From 6cb7da1220a4439fd3693a9e88a7458a15d72e7b Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Wed, 29 Aug 2018 08:39:42 -0700 Subject: [PATCH] Latest rounds of updates and more content on password-less. --- .../hello-for-business/hello-deployment-guide.md | 15 +++++++-------- .../hello-for-business/hello-faq.md | 6 +++--- .../hello-for-business/hello-features.md | 4 ++-- .../hello-for-business/passwordless-strategy.md | 6 ++---- .../identity-protection/hello-for-business/toc.md | 7 +++++-- 5 files changed, 19 insertions(+), 19 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index cdcf8b31d6..d2b2d4db85 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -9,16 +9,14 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 11/08/2017 +ms.date: 08/29/2018 --- # Windows Hello for Business Deployment Guide **Applies to** -- Windows 10 +- Windows 10, version 1703 or later -> This guide only applies to Windows 10, version 1703 or higher. - Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment. 
@@ -50,10 +48,11 @@ The trust model determines how you want users to authenticate to the on-premises * The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. Following are the various deployment guides included in this topic: -* [Hybrid Key Trust Deployment](hello-hybrid-key-trust.md) -* [Hybrid Certificate Trust Deployment](hello-hybrid-cert-trust.md) -* [On Premises Key Trust Deployment](hello-deployment-key-trust.md) -* [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) +- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) +- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) +- [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) +- [On Premises Key Trust Deployment](hello-deployment-key-trust.md) +- [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) ## Provisioning diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 073438b384..9b08fb9236 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md 
@@ -36,7 +36,7 @@ When using Windows Hello for Business, the PIN is not a symmetric key where is t The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It is about the difference of providing entropy vs continuing the use of a symmetric key (the password). The TPM has anti-hammering features which thwart brute-force PIN attacks (an attackers continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increased the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. -## Why can I not see the Key Admins group, I have Windows Server 2016 domain controller(s)> +## Why can I not see the Key Admins group, I have Windows Server 2016 domain controller(s) The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016. ## Can I use convenience PIN with Azure AD? @@ -49,7 +49,7 @@ No. Windows 10 currently only supports one Windows Hello for Business camera and Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less** -[Microsoft's passwordless strategy](hello-videos.md#microsofts-passwordless-strategy) +[Microsoft's password-less strategy](hello-videos.md#microsofts-passwordless-strategy) ## What is the user experience for Windows Hello for Business? 
@@ -65,7 +65,7 @@ If the user can sign-in with a password, they can reset their PIN by clicking th For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. -## What URLs do I need to whitelist for a hybrid deployment? +## What URLs do I need to allow for a hybrid deployment? Communicating with Azure Active Directory uses the following URLs: - enterpriseregistration.windows.net diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index a4c4df89e6..e2b41106fc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -94,7 +94,7 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw The Microsoft PIN reset services enables you to help users who have forgotten their PIN. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. ->[!IMPORTANT +>[!IMPORTANT] > The Microsoft PIN Reset service only works with Windows 10, version 1709 or later **Enterprise Edition**. The feature does not work with the **Pro** edition.] #### Onboarding the Microsoft PIN reset service to your Intune tenant 
@@ -123,7 +123,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 ##### Create a PIN Reset Device configuration profile using Microsoft Intune 1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. -2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer. +2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.
``` dsregcmd /status | findstr -snip "tenantid" ``` diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 357be2c2d0..e085b60277 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -207,7 +207,7 @@ The policy name for these operating systems is **Interactive logon: Require smar The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**. ![securityPolicyRSAT](images/passwordless/00-updatedsecuritypolicytext.png) -When you enables this security policy setting, Windows prevents users from signing in or unlock Windows using a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. +When you enables this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. #### Excluding the password credential provider You can use Group Policy to deploy an administrative template policy settings to the computer. This policy settings is found under **Computer Configuration > Policies > Administrative Templates > Logon** 
@@ -219,9 +219,7 @@ The name of the policy setting is **Exclude credential providers**. The value to Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. #### Validate all workflows do not need passwords - - - +This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a passwords. Users will be blocked is any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. ### Transition into a password-less (Step 3) diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md index 6b4852ef90..de55fa465e 100644 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ b/windows/security/identity-protection/hello-for-business/toc.md 
@@ -20,7 +20,7 @@ ## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md) ### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) -#### [Prerequistes](hello-hybrid-key-trust-prereqs.md) +#### [Prerequisites](hello-hybrid-key-trust-prereqs.md) #### [New Installation Baseline](hello-hybrid-key-new-install.md) #### [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) #### [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) @@ -33,6 +33,7 @@ #### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) #### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md) #### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) + ### [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) #### [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) #### [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md) @@ -56,4 +57,6 @@ ### [Multifactor Unlock](feature-multifactor-unlock.md) ## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.md) -### [Windows Hello for Business Videos](hello-videos.md) \ No newline at end of file +### [Windows Hello for Business Videos](hello-videos.md) + +##[Password-less Strategy](passwordless-strategy.md) \ No newline at end of file
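Review bot: In the hello-deployment-guide.md hunk at @@ -50,10 +48,11 the list bullets switch from `*` to `-`, while the unchanged context just above it (`* The certificate trust model also supports enterprises ...`) still uses `*`, so the file now mixes two bullet characters; keep `*` for the new list, or convert the other list in the same change.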
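Review bot: In the hello-faq.md hunk at @@ -36,7 +36,7 the stray `>` is removed from the heading, but the heading is still a comma splice; consider `## Why can I not see the Key Admins group when I have Windows Server 2016 domain controller(s)?`.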
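Review bot: In the hello-faq.md hunk at @@ -49,7 +49,7 the link text changes `passwordless` to `password-less`, while the anchor `#microsofts-passwordless-strategy`, the target file `passwordless-strategy.md` and the video title `Microsoft's guide for going password-less` two lines above mix both spellings; pick one spelling for the term and use it consistently (the link still resolves, since only the visible text changed).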
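Review bot: In the hello-faq.md hunk at @@ -65,7 +65,7 the reworded heading `What URLs do I need to allow for a hybrid deployment?` loses the object that `whitelist` implied, so it is unclear what is allowing the URLs; say it explicitly, e.g. `What URLs do I need to allow access to for a hybrid deployment?`.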
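Review bot: In the hello-features.md hunk at @@ -94,7 +94,7 the opening `>[!IMPORTANT]` is fixed, but the stray closing bracket at the end of the following line (`**Pro** edition.]`) is left in place, so the rendered callout still ends with a literal `]`; drop that trailing `]` in the same change: `> The Microsoft PIN Reset service only works with Windows 10, version 1709 or later **Enterprise Edition**. The feature does not work with the **Pro** edition.`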
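Review bot: In the hello-features.md hunk at @@ -123,7 +123,7 the removed and added lines read identically, so this appears to be a whitespace-only change; since the line is being touched anyway, fix `You can discovery your tenant ID viewing the **Properties**` to `You can discover your tenant ID by viewing the **Properties**`.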
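Review bot: In the passwordless-strategy.md hunk at @@ -207,7 +207,7 the rewritten sentence still begins `When you enables this security policy setting`; change `enables` to `enable` while the line is being edited.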
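Review bot: In the passwordless-strategy.md hunk at @@ -219,9 +219,7 the new paragraph has two grammar errors: `your users will not be able to use a passwords` should read `use a password`, and `Users will be blocked is any of their workflows ask them for a password` should read `blocked if any of their workflows`. The same paragraph also mixes `workflows` and `work flows`; use one form.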
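Review bot: In the toc.md hunk at @@ -56,4 +57,6 the new entry `##[Password-less Strategy](passwordless-strategy.md)` has no space after `##`, so Markdown will not render it as a level-2 heading and the page will be missing from the TOC; use `## [Password-less Strategy](passwordless-strategy.md)`. The file also still ends without a trailing newline (`\ No newline at end of file`); add one while the last line is being changed.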