diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index dc88de7152..f188b5e0ee 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -4,6 +4,7 @@ description: This topic lists new and updated topics in the Microsoft Edge docum ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library +localizationpriority: high --- # Change history for Microsoft Edge diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index c2eea7a99c..ee3fbbd2b8 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -21,6 +21,7 @@ ## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) +### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) ## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) ## [Surface Data Eraser](microsoft-surface-data-eraser.md) ## [Change history for Surface documentation](change-history-for-surface.md) diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index dd716e83f7..3297316928 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -11,6 +11,14 @@ author: jdeckerMS This topic lists new and updated topics in the Surface documentation library. +## November 2016 + +|New or changed topic | Description | +| --- | --- | +|[Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) | New | + + + ## October 2016 | New or changed topic | Description | 
diff --git a/devices/surface/images/config-mgr-semm-fig1.png b/devices/surface/images/config-mgr-semm-fig1.png new file mode 100644 index 0000000000..7ff888c2e2 Binary files /dev/null and b/devices/surface/images/config-mgr-semm-fig1.png differ diff --git a/devices/surface/images/config-mgr-semm-fig2.png b/devices/surface/images/config-mgr-semm-fig2.png new file mode 100644 index 0000000000..33836c09eb Binary files /dev/null and b/devices/surface/images/config-mgr-semm-fig2.png differ diff --git a/devices/surface/images/config-mgr-semm-fig3.png b/devices/surface/images/config-mgr-semm-fig3.png new file mode 100644 index 0000000000..c844b60531 Binary files /dev/null and b/devices/surface/images/config-mgr-semm-fig3.png differ diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md new file mode 100644 index 0000000000..1c7e67783b --- /dev/null +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md 
@@ -0,0 +1,415 @@ +--- +title: Use System Center Configuration Manager to manage devices with SEMM (Surface) +description: Find out how to use Microsoft Surface UEFI Manager to perform SEMM management with System Center Configuration Manager. +keywords: enroll, update, scripts, settings +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: surface, devices +ms.sitesec: library +author: KiranDavane +--- + +# Use System Center Configuration Manager to manage devices with SEMM + +The Surface Enterprise Management Mode (SEMM) feature of Surface UEFI devices allows administrators to both manage and secure the configuration of Surface UEFI settings. For most organizations, this process is accomplished by creating Windows Installer (.msi) packages with the Microsoft Surface UEFI Configurator tool. These packages are then run or deployed to the client Surface devices to enroll the devices in SEMM and to update the Surface UEFI settings configuration. + +For organizations with System Center Configuration Manager, there is an alternative to using the Microsoft Surface UEFI Configurator .msi process to deploy and administer SEMM. Microsoft Surface UEFI Manager is a lightweight installer that makes required assemblies for SEMM management available on a device. By installing these assemblies with Microsoft Surface UEFI Manager on a managed client, SEMM can be administered by Configuration Manager with PowerShell scripts, deployed as applications. With this process, SEMM management is performed within Configuration Manager, which eliminates the need for the external Microsoft Surface UEFI Configurator tool. + +>[!Note] +>Although the process described in this article may work with earlier versions of System Center Configuration Manager or with other third-party management solutions, management of SEMM with Microsoft Surface UEFI Manager and PowerShell is supported only with the Current Branch of System Center Configuration Manager. 
+ +#### Prerequisites + +Before you begin the process outlined in this article, it is expected that you are familiar with the following technologies and tools: + +* [Surface UEFI](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings) +* [Surface Enterprise Management Mode (SEMM)](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode) +* [PowerShell scripting](https://technet.microsoft.com/en-us/scriptcenter/dd742419) +* [System Center Configuration Manager application deployment](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/deploy-applications) +* Certificate management + +>[!Note] +>You will also need access to the certificate that you intend to use to secure SEMM. For details about the requirements for this certificate, see [Surface Enterprise Management Mode certificate requirements](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode#surface-enterprise-management-mode-certificate-requirements). + +>It is very important that this certificate be kept in a safe location and properly backed up. If this certificate becomes lost or unusable, it is not possible to reset Surface UEFI, change managed Surface UEFI settings, or remove SEMM from an enrolled Surface device. + +#### Download Microsoft Surface UEFI Manager + +Management of SEMM with Configuration Manager requires the installation of Microsoft Surface UEFI Manager on each client Surface device. You can download Microsoft Surface UEFI Manager (SurfaceUEFIManager.msi) from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page on the Microsoft Download Center. + +#### Download SEMM scripts for Configuration Manager + +After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. 
You can download samples of the [SEMM management scripts](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) from the TechNet Gallery Script Center. + +## Deploy Microsoft Surface UEFI Manager + +Deployment of Microsoft Surface UEFI Manager is a typical application deployment. The Microsoft Surface UEFI Manager installer file is a standard Windows Installer file that you can install with the [standard quiet option](https://msdn.microsoft.com/library/windows/desktop/aa367988). + +The command to install Microsoft Surface UEFI Manager is: + +`msiexec /i “SurfaceUEFIManagerSetup.msi” /q` + +The command to uninstall Microsoft Surface UEFI Manager is: + +`msiexec /x {541DA890-1AEB-446D-B3FD-D5B3BB18F9AF} /q` + +To create a new application and deploy it to a collection that contains your Surface devices, perform the following steps: + +1. Open Configuration Manager Console from the Start screen or Start menu. +2. Click **Software Library** in the bottom left corner of the window. +3. Expand the Application Management node of the Software Library, and then click **Applications**. +4. Click the **Create Application** button under the **Home** tab at the top of the window. This starts the Create Application Wizard. +5. The Create Application Wizard presents a series of steps: + + * **General** – The **Automatically detect information about this application from installation files** option is selected by default. In the **Type** field, **Windows Installer (*.msi file)** is also selected by default. Click **Browse** to navigate to and select **SurfaceUEFIManagerSetup.msi**, and then click **Next**. + + >[!Note] + >The location of SurfaceUEFIManagerSetup.msi must be on a network share and located in a folder that contains no other files. A local file location cannot be used. + + * **Import Information** – The Create Application Wizard will parse the .msi file and read the **Application Name** and **Product Code**. 
SurfaceUEFIManagerSetup.msi should be listed as the only file under the line **Content Files**, as shown in Figure 1. Click **Next** to proceed. + + + ![Information from Surface UEFI Manager setup is automatically parsed](images/config-mgr-semm-fig1.png "Information from Surface UEFI Manager setup is automatically parsed") + + *Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed* + + * **General Information** – You can modify the name of the application and information about the publisher and version, or add comments on this page. The installation command for Microsoft Surface UEFI Manager is displayed in the Installation Program field. The default installation behavior of Install for system will allow Microsoft Surface UEFI Manager to install the required assemblies for SEMM even if a user is not logged on to the Surface device. Click Next to proceed. + * **Summary** – The information that was parsed in the **Import Information** step and your selections from the **General Information** step is displayed on this page. Click **Next** to confirm your selections and create the application. + * **Progress** – Displays a progress bar and status as the application is imported and added to the Software Library. + * **Completion** – Confirmation of the successful application creation is displayed when the application creation process is complete. Click **Close** to finish the Create Application Wizard. + +After the application is created in Configuration Manager, you can distribute it to your distribution points and deploy it to the collections including your Surface devices. This application will not install or enable SEMM on the Surface device – it only provides the assemblies required for SEMM to be enabled via PowerShell script. 
+ +If you do not want to install the Microsoft Surface UEFI Manager assemblies on devices that will not be managed with SEMM, you can configure Microsoft Surface UEFI Manager as a dependency of the SEMM Configuration Manager scripts. This scenario is covered in the [Deploy SEMM Configuration Manager Scripts](#deploy-semm-configuration-manager-scripts) section later in this article. + +## Create or modify the SEMM Configuration Manager scripts + +After the required assemblies have been installed on the devices, the process of enrolling the devices in SEMM and configuring Surface UEFI is done with PowerShell scripts and deployed as a script application with Configuration Manager. These scripts can be modified to fit the needs of your organization and environment. For example, you can create multiple configurations for managed Surface devices in different departments or roles. You can download samples of the scripts for SEMM and Configuration Manager at the link in the [Prerequisites](#prerequisites) section at the beginning of this article. + +There are two primary scripts you will need to perform a SEMM deployment with Configuration Manager: + +* **ConfigureSEMM.ps1** – Use this script to create configuration packages for your Surface devices with your desired Surface UEFI settings, to apply the specified settings to a Surface device, to enroll the device in SEMM, and to set a registry key used to identify the enrollment of the device in SEMM. +* **ResetSEMM.ps1** – Use this script to reset SEMM on a Surface device, which unenrolls it from SEMM and removes the control over Surface UEFI settings. + +The sample scripts include examples of how to set Surface UEFI settings and how to control permissions to those settings. These settings can be modified to secure Surface UEFI and set Surface UEFI settings according to the needs of your environment. 
The following sections of this article explain the ConfigureSEMM.ps1 script and explore the modifications you need to make to the script to fit your requirements. + +>[!NOTE] +>The SEMM Configuration Manager scripts and the exported SEMM certificate file (.pfx) should be placed in the same folder with no other files before they are added to Configuration Manager. + +### Specify certificate and package names + +The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates the names for the SEMM configuration package and SEMM reset package. The certificate and package names are specified on lines 56 through 67 in the ConfigureSEMM.ps1 script: + + ``` + 56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition + 57 $packageRoot = "$WorkingDirPath\Config" + 58 + 59 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot } + 60 Copy-Item "$WorkingDirPath\FabrikamOwnerSigner.pfx" $packageRoot + 61 + 62 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath "FabrikamOwnerSigner.pfx" + 63 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamSignerProvisioningPackage.pkg" + 64 $resetPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamUniversalResetPackage.pkg" + 65 + 66 # If your PFX file requires a password then it can be set here, otherwise use a blank string. + 67 $password = "1234" + ``` + +Replace the **FabrikamOwnerSigner.pfx** value for the **$privateOwnerKey** variable with the name of your SEMM Certificate file on both lines 60 and 62. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory. 
+ +Replace the **FabrikamSignerProvisioningPackage.pkg** and **FabrikamUniversalResetPackage.pkg** values on lines 63 and 64 to define the **$ownerPackageName** and **$resetPackageName** variables with your desired names for the SEMM configuration and reset packages. These packages will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script. + +On line 67, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text. + +>[!Note] +>The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 144-149, to accomplish this: + +``` +144 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership. +145 # For convenience we get the thumbprint here and present to the user. +146 $pw = ConvertTo-SecureString $password -AsPlainText -Force +147 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 +148 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet) +149 Write-Host "Thumbprint =" $certPrint.Thumbprint +``` + +Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process: + +1. Right-click the .pfx file, and then click **Open**. +2. Expand the folder in the navigation pane. +3. Click **Certificates**. +4. Right-click your certificate in the main pane, and then click **Open**. +5. Click the **Details** tab. +6. **All** or **Properties Only** must be selected in the **Show** drop-down menu. +7. 
Select the field **Thumbprint**. + +>[!NOTE] +>The SEMM certificate name and password must also be entered in this section of the ResetSEMM.ps1 script to enable Configuration Manager to remove SEMM from the device with the uninstall action. + +### Configure permissions + +The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 202 in the sample script with the comment **# Configure Permissions** and continues to line 238. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras: + +``` +202 # Configure Permissions +203 foreach ($uefiV2 IN $surfaceDevices.Values) { +204 # Here we define which "identities" will be allowed to modify which settings +205 # PermissionSignerOwner = The primary SEMM enterprise owner identity +206 # PermissionLocal = The user when booting to the UEFI pre-boot GUI +207 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 = +208 # Additional user identities created so that the signer owner +209 # can delegate permission control for some settings. 
+210 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner +211 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal) +212 +213 # Make all permissions owner only by default +214 foreach ($setting IN $uefiV2.Settings.Values) { +215 $setting.ConfiguredPermissionFlags = $ownerOnly +216 } +217 # Allow the local user to change their own password +218 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser +219 +220 # Allow the local user to change the state of the TPM +221 $uefiV2.Settings["Trusted Platform Module (TPM)"].ConfiguredPermissionFlags = $ownerAndLocalUser +222 +223 # Allow the local user to change the state of the Front and Rear cameras +224 $uefiV2.SettingsById[302].ConfiguredPermissionFlags = $ownerAndLocalUser +225 $uefiV2.SettingsById[304].ConfiguredPermissionFlags = $ownerAndLocalUser +226 +227 +228 # Create a unique package name based on family and LSV. +229 # We will choose a name that can be parsed by later scripts. +230 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg" +231 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName +232 +233 # Build and sign the Permission package then save it to a file. +234 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv) +235 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write) +236 $permissionPackageStream.CopyTo($permissionPackage) +237 $permissionPackage.Close() +238 } +``` + +Each **$uefiV2** variable identifies a Surface UEFI setting by setting name or ID, and then configures the permissions to one of the following values: + +* **$ownerOnly** – Permission to modify this setting is granted only to SEMM. 
+* **$ownerAndLocalUser** – Permission to modify this setting is granted to a local user booting to Surface UEFI, as well as to SEMM. + +You can find information about the available settings names and IDs for Surface UEFI in the [Settings Names and IDs](#settings-names-and-ids) section of this article. + +### Configure settings + +The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 282 through line 312 in the sample script. The region appears as follows: + +``` +282 # Configure Settings +283 foreach ($uefiV2 IN $surfaceDevices.Values) { +284 # In this demo, we will start by setting every setting to the default factory setting. +285 # You may want to start by doing this in your scripts +286 # so that every setting gets set to a known state. +287 foreach ($setting IN $uefiV2.Settings.Values) { +288 $setting.ConfiguredValue = $setting.DefaultValue +289 } +290 +291 # If you want to set something to a different value from the default, +292 # here are examples of how to accomplish this. +293 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = "Disabled" +294 +295 # If you want to leave the setting unmodified, set it to $null +296 # PowerShell has issues setting things to $null so ClearConfiguredValue() +297 # is supplied to do this explicitly. +298 # Here is an example of leaving the UEFI administrator password as-is, +299 # even after we initially set it to factory default above. 
+300 $uefiV2.SettingsById[501].ClearConfiguredValue() +301 +302 # Create a unique package name based on family and LSV. +303 # We will choose a name that can be parsed by later scripts. +304 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg" +305 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName +306 +307 # Build and sign the Settings package then save it to a file. +308 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv) +309 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write) +310 $settingsPackageStream.CopyTo($settingsPackage) +311 $settingsPackage.Close() +312 } +``` + +Like the permissions set in the **Configure Permissions** section of the script, the configuration of each Surface UEFI setting is performed by defining the **$uefiV2** variable. For each line defining the **$uefiV2** variable, a Surface UEFI setting is identified by setting name or ID and the configured value is set to **Enabled** or **Disabled**. + +If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 300 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**. + +You can find information about the available settings names and IDs for Surface UEFI in the [Settings Names and IDs](#settings-names-and-ids) section later in this article. 
+ +### Settings registry key + +To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes a registry key that can be used to identify enrolled systems as having been installed with the SEMM configuration script. This key can be found at the following location: + +`HKLM\SOFTWARE\Microsoft\Surface\SEMM\Enabled_Version1000` + +The following code fragment, found on lines 352-363, is used to write this registry key: + +``` +352 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM" +353 New-RegKey $SurfaceRegKey +354 $SurfaceRegValue = Get-ItemProperty $SurfaceRegKey Enabled_Version1000 -ErrorAction SilentlyContinue +355 +356 If ($SurfaceRegValue -eq $null) +357 { +358 New-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -PropertyType String -Value 1 | Out-Null +359 } +360 Else +361 { +362 Set-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -Value 1 +363 } +``` + +### Settings names and IDs + +To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from [SEMM management scripts for Configuration Manager](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) in the TechNet Gallery Script Center. + +The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device. + +The following tables show the available settings for Surface Pro 4 and Surface Book: + +*Table 1. 
Surface UEFI settings for Surface Pro 4* + +| Setting ID | Setting Name | Description | Default Setting | +| --- | --- | --- | --- | +|501| Password | UEFI System Password | | +|200| Secure Boot Keys | Secure Boot signing keys to enable for EFI applications | MsPlus3rdParty | +|300| Trusted Platform Module (TPM) | TPM device enabled or disabled | Enabled | +|301| Docking USB Port | Docking USB Port enabled or disabled | Enabled | +|302| Front Camera | Front Camera enabled or disabled | Enabled | +|303| Bluetooth | Bluetooth radio enabled or disabled | Enabled | +|304| Rear Camera | Rear Camera enabled or disabled | Enabled | +|305| IR Camera | InfraRed Camera enabled or disabled | Enabled | +|308| Wi-Fi and Bluetooth | Wi-Fi and Bluetooth enabled or disabled | Enabled | +|310| Type Cover | Surface Type Cover connector | Enabled | +|320| On-board Audio | On-board audio enabled or disabled | Enabled | +|330| Micro SD Card | Micro SD Card enabled or disabled | Enabled | +|370| USB Port 1 | Side USB Port (1) | UsbPortEnabled | +|400| IPv6 for PXE Boot | Enable IPv6 PXE boot before IPv4 PXE boot |Disabled | +|401| Alternate Boot | Alternate Boot allows users to override the boot order by holding the volume down button when powering up the device | Enabled | +|402| Boot Order Lock | Boot Order variable lock enabled or disabled | Disabled | +|403| USB Boot | Enable booting from USB devices | Enabled | +|500| TPM clear EFI protocol | Enable EFI protocol for invoking TPM clear | Disabled | +|600| Security | UEFI Security Page Display enabled or disabled | Enabled | +|601| Devices | UEFI Devices Page Display enabled or disabled | Enabled | +|602| Boot | UEFI Boot Manager Page Display enabled or disabled | Enabled | + +*Table 2. 
Surface UEFI settings for Surface Book* + +| Setting ID | Setting Name | Description | Default Setting | +| --- | --- | --- | --- | +| 501 | Password | UEFI System Password | | +| 200 | Secure Boot Keys | Secure Boot signing keys to enable for EFI applications | MsPlus3rdParty | +| 300 | Trusted Platform Module (TPM) | TPM device enabled or disabled | Enabled | +| 301 | Docking USB Port | Docking USB Port enabled or disabled | Enabled | +| 302 | Front Camera | Front Camera enabled or disabled | Enabled | +| 303 | Bluetooth | Bluetooth radio enabled or disabled | Enabled | +| 304 | Rear Camera | Rear Camera enabled or disabled | Enabled | +| 305 | IR Camera | InfraRed Camera enabled or disabled | Enabled | +| 308 | Wi-Fi and Bluetooth | Wi-Fi and Bluetooth enabled or disabled | Enabled | +| 320 | On-board Audio | On-board audio enabled or disabled | Enabled | +| 400 | IPv6 for PXE Boot Enable | IPv6 PXE boot before IPv4 PXE boot | Disabled | +| 401 | Alternate Boot | Alternate Boot allows users to override the boot order by holding the volume down button when powering up the device | Enabled | +| 402 | Boot Order Lock | Boot Order variable lock enabled or disabled | Disabled | +| 403 | USB Boot | Enable booting from USB devices | Enabled | +| 500 | TPM clear EFI protocol | Enable EFI protocol for invoking TPM clear | Disabled | +| 600 | Security | UEFI Security Page Display enabled or disabled | Enabled | +| 601 | Devices | UEFI Devices Page Display enabled or disabled | Enabled | +| 602 | Boot | UEFI Boot Manager Page Display enabled or disabled | Enabled | + +## Deploy SEMM Configuration Manager scripts + +After your scripts are prepared to configure and enable SEMM on the client device, the next step is to add these scripts as an application in Configuration Manager. 
Before you open Configuration Manager, ensure that the following files are in a shared folder that does not include other files: + +* ConfigureSEMM.ps1 +* ResetSEMM.ps1 +* Your SEMM certificate (for example SEMMCertificate.pfx) + +The SEMM Configuration Manager scripts will be added to Configuration Manager as a script application. The command to install SEMM with ConfigureSEMM.ps1 is: + +`Powershell.exe -file “.\ConfigureSEMM.ps1”` + +The command to uninstall SEMM with ResetSEMM.ps1 is: + +`Powershell.exe -file “.\ResetSEMM.ps1”` + +To add the SEMM Configuration Manager scripts to Configuration Manager as an application, use the following process: + +1. Start the Create Application Wizard using Step 1 through Step 5 from the [Deploy Microsoft Surface UEFI Manager](#deploy-microsoft-surface-uefi-manager) section earlier in this article. + +2. Proceed through The Create Application Wizard as follows: + + - **General** – Select **Manually specify the application information**, and then click **Next**. + + - **General Information** – Enter a name for the application (for example SEMM) and any other information you want such as publisher, version, or comments on this page. Click **Next** to proceed. + + - **Application Catalog** – The fields on this page can be left with their default values. Click **Next**. + + - **Deployment Types** – Click **Add** to start the Create Deployment Type Wizard. + + - Proceed through the steps of the Create Deployment Type Wizard, as follows: + + * **General** – Click **Script Installer** from the **Type** drop-down menu. The **Manually specify the deployment type information** option will automatically be selected. Click **Next** to proceed. + * **General Information** – Enter a name for the deployment type (for example SEMM Configuration Scripts), and then click **Next** to continue. 
+ * **Content** – Click **Browse** next to the **Content Location** field, and then click the folder where your SEMM Configuration Manager scripts are located. In the **Installation Program** field, type the [installation command](#deploy-semm-configuration-manager-scripts) found earlier in this article. In the **Uninstall Program** field, enter the [uninstallation command](#deploy-semm-configuration-manager-scripts) found earlier in this article (shown in Figure 2). Click **Next** to move to the next page. + + ![Set the SEMM Configuration Manager scripts as the install and uninstall commands](images/config-mgr-semm-fig2.png "Set the SEMM Configuration Manager scripts as the install and uninstall commands") + + *Figure 2. Set the SEMM Configuration Manager scripts as the install and uninstall commands* + + * **Detection Method** – Click **Add Clause** to add the SEMM Configuration Manager script registry key detection rule. The **Detection Rule** window is displayed, as shown in Figure 3. Use the following settings: + + - Click **Registry** from the **Setting Type** drop-down menu. + - Click **HKEY_LOCAL_MACHINE** from the **Hive** drop-down menu. + - Enter **SOFTWARE\Microsoft\Surface\SEMM** in the **Key** field. + - Enter **Enabled_Version1000** in the **Value** field. + - Click **String** from the **Data Type** drop-down menu. + - Click the **This registry setting must satisfy the following rule to indicate the presence of this application** button. + - Enter **1** in the **Value** field. + - Click **OK** to close the **Detection Rule** window. + + ![Use a registry key to identify devices enrolled in SEMM](images/config-mgr-semm-fig3.png "Use a registry key to identify devices enrolled in SEMM") + + *Figure 3. Use a registry key to identify devices enrolled in SEMM* + + * Click **Next** to proceed to the next page. + + * **User Experience** – Click **Install for system** from the **Installation Behavior** drop-down menu. 
If you want your users to record and enter the certificate thumbprint themselves, leave the logon requirement set to **Only when a user is logged on**. If you want your administrators to enter the thumbprint for users and the users do not need to see the thumbprint, click **Whether or not a user is logged on** from the **Logon Requirement** drop-down menu. + + * **Requirements** – The ConfigureSEMM.ps1 script automatically verifies that the device is a Surface device before attempting to enable SEMM. However, if you intend to deploy this script application to a collection with devices other than those to be managed with SEMM, you could add requirements here to ensure this application would run only on Surface devices or devices you intend to manage with SEMM. Click **Next** to continue. + + * **Dependencies** – Click **Add** to open the **Add Dependency** window. + + * Click **Add** to open the **Specify Required Application** window. + + - Enter a name for the SEMM dependencies in the **Dependency Group Name** field (for example, *SEMM Assemblies*). + + - Click **Microsoft Surface UEFI Manager** from the list of **Available Applications** and the MSI deployment type, and then click **OK** to close the **Specify Required Application** window. + + * Keep the **Auto Install** check box selected if you want Microsoft Surface UEFI Manager installed automatically on devices when you attempt to enable SEMM with the Configuration Manager scripts. Click **OK** to close the **Add Dependency** window. + + * Click **Next** to proceed. + + * **Summary** – The information you have entered throughout the Create Deployment Type wizard is displayed on this page. Click **Next** to confirm your selections. + + * **Progress** – A progress bar and status as the deployment type is added for the SEMM script application is displayed on this page. + + * **Completion** – Confirmation of the deployment type creation is displayed when the process is complete. 
Click **Close** to finish the Create Deployment Type Wizard. + + * **Summary** – The information that you entered throughout the Create Application Wizard is displayed. Click **Next** to create the application. + + * **Progress** – A progress bar and status as the application is added to the Software Library is displayed on this page. + + * **Completion** – Confirmation of the successful application creation is displayed when the application creation process is complete. Click **Close** to finish the Create Application Wizard. + +After the script application is available in the Software Library of Configuration Manager, you can distribute and deploy SEMM using the scripts you prepared to devices or collections. If you have configured the Microsoft Surface UEFI Manager assemblies as a dependency that will be automatically installed, you can deploy SEMM in a single step. If you have not configured the assemblies as a dependency, they must be installed on the devices you intend to manage before you enable SEMM. + +When you deploy SEMM using this script application and with a configuration that is visible to the end user, the PowerShell script will start and the thumbprint for the certificate will be displayed by the PowerShell window. You can have your users record this thumbprint and enter it when prompted by Surface UEFI after the device reboots. + +Alternatively, you can configure the application installation to reboot automatically and to install invisibly to the user – in this scenario, a technician will be required to enter the thumbprint on each device as it reboots. Any technician with access to the certificate file can read the thumbprint by viewing the certificate with CertMgr. Instructions for viewing the thumbprint with CertMgr are in the [Create or modify the SEMM Configuration Manager scripts](#create-or-modify-the-semm-configuration-manager-scripts) section of this article. 
+ +Removal of SEMM from a device deployed with Configuration Manager using these scripts is as easy as uninstalling the application with Configuration Manager. This action starts the ResetSEMM.ps1 script and properly unenrolls the device with the same certificate file that was used during the deployment of SEMM. diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md index dc86e81da7..b49144c4ca 100644 --- a/windows/deploy/resolve-windows-10-upgrade-errors.md +++ b/windows/deploy/resolve-windows-10-upgrade-errors.md @@ -16,13 +16,11 @@ localizationpriority: high **Applies to** - Windows 10 -This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. - -If you are not an IT administrator, you can try the [quick fixes](#quick-fixes) listed in this topic. If the quick fixes do not resolve your issue, see [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors) for more information. +>**Important**: This topic contains technical instructions for IT administrators. If you are not an IT administrator, see [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors) for more information. ## In this topic -The following sections and procedures are provided in this guide: +This topic contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. The following sections and procedures are provided in this guide: - [The Windows 10 upgrade process](#the-windows-10-upgrade-process): An explanation of phases used during the upgrade process.
- [Quick fixes](#quick-fixes): Steps you can take to eliminate many Windows upgrade errors.
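Review bot: in the new use-system-center-configuration-manager-to-manage-devices-with-semm.md topic, both the install and uninstall commands are written with typographic quotes (`Powershell.exe -file “.\ConfigureSEMM.ps1”`), which the Windows command line does not treat as quoting; PowerShell then looks for a file whose name includes the curly-quote characters and fails, so the deployment type will never run. Use straight quotes, `Powershell.exe -file ".\ConfigureSEMM.ps1"` and `Powershell.exe -file ".\ResetSEMM.ps1"`, in the text and in Figure 2. The same topic also needs a caution about the certificate: the .pfx that the reader is told to place in the shared folder is the SEMM signing key, and that folder is exactly the Content Location the Script Installer deployment type distributes, so the key is copied to every targeted device's content cache in addition to sitting on the share, yet the only handling guidance given is how a technician reads the thumbprint from it with CertMgr. Recommend adding a sentence on restricting access to that share and on the fact that the same certificate file is what ResetSEMM.ps1 needs later to unenroll the device.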
diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index 1d08d1f5cb..8aaa283d61 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md @@ -97,9 +97,12 @@ The compatibility update KB scans your computers and enables application usage t IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time. +If you are planning to enable IE Site Discovery, you will need to install a few additional KBs. + | **Site discovery** | **KB** | |----------------------|-----------------------------------------------------------------------------| -| [Review site discovery](upgrade-analytics-review-site-discovery.md) | Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. | +| [Review site discovery](upgrade-analytics-review-site-discovery.md) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
For more information about this KB, see

Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. | + ### Automate data collection diff --git a/windows/keep-secure/event-4713.md b/windows/keep-secure/event-4713.md index 482ad0768e..c35ede099f 100644 --- a/windows/keep-secure/event-4713.md +++ b/windows/keep-secure/event-4713.md @@ -21,7 +21,7 @@ author: Mir0sh ***Event Description:*** -This event generates when [Kerberos policy](https://technet.microsoft.com/en-us/library/cc782061(v=ws.10).aspx) was changed. +This event generates when [Kerberos](https://msdn.microsoft.com/library/windows/desktop/aa378747.aspx) policy was changed. This event is generated only on domain controllers. diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 0ebb719b2e..a432c98385 100644 --- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
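Review bot: in the upgrade-analytics-get-started.md hunk, the new KB3080149 table cell ends one sentence with "For more information about this KB, see" and nothing follows, so the link or title that sentence was meant to reference is missing; either add the reference or drop the sentence. While there, check that the line breaks inside that cell are explicit (the cell stacks the KB link, two sentences and the Monthly Rollup instruction) so the row renders as one table row.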
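Review bot: in the event-4713.md hunk, the link target moves from the Kerberos policy page to the general Kerberos overview (aa378747) and the link text shrinks from "Kerberos policy" to "Kerberos"; for an event that fires when Kerberos policy is changed, the reader loses the pointer to the policy settings themselves. Keep a reference to the policy settings page (or its current equivalent) alongside the overview link.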
@@ -123,7 +123,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware li - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. - Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Microsoft Passport, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). + Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 is required for device health attestation. 
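Review bot: this hunk renames Microsoft Passport to "Windows Hello" while the hunk at @@ -499 in the same file uses "Windows Hello for Business" for the same TPM-backed key scenario; pick one term for the file. Since this sentence lists the keys the TPM protects for sign-in, which is the enterprise key-based credential, "Windows Hello for Business" is the better fit here.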
@@ -499,7 +499,7 @@ The AIK is an asymmetric (public/private) key pair that is used as a substitute Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device. -Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Microsoft Passport without TPM. +Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. 
Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate. diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md index 277ad8c4ba..0b34d5a9a8 100644 --- a/windows/keep-secure/tpm-recommendations.md +++ b/windows/keep-secure/tpm-recommendations.md @@ -63,7 +63,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary. - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee. -- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a sinple semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. +- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. ## Discrete, Integrated or Firmware TPM? diff --git a/windows/keep-secure/vpn-name-resolution.md b/windows/keep-secure/vpn-name-resolution.md index d9a7d32a58..a167777105 100644 --- a/windows/keep-secure/vpn-name-resolution.md +++ b/windows/keep-secure/vpn-name-resolution.md 
@@ -21,11 +21,11 @@ The name resolution setting in the VPN profile configures how name resolution sh ## Name Resolution Policy table (NRPT) -The NRPT is a table of namespaces that determines the DNS client’s havior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache. +The NRPT is a table of namespaces that determines the DNS client’s behavior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache. There are 3 types of name matches that can set up for NRPT: -- Fully qualified domain name (FQDN) that can used for direct matching to a name +- Fully qualified domain name (FQDN) that can be used for direct matching to a name - Suffix match results in either a comparison of suffixes (for FQDN resolution) or the appending of the suffix (in case of a short name) diff --git a/windows/keep-secure/vpn-routing.md b/windows/keep-secure/vpn-routing.md index 5065c6aaa5..3372161696 100644 --- a/windows/keep-secure/vpn-routing.md +++ b/windows/keep-secure/vpn-routing.md @@ -23,7 +23,7 @@ In a split tunnel configuration, routes can be specified to go over VPN and all Routes can be configured using the VPNv2/*ProfileName*/RouteList setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx). -For each route item in the list the following can be specified: +For each route item in the list, the following can be specified: - **Address**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Address - **Prefix size**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Prefix 
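Review bot: in the vpn-name-resolution.md hunk, the context line "There are 3 types of name matches that can set up for NRPT" has the same dropped verb that this change fixes two lines below ("can used" to "can be used"); while touching this paragraph, change it to "that can be set up for NRPT".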
@@ -37,11 +37,11 @@ Routes can also be added at connect time through the server for UWP VPN apps. In a force tunnel configuration, all traffic will go over VPN. This is the default configuration and takes effect if no routes are specified. -The only implication of this setting is the manipulation of routing entries. In the case of a force Tunnel VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower Metric than ones for other interfaces. This sends traffic through the VPN as long as there isn’t a specific route on the Physical Interface itself. +The only implication of this setting is the manipulation of routing entries. In the case of a force tunnel, VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower metric than ones for other interfaces. This sends traffic through the VPN as long as there isn’t a specific route on the physical interface itself. For built-in VPN, this decision is controlled using the MDM setting **VPNv2/ProfileName/NativeProfile/RoutingPolicyType**. -For a UWP VPN plug-in, this property is directly controlled by the app. If the VPN plug-in passes only 2 include routes (default route for both v4 and v6), the Windows VPN Platform marks the VPN as force tunnel. +For a UWP VPN plug-in, this property is directly controlled by the app. If the VPN plug-in indicates the default route for IPv4 and IPv6 as the only two Inclusion routes, the VPN platform marks the connection as Force Tunneled. ## Configure routing diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index 3b0726ab4b..6333401752 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md 
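Review bot: the rewritten force-tunnel sentence still reads "(for example. 0.0.0.0/0)"; the period should be a comma, and since the sentence speaks of both V4 and V6 default routes the IPv6 example ::/0 belongs there too. The same line states the security-relevant limit of this setting, that traffic bypasses the VPN whenever a more specific route exists on the physical interface, and it would help to say plainly that force tunnel is a metric-based routing preference, not enforcement: a reader deploying it to keep traffic off the local network needs a separate control for that, because the routing table alone cannot guarantee it.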
@@ -21,7 +21,7 @@ This guide provides a detailed description of the most important security improv #### Introduction Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors. Three broad categories of security work went into Windows 10: -- [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users’ credentials. +- [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello for Business, which better protects user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users’ credentials. - [**Information protection**](#information) that guards information at rest, in use, and in transit. In addition to BitLocker and BitLocker To Go for protection of data at rest, Windows 10 includes file-level encryption with Enterprise Data Protection that performs data separation and containment and, when combined with Rights Management services, can keep data encrypted when it leaves the corporate network. Windows 10 can also help keep data secure by using virtual private networks (VPNs) and Internet Protocol Security. - [**Malware resistance**](#malware) includes architectural changes that can isolate critical system and security components from threats. 
Several new features in Windows 10 help reduce the threat of malware, including VBS, Device Guard, Microsoft Edge, and an entirely new version of Windows Defender. In addition, the many antimalware features from the Windows 8.1 operating system— including AppContainers for application sandboxing and numerous boot-protection features, such as Trusted Boot—have been carried forward and improved in Windows 10. @@ -50,7 +50,7 @@ Table 1. Windows 10 solutions to typical access control challenges

Organizations frequently use passwords because the alternative methods are too complex and costly to deploy.

Organizations that choose password alternatives such as smart cards must purchase and manage smart card readers, smart cards, and management software. These solutions delay productivity when the MFA component is lost or damaged. Consequently, MFA solutions like smart cards tend to be used only for VPN and select assets.

-

Windows Hello on biometric-capable devices and Microsoft Passport enable simpler MFA.

+

Windows Hello for Business enables simpler MFA.

Tablet users must type their password on a touchscreen, which is error prone and less efficient than a keyboard.

@@ -62,7 +62,7 @@ Table 1. Windows 10 solutions to typical access control challenges

Users dislike typing their passwords.

-

Single sign-on (SSO) allows users to sign in once with their Microsoft Passport and get access to all corporate resources without the need to re-authenticate.

+

Single sign-on (SSO) allows users to sign in once with Windows Hello and get access to all corporate resources without the need to re-authenticate.

Windows Hello enables secure fingerprint- and facial recognition–based authentication and can be used to revalidate user presence when sensitive resources are accessed.

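Review bot: the two added table cells in this region are inconsistent with each other: the hunk at @@ -50 says "Windows Hello for Business enables simpler MFA" while this one says users "sign in once with Windows Hello and get access to all corporate resources"; both cells describe the enterprise SSO/MFA scenario, so use the same name in both (the note added under "### Windows Hello" later in this file explains the naming, so the table should follow whichever form that note establishes).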
@@ -74,36 +74,39 @@ Table 1. Windows 10 solutions to typical access control challenges   The sections that follow describe these challenges and solutions in more detail. -### Microsoft Passport +### Windows Hello -Microsoft Passport provides strong two-factor authentication (2FA), fully integrated into Windows, and replaces passwords with the combination of an enrolled device and either a PIN or Windows Hello. Microsoft Passport is conceptually similar to smart cards but more flexible. Authentication is performed by using an asymmetric key pair instead of a string comparison (for example, password), and the user’s key material can be secured by using hardware. -Unlike smart cards, Microsoft Passport does not require the extra infrastructure components required for smart card deployment. In particular, you do not need public key infrastructure (PKI). If you already use PKI – for example, in secure email or VPN authentication – you can use the existing infrastructure with Microsoft Passport. Microsoft Passport combines the major advantages of smart card technology – deployment flexibility for virtual smart cards and robust security for physical smart cards – without any of their drawbacks. +Windows Hello provides strong two-factor authentication (2FA), fully integrated into Windows, and replaces passwords with the combination of an enrolled device and either a PIN or biometric gesture. Windows Hello is conceptually similar to smart cards but more flexible. Authentication is performed by using an asymmetric key pair instead of a string comparison (for example, password), and the user’s key material can be secured by using hardware. +Unlike smart cards, Windows Hello does not require the extra infrastructure components required for smart card deployment. In particular, you do not need public key infrastructure (PKI). If you already use PKI – for example, in secure email or VPN authentication – you can use the existing infrastructure with Windows Hello. 
Windows Hello combines the major advantages of smart card technology – deployment flexibility for virtual smart cards and robust security for physical smart cards – without any of their drawbacks. -Microsoft Passport offers three significant advantages over the current state of Windows authentication: It’s more flexible, it’s based on industry standards, and it effectively mitigates risks. The sections that follow look at each of these advantages in more detail. +>[!NOTE] +>When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Windows Hello offers three significant advantages over the current state of Windows authentication: It’s more flexible, it’s based on industry standards, and it effectively mitigates risks. The sections that follow look at each of these advantages in more detail. #### It’s flexible -Microsoft Passport offers unprecedented flexibility. Although the format and use of passwords and smart cards is fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with biometric sensors and PINs. Next, you can use your PC or even your phone as one of the factors to authenticate on your PC. Finally, your user credentials can come from your PKI infrastructure, or Windows can create the credential itself. +Windows Hello offers unprecedented flexibility. 
Although the format and use of passwords and smart cards is fixed, Windows Hello gives both administrators and users options to manage authentication. First and foremost, Windows Hello works with biometric sensors and PINs. Next, you can use your PC or even your phone as one of the factors to authenticate on your PC. Finally, your user credentials can come from your PKI infrastructure, or Windows can create the credential itself. -Microsoft Passport gives you options beyond long, complex passwords. Instead of requiring users to memorize and retype frequently-changed passwords, Microsoft Passport enables PIN- and biometrics-based authentication through Windows Hello to securely identify users. +MWindows Hello gives you options beyond long, complex passwords. Instead of requiring users to memorize and retype frequently-changed passwords, Windows Hello enables PIN- and biometrics-based authentication to securely identify users. -With Microsoft Passport, you gain flexibility in the data center, too. To deploy it, you must add Windows Server 2016 domain controllers to your Active Directory environment, but you do not have to replace or remove your existing Active Directory servers: Microsoft Passport builds on and adds to your existing infrastructure. You can either add on premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport to your network. The choice of which users to enable for Microsoft Passport use is completely up to you – you choose which items to protect and which authentication factors you want to support. This flexibility makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding 2FA to users who do not currently have it, or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems. +With Windows Hello for Business, you gain flexibility in the data center, too. 
To deploy it, you must add Windows Server 2016 domain controllers to your Active Directory environment, but you do not have to replace or remove your existing Active Directory servers: Windows Hello for Business builds on and adds to your existing infrastructure. You can either add on premises servers or use Microsoft Azure Active Directory to deploy Windows Hello for Business to your network. The choice of which users to enable for Windows Hello for Business use is completely up to you – you choose which items to protect and which authentication factors you want to support. This flexibility makes it easy to use Windows Hello for Business to supplement existing smart card or token deployments by adding 2FA to users who do not currently have it, or to deploy Windows Hello for Business in scenarios that call for extra protection for sensitive resources or systems. #### It’s standardized Both software vendors and enterprise customers have come to realize that proprietary identity and authentication systems are a dead end: The future lies with open, interoperable systems that allow secure authentication across a variety of devices, line of business (LOB) apps, and external applications and websites. To this end, a group of industry players formed FIDO, the Fast IDentity Online Alliance. The FIDO Alliance is a nonprofit organization intended to address the lack of interoperability among strong authentication devices, as well as the problems users face when they need to create and remember multiple user names and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. 
This new standard for security devices and browser plug ins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security. -In 2014, Microsoft joined the board of the [FIDO Alliance](https://go.microsoft.com/fwlink/p/?LinkId=626934). FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards, and of course, on new ideas. Microsoft has contributed Microsoft Passport technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike. +In 2014, Microsoft joined the board of the [FIDO Alliance](https://go.microsoft.com/fwlink/p/?LinkId=626934). FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards, and of course, on new ideas. 
Microsoft has contributed Windows Hello technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike. #### It’s effective -Microsoft Passport effectively mitigates two major security risks. First, it eliminates the use of passwords for logon and so reduces the risk that a nefarious attacker will steal and reuse the user’s credentials. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Second, because Microsoft Passport uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. +Windows Hello effectively mitigates two major security risks. First, it eliminates the use of passwords for sign-in and so reduces the risk that a nefarious attacker will steal and reuse the user’s credentials. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Second, because Windows Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. -To compromise a Microsoft Passport credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. This sets the bar magnitudes of order higher than password phishing attacks. 
+To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. This sets the bar magnitudes of order higher than password phishing attacks. -### Windows Hello +### Biometric sign-in -Windows Hello is the name given to the new biometric sign-in option for Microsoft Passport. Because biometric authentication is built directly into the operating system, Windows Hello allows users to unlock their devices by using their face or fingerprint. From here, authentication to the devices and resources is enabled through a combination of the user’s unique biometric identifier and the device itself. +Because biometric authentication is built directly into the operating system, Windows Hello allows users to unlock their devices by using their face or fingerprint. From here, authentication to the devices and resources is enabled through a combination of the user’s unique biometric identifier and the device itself. The user’s biometric data that is used for Windows Hello is considered a local gesture and consequently doesn’t roam among a user’s devices and is not centrally stored. The biometric image of the user the sensor takes is converted into an algorithmic form that cannot be converted back into the original image that the sensor took. Devices that have TPM 2.0 encrypt the biometric data in a form that makes it unreadable if the data is ever removed from the device. If multiple users share a device, each user will be able to enroll and use Windows Hello for his or her Windows profile. 
@@ -450,7 +453,7 @@ Several Windows 10 security features require TPM: * Health attestation (requires TPM 2.0 or later) * InstantGo (requires TPM 2.0 or later) -Other Windows 10 security features like BitLocker may take advantage of TPM if it is available but do not require it to work. An example of this is Microsoft Passport. +Other Windows 10 security features like BitLocker may take advantage of TPM if it is available but do not require it to work. An example of this is Windows Hello for Business. All of these features are covered in this document. diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md index eae687dfc0..969c7bc490 100644 --- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md +++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md 
@@ -83,7 +83,7 @@ An added work account provides the same SSO experience in browser apps like Offi - **Windows Hello** - Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policiesusing controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004) + Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policies using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004) - **Conditional access**
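Review bot: In the Windows Hello rename hunk (the "It's effective" paragraphs), the updated text still states unconditionally that "User key material is generated and available within the Trusted Platform Module (TPM) of the user device", while the TPM hunk later in this same patch says Windows Hello "may take advantage of TPM if it is available but do not require it to work". Scope the claim, for example "On devices with a TPM, user key material is generated and protected within the TPM", so the physical-access and anti-hammering argument that follows is not read as applying to software-backed keys. Since these lines are being rewritten anyway, also fix the carried-over errors in them: "asymmetrical key pairs" should be "asymmetric key pairs", "users credentials" should be "users' credentials", and "magnitudes of order higher" should be "orders of magnitude higher".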
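Review bot: The TPM hunk (`@@ -450,7 +453,7 @@`) replaces "Microsoft Passport" with "Windows Hello for Business", but the other hunks in this patch replace the same term with plain "Windows Hello". Pick one name for the enterprise credential and use it consistently across the patch, or, if the distinction is intentional, add a sentence in the TPM topic that says what separates Windows Hello for Business from Windows Hello.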
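Review bot: The Azure AD join hunk (`@@ -83,7 +83,7 @@`) fixes only the missing space in "policiesusing" and leaves the other defects on the same line: "perform an multi-factor authentication" should be "perform multi-factor authentication", and "Creating a Windows Hello (PIN)" reads better as "Creating a Windows Hello PIN". Since the line is already changed, correct these in the same edit.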