/security/application-security/application-control/user-account-control/settings-and-configuration?tabs=intune

windows/security/identity-protection/toc.yml

@@ -11,10 +11,12 @@ items:
       href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb
     - name: Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗
       href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
-    - name: Passkey
-      href: passkey/index.md
     - name: FIDO2 security key 🔗
       href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
+    - name: Windows passwordless experience
+      href: passwordless-experience/index.md
+    - name: Passkey
+      href: passkey/index.md
     - name: Smart Cards
       href: smart-cards/toc.yml
     - name: Virtual smart cards

windows/security/identity-protection/web-sign-in/index.md

@@ -1,6 +1,6 @@
 ---
 title: Web sign-in for Windows devices
-description: Learn how Web sign-in in Windows works and how to configure it.
+description: Learn how Web sign-in in Windows works, key scenarios, and how to configure it.
 ms.date: 09/13/2023
 ms.topic: how-to
 appliesto:
@@ -148,6 +148,7 @@ Here's a list of important considerations to keep in mind when configuring or us
 - Cached credentials aren't supported with Web sign-in. If the device is offline, the user can't use the Web sign-in credential provider to sign in
 - After sign out, the user isn't displayed in the user selection list
 - Once enabled, the Web sign-in credential provider is the default credential provider for new users signing in to the device. To change the default credential provider, you can use the [DefaultCredentialProvider][WIN-2] ADMX-backed policy
+- The user can exit the Web sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the Windows lock screen
 
 ### Known issues