From 94f78453bad7c797d943b33a581704c78187a2c4 Mon Sep 17 00:00:00 2001 From: Michael Epping Date: Fri, 20 Jun 2025 10:33:25 -0700 Subject: [PATCH 1/5] Update faq.yml w/ convenience PIN details Providing more clarity on how convenience PINs do and do not work with Entra after receiving feedback from a confused customer. --- windows/security/identity-protection/hello-for-business/faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml index 3a5d20bea8..fdfbfa22b6 100644 --- a/windows/security/identity-protection/hello-for-business/faq.yml +++ b/windows/security/identity-protection/hello-for-business/faq.yml 
@@ -177,7 +177,7 @@ sections: *Convenience PIN* provides a simpler way to sign in to Windows than passwords, but it still uses a password for authentication. When the correct convenience PIN is provided to Windows, the password information is loaded from its cache and authenticates the user. Organizations using convenience PINs should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs. - question: Can I use a convenience PIN with Microsoft Entra ID? answer: | - No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users. + No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for authenticating Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for authenticating users to on-premises Active Directory users and local account users. Organizations that want to authenticate to Microsoft Entra should deploy Windows Hello for Business, which provides users with an Entra credential that can be used to authenticate to Entra-protected resources. Organizations that do not use Windows Hello for Business can choose to deploy convenience PINs on their workstations, including Entra Joined or Entra Hybrid Joined workstations, but convience PIN will not be able to provide authentication or SSO to Entra. - question: What about virtual smart cards? answer: | Windows Hello for Business is the modern, two-factor authentication for Windows. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. From ae820cfcf02968c4b379e804b1e26851b4873c94 Mon Sep 17 00:00:00 2001 
From: Michael Epping Date: Fri, 20 Jun 2025 10:36:47 -0700 Subject: [PATCH 2/5] Update faq.yml --- windows/security/identity-protection/hello-for-business/faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml index fdfbfa22b6..8e5bac9241 100644 --- a/windows/security/identity-protection/hello-for-business/faq.yml +++ b/windows/security/identity-protection/hello-for-business/faq.yml 
@@ -177,7 +177,7 @@ sections: *Convenience PIN* provides a simpler way to sign in to Windows than passwords, but it still uses a password for authentication. When the correct convenience PIN is provided to Windows, the password information is loaded from its cache and authenticates the user. Organizations using convenience PINs should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs. - question: Can I use a convenience PIN with Microsoft Entra ID? answer: | - No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for authenticating Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for authenticating users to on-premises Active Directory users and local account users. Organizations that want to authenticate to Microsoft Entra should deploy Windows Hello for Business, which provides users with an Entra credential that can be used to authenticate to Entra-protected resources. Organizations that do not use Windows Hello for Business can choose to deploy convenience PINs on their workstations, including Entra Joined or Entra Hybrid Joined workstations, but convience PIN will not be able to provide authentication or SSO to Entra. + No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for authenticating Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for authenticating users to on-premises Active Directory and local account users. Organizations that want to authenticate to Microsoft Entra should deploy Windows Hello for Business, which provides users with an Entra credential that can be used to access Entra-protected resources. 
Organizations that do not use Windows Hello for Business can choose to deploy convenience PINs on their workstations, including Entra Joined or Entra Hybrid Joined workstations used by on-premises or synchronized user accounts, but convience PIN will not be able to provide authentication or SSO to Entra. The convenience PIN may still be used for logging into the user's PC or for storing other credentials used by the organization, such as certificates or passkeys. - question: What about virtual smart cards? answer: | Windows Hello for Business is the modern, two-factor authentication for Windows. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. From 672c44e3d2e591db29681cb53764d284fc59f199 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Mon, 23 Jun 2025 22:20:06 +0530 Subject: [PATCH 3/5] typo fix --- windows/security/identity-protection/hello-for-business/faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml index 8e5bac9241..a699721541 100644 --- a/windows/security/identity-protection/hello-for-business/faq.yml +++ b/windows/security/identity-protection/hello-for-business/faq.yml 
@@ -177,7 +177,7 @@ sections: *Convenience PIN* provides a simpler way to sign in to Windows than passwords, but it still uses a password for authentication. When the correct convenience PIN is provided to Windows, the password information is loaded from its cache and authenticates the user. Organizations using convenience PINs should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs. - question: Can I use a convenience PIN with Microsoft Entra ID? answer: | - No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for authenticating Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for authenticating users to on-premises Active Directory and local account users. Organizations that want to authenticate to Microsoft Entra should deploy Windows Hello for Business, which provides users with an Entra credential that can be used to access Entra-protected resources. Organizations that do not use Windows Hello for Business can choose to deploy convenience PINs on their workstations, including Entra Joined or Entra Hybrid Joined workstations used by on-premises or synchronized user accounts, but convience PIN will not be able to provide authentication or SSO to Entra. The convenience PIN may still be used for logging into the user's PC or for storing other credentials used by the organization, such as certificates or passkeys. + No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for authenticating Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for authenticating users to on-premises Active Directory and local account users. 
Organizations that want to authenticate to Microsoft Entra should deploy Windows Hello for Business, which provides users with an Entra credential that can be used to access Entra-protected resources. Organizations that do not use Windows Hello for Business can choose to deploy convenience PINs on their workstations, including Entra Joined or Entra Hybrid Joined workstations used by on-premises or synchronized user accounts, but convenience PIN will not be able to provide authentication or SSO to Entra. The convenience PIN may still be used for logging into the user's PC or for storing other credentials used by the organization, such as certificates or passkeys. - question: What about virtual smart cards? answer: | Windows Hello for Business is the modern, two-factor authentication for Windows. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. From ca71358f5aa35594139f10558ae1ff30e6dd5239 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 23 Jun 2025 11:47:26 -0700 Subject: [PATCH 4/5] dev-link-recall-export-10157127 --- windows/client-management/manage-recall.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/client-management/manage-recall.md b/windows/client-management/manage-recall.md index a60af3d1fa..87bd62fe99 100644 --- a/windows/client-management/manage-recall.md +++ b/windows/client-management/manage-recall.md @@ -3,7 +3,7 @@ title: Manage Recall for Windows clients description: Learn how to manage Recall for commercial environments and about Recall features. ms.topic: how-to ms.subservice: windows-copilot -ms.date: 06/13/2025 +ms.date: 06/23/2025 ms.author: mstewart author: mestew ms.collection: 
@@ -185,7 +185,7 @@ Before starting an export, the user must authenticate with Windows Hello and the > [!Important] > - This setting applies to devices in the European Economic Area (EEA) only. Export of Recall snapshots is a user-initiated process and is per user. IT admins or other users can't initiate an export on behalf of another. > - Changes to this policy take effect after device restart. -> - Developer documentation will be coming at a later date. +> - For information about adding exported Recall snapshots to your application or website, see [Decrypt exported snapshots from Recall](/windows/ai/recall/decrypt-exported-snapshots). |   | Setting | |---|---| 
@@ -226,6 +226,8 @@ If you're a developer and want to launch Recall, you can call the `ms-recall` pr If your remote desktop connection doesn't support screen capture protection, then it's an easy feature to add. Windows allows applications to exclude their window from being included in screenshot. This DRM flag is set by the application as a property on its window. It's a simple feature for application developers to implement using [SetWindowDisplayAffinity function (winuser.h)](/windows/win32/api/winuser/nf-winuser-setwindowdisplayaffinity). By setting the flag `WDA_EXCLUDEFROMCAPTURE`, the window content won't show up in Recall or any other screenshot application. +If you're a developer and need information about adding exported Recall snapshots to your application or website, see [Decrypt exported snapshots from Recall](/windows/ai/recall/decrypt-exported-snapshots). + ## Microsoft's commitment to responsible AI Microsoft has been on a responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first. For more about our responsible AI journey, the ethical principles that guide us, and the tooling and capabilities we've created to assure that we develop AI technology responsibly, see [Responsible AI](https://www.microsoft.com/ai/responsible-ai). From 840476b576601f865243abea43df8979aa62201f Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 24 Jun 2025 08:02:24 -0700 Subject: [PATCH 5/5] esu-limitation-tweak --- windows/whats-new/extended-security-updates.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md index bc82cb99ae..11e8ff3f33 100644 --- a/windows/whats-new/extended-security-updates.md +++ b/windows/whats-new/extended-security-updates.md 
@@ -8,7 +8,7 @@ author: mestew manager: bpardi ms.localizationpriority: medium ms.topic: article -ms.date: 05/21/2025 +ms.date: 06/24/2025 ms.collection: - highpri - tier2 @@ -36,7 +36,7 @@ ESUs doesn't include the following items: - New features - Customer-requested nonsecurity updates - Design change requests -- General support won't be provided for Windows versions past the end of support date. The Windows 10 ESU only includes support for the license activation, installation, and possible regressions of the ESU itself. To get technical support for the ESU, organizations must have an active [support plan](https://www.microsoft.com/microsoft-unified) in place. +- General support won't be provided for Windows versions past the end of support date. The Windows 10 ESU only includes support for the license activation, installation, and possible regressions of the ESU itself. To get technical support for these issues related to the ESU, organizations must have an active [support plan](https://www.microsoft.com/microsoft-unified) in place.
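Review bot: in [PATCH 1/5], the answer to "Can I use a convenience PIN with Microsoft Entra ID?" still opens with "No." while the added sentences say organizations "can choose to deploy convenience PINs on their workstations, including Entra Joined or Entra Hybrid Joined workstations". A reader who stops at "No." gets a different message from one who reads to the end. Consider splitting the answer into two short paragraphs: what isn't supported (authenticating or SSO to Entra), then what still works (signing in to the device with an on-premises or local account). The previous answer in the same file says "New Windows deployments should deploy Windows Hello for Business and not convenience PINs", so the "can choose to deploy" wording should point back to that recommendation rather than read as an equal alternative.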
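Review bot: in [PATCH 2/5], the new last sentence says the convenience PIN may be used "for storing other credentials used by the organization, such as certificates or passkeys", but the FAQ entry just above describes the convenience PIN only as loading cached password information. Nothing in the visible text explains how a PIN stores certificates or passkeys. Please clarify whether the PIN stores these credentials or only unlocks access to them on the device, and link to the page that documents that behavior.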
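Review bot: [PATCH 3/5] fixes "convience" but leaves two wording issues in the same added line. "authenticating users to on-premises Active Directory and local account users" still reads as authenticating users to users; something like "only supported for on-premises Active Directory users and local account users" (the original wording) is clearer. The line also mixes "Microsoft Entra joined and Microsoft Entra hybrid joined" with "Entra Joined or Entra Hybrid Joined" and bare "Entra"; pick one form and casing throughout the answer. Since patches 1 to 3 rewrite the same single line, they could be squashed into one commit.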
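Review bot: in [PATCH 4/5], the paragraph added at @@ -226,6 +226,8 @@ repeats the link already added to the Important note at @@ -185,7 +185,7 @@ but drops the scope. The note states that export applies to devices in the European Economic Area (EEA) only, while the new developer paragraph reads as if exported snapshots are generally available. Add the EEA qualifier to the new paragraph, or refer back to the export section instead of restating the link. The link text "Decrypt exported snapshots from Recall" also doesn't match the lead-in "adding exported Recall snapshots to your application or website"; say "decrypting" in the sentence so readers know what the target page covers.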
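Review bot: in [PATCH 5/5], hunk @@ -36,7 +36,7 @@, "To get technical support for these issues related to the ESU" is wordy and "these issues" has to be resolved against the previous sentence's list (license activation, installation, regressions). Consider "To get technical support for these ESU issues, organizations must have an active support plan in place." This bullet is now three full sentences under the lead-in "ESUs doesn't include the following items:", alongside short noun-phrase bullets. Moving the support-plan requirement to a sentence after the list would keep the list parallel, and the lead-in's "ESUs doesn't" could be corrected to "ESUs don't" in the same pass.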