From 7fdc32eddcb7a53ba02eab20d9bdb1fe6789bdc9 Mon Sep 17 00:00:00 2001 From: msft-bob <82617611+msft-bob@users.noreply.github.com> Date: Thu, 15 Apr 2021 15:59:36 -0700 Subject: [PATCH 1/6] Update policy-csp-authentication.md Update to add description of new ConfigureWebSignInAllowedUrls policy. --- .../mdm/policy-csp-authentication.md | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 51f56ffbbb..0edf2ca1ef 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -37,6 +37,9 @@ manager: dansimp
Authentication/AllowSecondaryAuthenticationDevice
+
+ Authentication/ConfigureWebSignInAllowedUrls +
Authentication/EnableFastFirstSignIn
@@ -359,6 +362,68 @@ The following list shows the supported values:
+ +**Authentication/ConfigureWebSignInAllowedUrls** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark4
Businesscheck mark4
Enterprisecheck mark4
Educationcheck mark4
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10, version 1803. Specifies the list of domains that are allowed to be navigated to in AAD PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a 3rd party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). + +Example: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com". + + + + + + + + + + + + + +
+ **Authentication/EnableFastFirstSignIn** From 9855b3cba4ed0599596f0d5fbb20fa70e685658c Mon Sep 17 00:00:00 2001 From: msft-bob <82617611+msft-bob@users.noreply.github.com> Date: Thu, 15 Apr 2021 20:14:12 -0700 Subject: [PATCH 2/6] Update windows/client-management/mdm/policy-csp-authentication.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-authentication.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 0edf2ca1ef..7258bc578c 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -38,7 +38,7 @@ manager: dansimp Authentication/AllowSecondaryAuthenticationDevice
- Authentication/ConfigureWebSignInAllowedUrls + Authentication/ConfigureWebSignInAllowedUrls
Authentication/EnableFastFirstSignIn @@ -644,4 +644,3 @@ Footnotes: - 8 - Available in Windows 10, version 2004. - From 1e293badaf86059d41df1a93e8867bb1e782cbb9 Mon Sep 17 00:00:00 2001 From: msft-bob <82617611+msft-bob@users.noreply.github.com> Date: Thu, 15 Apr 2021 20:19:02 -0700 Subject: [PATCH 3/6] Apply suggestions from code review Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-authentication.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 7258bc578c..74167fec97 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md 
@@ -406,9 +406,9 @@ The following list shows the supported values: -Available in Windows 10, version 1803. Specifies the list of domains that are allowed to be navigated to in AAD PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a 3rd party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). +Available in Windows 10, version 1803. Specifies the list of domains that are allowed to be navigated to in AAD PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a third-party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). -Example: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com". +**Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com". From ff35811720f3f6ccfc4b2a2ffae31723e7a835da Mon Sep 17 00:00:00 2001 From: msft-bob <82617611+msft-bob@users.noreply.github.com> Date: Sat, 17 Apr 2021 21:53:28 -0700 Subject: [PATCH 4/6] Revert extra space in policy jump link --- windows/client-management/mdm/policy-csp-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 74167fec97..3137c8b270 100644 
--- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -38,7 +38,7 @@ manager: dansimp Authentication/AllowSecondaryAuthenticationDevice
- Authentication/ConfigureWebSignInAllowedUrls + Authentication/ConfigureWebSignInAllowedUrls
Authentication/EnableFastFirstSignIn From 5e0f81f7b2ee8da2e12530612beb40ef5de23dfa Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 19 Apr 2021 07:39:06 -0700 Subject: [PATCH 5/6] Update policy-csp-authentication.md --- windows/client-management/mdm/policy-csp-authentication.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 3137c8b270..d62b5b232d 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: +ms.reviewer: bobgil manager: dansimp --- From 31e3c608da3d742c4946c2e1a7e2271e60da9204 Mon Sep 17 00:00:00 2001 From: Beth Woodbury <40870842+levinec@users.noreply.github.com> Date: Mon, 19 Apr 2021 10:01:57 -0700 Subject: [PATCH 6/6] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 9f021cbaac..8e18c596ad 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -457,8 +457,8 @@ The data type is integer. Supported operations are Add, Delete, Get, Replace. Valid values are: -- 1 – Enable. -- 0 (default) – Disable. +- 1 (default) – Enable. +- 0 – Disable. **Configuration/MeteredConnectionUpdates**
Allow managed devices to update through metered connections. Data charges may apply. @@ -542,4 +542,4 @@ Supported operations are Get and Execute. ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md)
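
Review bot: In PATCH 1/6, the description added in the @@ -359,6 +362,68 @@ hunk calls the value a "list of domains" while the policy is named ConfigureWebSignInAllowedUrls, and the semicolon separator appears only inside the example string "accounts.contoso.com;signin.contoso.com". Suggest stating the format in the description itself (delimiter, and whether entries are bare host names without scheme or path) and saying whether an entry such as accounts.contoso.com also covers its subdomains. An allow list that admins have to fill in by inference from one example is easy to make too broad or too narrow.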
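
Review bot: In PATCH 3/6 (@@ -406,9 +406,9 @@), the sentence beginning "Note this policy is required in federated environments" still does not say what a device does when the policy is left unconfigured, and it follows "Available in Windows 10, version 1803" without saying whether an update is a prerequisite for the policy. Suggest moving it into its own note and adding the unconfigured behaviour and any prerequisite, so that an admin arriving from the CVE-2021-27092 link knows exactly what has to be deployed.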
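
Review bot: In PATCH 5/6 (@@ -7,8 +7,7 @@), the front-matter line "ms.date: 09/27/2019" is deleted rather than updated, so the page no longer carries a date after a series that adds a security-relevant policy. If the field is meant to stay, set it to the date of this update instead of dropping it; the commit message "Update policy-csp-authentication.md" should also mention the metadata change, since it is the only thing this commit does.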
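
Review bot: In PATCH 6/6 (defender-csp.md, @@ -457,8 +457,8 @@), the documented default moves from 0 (Disable) to 1 (Enable), but neither the hunk context nor the commit message "Update defender-csp.md" names the setting or gives the basis for the new default. Admins rely on documented defaults when auditing devices that have no explicit value set, so the commit message should name the node and state the source of the correction. The end-of-file newline fix in the second hunk is unrelated and could be mentioned separately.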