mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-28 21:27:23 +00:00
huypub
GitHub
commit
810c6643a0
@ -16,9 +16,9 @@ If you’re having problems launching your legacy apps while running Internet Ex
|
||||
|
||||
**To turn managed browser hosting controls back on**
|
||||
|
||||
1. **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
|
||||
1. **For x86 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
|
||||
|
||||
2. **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
|
||||
2. **For 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
|
||||
|
||||
For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page.
|
||||
|
||||
|
||||
@ -22,6 +22,9 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u
|
||||
> [!Warning]
|
||||
> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
|
||||
|
||||
> [!Note]
|
||||
> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a convenience PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
|
||||
|
||||
> [!Note]
|
||||
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
|
||||
|
||||
|
||||
@ -553,7 +553,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
|
||||
<characteristic type="CertificateStore">
|
||||
<characteristic type="Root">
|
||||
<characteristic type="System">
|
||||
<characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">
|
||||
<characteristic type="Encoded Root Cert Hash Inserted Here">
|
||||
<parm name="EncodedCertificate" value="B64 encoded cert insert here" />
|
||||
</characteristic>
|
||||
</characteristic>
|
||||
@ -562,7 +562,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
|
||||
<characteristic type="CertificateStore">
|
||||
<characteristic type="My" >
|
||||
<characteristic type="User">
|
||||
<characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
|
||||
<characteristic type="Encoded Root Cert Hash Inserted Here">
|
||||
<parm name="EncodedCertificate" value="B64EncodedCertInsertedHere" />
|
||||
</characteristic>
|
||||
<characteristic type="PrivateKeyContainer"/>
|
||||
|
||||
@ -67,7 +67,7 @@ Added in Windows 10, version 1803. This policy allows the IT admin to control wh
|
||||
> [!Note]
|
||||
> MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers.
|
||||
|
||||
This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
|
||||
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
|
||||
Note: This policy doesn’t support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1.
|
||||
|
||||
The following list shows the supported values:
|
||||
|
||||
@ -30,7 +30,7 @@ The following diagram shows the Reboot configuration service provider management
|
||||
> [!Note]
|
||||
> If this node is set to execute during a sync session, the device will reboot at the end of the sync session.
|
||||
|
||||
<p style="margin-left: 20px">The supported operations are Execute and Get.
|
||||
<p style="margin-left: 20px">The supported operations are Execute and Get.</p>
|
||||
|
||||
<a href="" id="schedule"></a>**Schedule**
|
||||
<p style="margin-left: 20px">The supported operation is Get.</p>
|
||||
|
||||
@ -29,7 +29,7 @@ The **Reclaim seat from user** operation returns reclaimed seats for a user in t
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td><p>POST</p></td>
|
||||
<td><p>DELETE</p></td>
|
||||
<td><p>https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
||||
@ -50,6 +50,9 @@ When the ADMX policies are imported, the registry keys to which each policy is w
|
||||
> [!Warning]
|
||||
> Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined.
|
||||
|
||||
> [!NOTE]
|
||||
> Settings that cannot be configured using custom policy ingestion have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script).
|
||||
|
||||
## <a href="" id="ingesting-an-app-admx-file"></a>Ingesting an app ADMX file
|
||||
|
||||
The following ADMX file example shows how to ingest a Win32 or Desktop Bridge app ADMX file and set policies from the file. The ADMX file defines eight policies.
|
||||
|
||||
@ -57,6 +57,9 @@ Logs can help you [troubleshoot issues](multi-app-kiosk-troubleshoot.md) kiosk i
|
||||
|
||||
In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in.
|
||||
|
||||
>[!NOTE]
|
||||
>If you are using a Windows 10 and later device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
|
||||
|
||||
>[!TIP]
|
||||
>If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.
|
||||
|
||||
|
||||
@ -79,7 +79,7 @@ Additional options available that control the impact Delivery Optimization has o
|
||||
- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
|
||||
- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month.
|
||||
- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
|
||||
- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
|
||||
- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
|
||||
- [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
|
||||
- [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
|
||||
- [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
|
||||
|
||||
@ -42,6 +42,9 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable
|
||||
- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
|
||||
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
|
||||
|
||||
> [!NOTE]
|
||||
> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted.
|
||||
|
||||
You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting.
|
||||
|
||||
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
|
||||
@ -159,8 +162,9 @@ In the Group Policy editor, you will see a number of policy settings that pertai
|
||||
|
||||
>[!NOTE]
|
||||
>You can only choose one path for restart behavior.
|
||||
>
|
||||
>If you set conflicting restart policies, the actual restart behavior may not be what you expected.
|
||||
>When using RDP, only active RDP sessions are considered as logged on users.
|
||||
|
||||
|
||||
## Registry keys used to manage restart
|
||||
The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10.
|
||||
|
||||
@ -86,7 +86,7 @@ If you have devices that appear in other solutions, but not Device Health (the D
|
||||
3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551).
|
||||
4. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set).
|
||||
5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information.
|
||||
6. Remove the Device Health (appears as DeviceHealthProd on some pages) from your Log Analytics workspace
|
||||
6. Add the Device Health solution back to your Log Analytics workspace.
|
||||
7. Wait 48 hours for activity to appear in the reports.
|
||||
8. If you need additional troubleshooting, contact Microsoft Support.
|
||||
|
||||
|
||||
@ -29,10 +29,10 @@ In order to use the direct connection scenario, set the parameter **ClientProxy=
|
||||
This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication.
|
||||
|
||||
In order to set the WinHTTP proxy system-wide on your computers, you need to
|
||||
•Use the command netsh winhttp set proxy \<server\>:\<port\>
|
||||
•Set ClientProxy=System in runconfig.bat
|
||||
- Use the command netsh winhttp set proxy \<server\>:\<port\>
|
||||
- Set ClientProxy=System in runconfig.bat
|
||||
|
||||
The WinHTTP scenario is most appropriate for customers who use a single proxy or f. If you have more advanced proxy requirements, refer to Scenario 3.
|
||||
The WinHTTP scenario is most appropriate for customers who use a single proxy. If you have more advanced proxy requirements, refer to Scenario 3.
|
||||
|
||||
If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/).
|
||||
|
||||
|
||||
@ -133,11 +133,9 @@ If you have already established a KMS infrastructure in your organization for an
|
||||
1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
|
||||
2. Request a new KMS host key from the Volume Licensing Service Center.
|
||||
3. Install the new KMS host key on your KMS host.
|
||||
4. Activate the new KMS host key by running the slmrg.vbs script.
|
||||
4. Activate the new KMS host key by running the slmgr.vbs script.
|
||||
|
||||
For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
|
||||
|
||||
## See also
|
||||
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
|
||||
|
||||
|
||||
|
||||
@ -194,7 +194,7 @@ See the following table for a summary of the management settings for Windows Ser
|
||||
See the following table for a summary of the management settings for Windows Server 2016 Server Core.
|
||||
|
||||
| Setting | Group Policy | Registry | Command line |
|
||||
| - | :-: | :-: | :-: | :-: | :-: |
|
||||
| - | :-: | :-: | :-: |
|
||||
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) |  |  | |
|
||||
| [3. Date & Time](#bkmk-datetime) |  |  | |
|
||||
| [6. Font streaming](#font-streaming) |  |  | |
|
||||
@ -209,7 +209,7 @@ See the following table for a summary of the management settings for Windows Ser
|
||||
See the following table for a summary of the management settings for Windows Server 2016 Nano Server.
|
||||
|
||||
| Setting | Registry | Command line |
|
||||
| - | :-: | :-: | :-: | :-: | :-: |
|
||||
| - | :-: | :-: |
|
||||
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) |  | |
|
||||
| [3. Date & Time](#bkmk-datetime) |  | |
|
||||
| [22. Teredo](#bkmk-teredo) | |  |
|
||||
@ -634,6 +634,8 @@ To disable the Microsoft Account Sign-In Assistant:
|
||||
|
||||
- Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
|
||||
|
||||
-or-
|
||||
|
||||
- Change the **Start** REG_DWORD registry setting in **HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to a value of **4**.
|
||||
|
||||
|
||||
@ -1857,10 +1859,6 @@ You can disconnect from the Microsoft Antimalware Protection Service.
|
||||
|
||||
- Use the registry to set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to **0 (zero)**.
|
||||
|
||||
-and-
|
||||
|
||||
- Delete the registry setting **named** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Updates**.
|
||||
|
||||
-OR-
|
||||
|
||||
- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
|
||||
|
||||
@ -15,7 +15,7 @@ ms.topic: article
|
||||
localizationpriority: medium
|
||||
ms.date: 08/19/2018
|
||||
---
|
||||
# Windows Hello for Business Frequently Ask Questions
|
||||
# Windows Hello for Business Frequently Asked Questions
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
@ -27,7 +27,7 @@ Windows Hello for Business is the modern, two-factor credential for Windows 10.
|
||||
Microsoft is committed to its vision of a <u>world without passwords.</u> We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
|
||||
|
||||
## Can I deploy Windows Hello for Business using System Center Configuration Manager?
|
||||
Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no long be supported after November 2018.
|
||||
Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no longer be supported after November 2018.
|
||||
|
||||
## How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
|
||||
The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available.
|
||||
|
||||
@ -141,7 +141,7 @@ These procedures configure NTFS and share permissions on the web server to allow
|
||||
|
||||
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
|
||||
2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
|
||||
3. Select **Share this folder**. Type **cdp$** in **Share name:**. Click **Permissions**.
|
||||
3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**.
|
||||
|
||||
4. In the **Permissions for cdp$** dialog box, click **Add**.
|
||||
5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**.
|
||||
@ -280,10 +280,10 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
|
||||
1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**.
|
||||
2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**.
|
||||
|
||||
3. In the **Create profle** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**.
|
||||
3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**.
|
||||
4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**.
|
||||
|
||||
5. In the **Enterprise Root Certificate** blade, click **Assignmnets**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**.
|
||||
5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**.
|
||||
|
||||
6. Sign out of the Microsoft Azure Portal.
|
||||
|
||||
|
||||
@ -27,10 +27,10 @@ Hybrid environments are distributed systems that enable organizations to use on-
|
||||
|
||||
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
|
||||
* [Directories](#directories)
|
||||
* [Public Key Infrastucture](#public-key-infrastructure)
|
||||
* [Public Key Infrastructure](#public-key-infrastructure)
|
||||
* [Directory Synchronization](#directory-synchronization)
|
||||
* [Federation](#federation)
|
||||
* [MultiFactor Authentication](#multifactor-authentication)
|
||||
* [Multifactor Authentication](#multifactor-authentication)
|
||||
* [Device Registration](#device-registration)
|
||||
|
||||
## Directories ##
|
||||
@ -57,7 +57,7 @@ Review these requirements and those from the Windows Hello for Business planning
|
||||
## Public Key Infrastructure ##
|
||||
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller.
|
||||
|
||||
Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment use the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority.
|
||||
Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AD FS) as a certificate registration authority.
|
||||
|
||||
The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012.
|
||||
|
||||
@ -96,7 +96,7 @@ The AD FS farm used with Windows Hello for Business must be Windows Server 2016
|
||||
## Multifactor Authentication ##
|
||||
Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication.
|
||||
|
||||
Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS.
|
||||
Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service, or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS.
|
||||
|
||||
### Section Review
|
||||
> [!div class="checklist"]
|
||||
@ -119,7 +119,7 @@ Hybrid certificate trust deployments need the device write back feature. Authen
|
||||
<br>
|
||||
|
||||
### Next Steps ###
|
||||
Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**.
|
||||
Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**.
|
||||
|
||||
If your environment is already federated, but does not include Azure device registration, choose **Configure Azure Device Registration**.
|
||||
|
||||
|
||||
@ -18,7 +18,7 @@ ms.date: 08/19/2018
|
||||
# Hybrid Windows Hello for Business Provisioning
|
||||
|
||||
**Applies to**
|
||||
- Windows 10, version 1703 or later
|
||||
- Windows 10, version 1703 or later
|
||||
- Hybrid deployment
|
||||
- Certificate trust
|
||||
|
||||
@ -55,17 +55,17 @@ The remainder of the provisioning includes Windows Hello for Business requesting
|
||||
> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
|
||||
|
||||
> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
|
||||
> **This synchronization latency delays the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
|
||||
> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
|
||||
> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
|
||||
|
||||
> [!NOTE]
|
||||
> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. The update needs to be installed on the federation servers.
|
||||
> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.
|
||||
|
||||
After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment.
|
||||
|
||||
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
|
||||
|
||||
The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center.
|
||||
The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.
|
||||
|
||||
<br><br>
|
||||
|
||||
@ -73,9 +73,9 @@ The certificate authority validates the certificate was signed by the registrati
|
||||
|
||||
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
|
||||
1. [Overview](hello-hybrid-cert-trust.md)
|
||||
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
|
||||
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
|
||||
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
|
||||
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
|
||||
5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md)
|
||||
6. Sign-in and Provision(*You are here*)
|
||||
6. Sign-in and Provision (*You are here*)
|
||||
|
||||
|
||||
@ -23,7 +23,7 @@ ms.date: 08/19/2018
|
||||
- Certificate trust
|
||||
|
||||
|
||||
You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model.
|
||||
Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model.
|
||||
> [!IMPORTANT]
|
||||
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
|
||||
|
||||
@ -44,7 +44,7 @@ For the most efficient deployment, configure these technologies in order beginni
|
||||
|
||||
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
|
||||
1. [Overview](hello-hybrid-cert-trust.md)
|
||||
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
|
||||
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
|
||||
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
|
||||
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
|
||||
5. Configure Windows Hello for Business settings (*You are here*)
|
||||
|
||||
@ -88,11 +88,11 @@ Some things that you can check on the device are:
|
||||
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
- [Details on the TPM standard](https://www.microsoft.com/en-us/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM)
|
||||
- [TPM Base Services Portal](https://docs.microsoft.com/windows/desktop/TBS/tpm-base-services-portal)
|
||||
- [TPM Base Services API](https://docs.microsoft.com/windows/desktop/api/_tbs/)
|
||||
- [TPM Base Services Portal](https://docs.microsoft.com/en-us/windows/desktop/TBS/tpm-base-services-portal)
|
||||
- [TPM Base Services API](https://docs.microsoft.com/en-us/windows/desktop/api/_tbs/)
|
||||
- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule)
|
||||
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
|
||||
- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/)
|
||||
- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
|
||||
- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/en-us/blog/device-provisioning-identity-attestation-with-tpm/)
|
||||
- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/en-us/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
|
||||
- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx)
|
||||
- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)
|
||||
@ -39,7 +39,7 @@ You can create an app protection policy in Intune either with device enrollment
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
|
||||
Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
|
||||
|
||||
## Configure the MDM or MAM provider
|
||||
|
||||
|
||||
@ -38,26 +38,11 @@ Constant: SeIncreaseBasePriorityPrivilege
|
||||
|
||||
### Best practices
|
||||
|
||||
- Allow the default value, Administrators and Window Manager/Window Manager Group, as the only accounts responsible for controlling process scheduling priorities.
|
||||
- Retain the default value as the only accounts responsible for controlling process scheduling priorities.
|
||||
|
||||
### Location
|
||||
|
||||
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
|
||||
|
||||
### Default values
|
||||
|
||||
By default this setting is Administrators on domain controllers and on stand-alone servers.
|
||||
|
||||
The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
|
||||
|
||||
| Server type or GPO | Default value |
|
||||
| - | - |
|
||||
| Default Domain Policy| Not defined|
|
||||
| Default Domain Controller Policy| Not defined|
|
||||
| Stand-Alone Server Default Settings | Administrators and Window Manager/Window Manager Group|
|
||||
| Domain Controller Effective Default Settings | Administrators and Window Manager/Window Manager Group|
|
||||
| Member Server Effective Default Settings | Administrators and Window Manager/Window Manager Group|
|
||||
| Client Computer Effective Default Settings | Administrators and Window Manager/Window Manager Group|
|
||||
|
||||
## Policy management
|
||||
|
||||
@ -97,3 +82,4 @@ None. Restricting the **Increase scheduling priority** user right to members of
|
||||
## Related topics
|
||||
|
||||
- [User Rights Assignment](user-rights-assignment.md)
|
||||
- [Increase scheduling priority for Windows Server 2012 and earlier](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221960(v%3dws.11))
|
||||
|
||||
@ -36,6 +36,6 @@ Your environment needs the following software to run Windows Defender Applicatio
|
||||
|
||||
|Software|Description|
|
||||
|--------|-----------|
|
||||
|Operating system|Windows 10 Enterprise edition, version 1709 or higher<br>Windows 10 Professional edition, version 1803 or higher<br>Windows 10 Professional for Workstations edition, version 1803 or higher<br>Windows 10 Professional Education edition version 1803 or higher<br>Windows 10 Education edition, version 1903 or higher|
|
||||
|Operating system|Windows 10 Enterprise edition, version 1709 or higher<br>Windows 10 Professional edition, version 1803 or higher<br>Windows 10 Professional for Workstations edition, version 1803 or higher<br>Windows 10 Professional Education edition version 1803 or higher<br>Windows 10 Education edition, version 1903 or higher<br>Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. |
|
||||
|Browser|Microsoft Edge and Internet Explorer|
|
||||
|Management system<br> (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)<br><br>**-OR-**<br><br>[System Center Configuration Manager](https://docs.microsoft.com/sccm/)<br><br>**-OR-**<br><br>[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
|
||||
|
||||
@ -25,7 +25,7 @@ ms.date: 05/07/2019
|
||||
|
||||
Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019.
|
||||
|
||||
To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
|
||||
To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
|
||||
|
||||
Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user