From 926625a693dbc3771b15bfd5f80c853ccbcddd95 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 22 Apr 2025 07:57:56 +0200 Subject: [PATCH 1/2] notes updates --- .../hello-for-business/includes/expiration.md | 8 +++++++- .../hello-for-business/includes/history.md | 6 +++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/includes/expiration.md b/windows/security/identity-protection/hello-for-business/includes/expiration.md index 498fe0730d..2d978ef7af 100644 --- a/windows/security/identity-protection/hello-for-business/includes/expiration.md +++ b/windows/security/identity-protection/hello-for-business/includes/expiration.md @@ -17,4 +17,10 @@ The default value is 0. | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**| > [!NOTE] -> Starting with Windows 11, version 24H2, Windows Hello is further hardened by default to use Virtualization-based security (VBS) to isolate credentials. This enhancement is automatically applied on devices that support VBS and have it enabled. However, it's important to note that PIN expiration is not supported on such devices. This change aims to enhance security by ensuring that credentials are protected in a more secure environment. \ No newline at end of file +>Starting with Windows 11, version 23H2, devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) isolate credentials using Virtualization-based security (VBS). +> +> Starting with Windows 11, version 24H2, Windows Hello is enhanced to automatically use VBS to isolate credentials on all devices that support and have VBS enabled. +> +> On such devices, PIN expiration is not supported. + + 
diff --git a/windows/security/identity-protection/hello-for-business/includes/history.md b/windows/security/identity-protection/hello-for-business/includes/history.md index 80d06d2b1b..4571c2398b 100644 --- a/windows/security/identity-protection/hello-for-business/includes/history.md +++ b/windows/security/identity-protection/hello-for-business/includes/history.md @@ -20,4 +20,8 @@ The default value is 0. | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** | > [!NOTE] -> Starting with Windows 11, version 24H2, Windows Hello is further hardened by default to use Virtualization-based security (VBS) to isolate credentials. This enhancement is automatically applied on devices that support VBS and have it enabled. However, it's important to note that PIN history is not supported on such devices. This change aims to enhance security by ensuring that credentials are protected in a more secure environment. +>Starting with Windows 11, version 23H2, devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) isolate credentials using Virtualization-based security (VBS). +> +> Starting with Windows 11, version 24H2, Windows Hello is enhanced to automatically use VBS to isolate credentials on all devices that support and have VBS enabled. +> +> On such devices, PIN history is not supported. From a26298fb56b406c4dc00c60d43dbf466aac69fc1 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 22 Apr 2025 08:10:05 +0200 Subject: [PATCH 2/2] updates --- .../hello-for-business/includes/expiration.md | 4 ++-- .../hello-for-business/includes/history.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/windows/security/identity-protection/hello-for-business/includes/expiration.md b/windows/security/identity-protection/hello-for-business/includes/expiration.md index 2d978ef7af..88a546837d 100644 --- a/windows/security/identity-protection/hello-for-business/includes/expiration.md +++ b/windows/security/identity-protection/hello-for-business/includes/expiration.md @@ -17,9 +17,9 @@ The default value is 0. | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**| > [!NOTE] ->Starting with Windows 11, version 23H2, devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) isolate credentials using Virtualization-based security (VBS). +> Starting with Windows 11, version 23H2, Windows Hello uses Virtualization-based security (VBS) to isolate credentials on devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security). > -> Starting with Windows 11, version 24H2, Windows Hello is enhanced to automatically use VBS to isolate credentials on all devices that support and have VBS enabled. +> Starting with Windows 11, version 24H2, Windows Hello uses VBS to isolate credentials on all devices that have VBS enabled. > > On such devices, PIN expiration is not supported. diff --git a/windows/security/identity-protection/hello-for-business/includes/history.md b/windows/security/identity-protection/hello-for-business/includes/history.md index 4571c2398b..2b1c3e1f91 100644 --- a/windows/security/identity-protection/hello-for-business/includes/history.md +++ b/windows/security/identity-protection/hello-for-business/includes/history.md 
@@ -20,8 +20,8 @@ The default value is 0. | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** | > [!NOTE] ->Starting with Windows 11, version 23H2, devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) isolate credentials using Virtualization-based security (VBS). +> Starting with Windows 11, version 23H2, Windows Hello uses Virtualization-based security (VBS) to isolate credentials on devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security). > -> Starting with Windows 11, version 24H2, Windows Hello is enhanced to automatically use VBS to isolate credentials on all devices that support and have VBS enabled. +> Starting with Windows 11, version 24H2, Windows Hello uses VBS to isolate credentials on all devices that have VBS enabled. > > On such devices, PIN history is not supported.
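Review bot: In PATCH 1/2, the expiration.md hunk ends with two added empty lines after "> On such devices, PIN expiration is not supported." where the old file had no trailing newline. A single terminating newline is enough; drop the extra blank line so the include does not inject vertical whitespace into the pages that pull it in. The first added line also starts ">Starting" with no space after the quote marker, unlike the other note lines.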
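Review bot: In PATCH 1/2, the history.md hunk labels the link "Enhanced Security Settings (ESS)", but the target is /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security. The link text and the slug name different things. Please confirm the feature name and make the link text match the linked article. The same link text is in the expiration.md hunk and is carried unchanged through PATCH 2/2 in both files.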
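Review bot: In PATCH 2/2, the expiration.md hunk closes with "On such devices, PIN expiration is not supported", which leaves two things open for an administrator. "Such devices" follows two paragraphs (23H2 with ESS support, 24H2 with VBS enabled), so the antecedent is ambiguous. Consider "On devices where Windows Hello uses VBS to isolate credentials, ...". The note also does not say what happens to an expiration value that is already configured through the GPO shown in the table above. State whether the setting is ignored on those devices, so nobody assumes PIN rotation is still being enforced.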
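Review bot: In PATCH 2/2, the history.md hunk is word for word the same note as the expiration.md hunk except for "history" in the last line, and this series has already had to edit both copies twice. Consider moving the two "Starting with Windows 11 ..." paragraphs into one shared include and keeping only the final "is not supported" sentence per file, so the version statements cannot drift apart.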