Paolo Matarazzo 2023-09-07 09:32:17 -04:00
parent e765a7c3e5
commit 8301ea6199
12 changed files with 80 additions and 28 deletions

View File

@ -7414,6 +7414,11 @@
"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml", "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/faq", "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/faq",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/hello-for-business/passwordless-strategy.md",
"redirect_url": "/windows/security/identity-protection/passwordless-strategy",
"redirect_document_id": false
} }
] ]
} }
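Review bot: "redirect_document_id": false on the new passwordless-strategy.md entry means the moved page does not keep its document id at the new URL; since this commit relocates the page rather than retiring it (the toc.yml hunk in this commit lists passwordless-strategy.md directly under the identity-protection items), confirm that false is intended, otherwise set it to true so the page's history follows it to /windows/security/identity-protection/passwordless-strategy.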

View File

@ -7,13 +7,13 @@ ms.topic: include
## Windows edition and licensing requirements ## Windows edition and licensing requirements
The following table lists the Windows editions that support Fast Identity Online (FIDO2) security key: The following table lists the Windows editions that support Passkey:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:| |:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes| |Yes|Yes|Yes|Yes|
Fast Identity Online (FIDO2) security key license entitlements are granted by the following licenses: Passkey license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:| |:---:|:---:|:---:|:---:|:---:|
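Review bot: the renamed Passkey include lists every edition as "Yes" without a version floor, while the passkeys article in this commit states that the native passkey experience starts with Windows 11, version 22H2 with KB5030310; add that minimum-version requirement next to the edition table (or in the article right after the include) so the table is not read as applying to every supported Windows version.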

View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Security key (FIDO2):
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Security key (FIDO2) license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
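Review bot: ms.date is 08/02/2023 on a file added by a commit dated 2023-09-07; set it to the date the include is actually introduced, and the same applies to the windows-hello-for-business-passwordless include added in this commit. This include, that one and the renamed Passkey include are identical except for the feature name, so consider whether the repo's include mechanism can take the feature name as a parameter rather than keeping three copies that will drift.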

View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Windows Hello for Business passwordless:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Windows Hello for Business passwordless license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

View File

@ -44,6 +44,8 @@ Windows Hello for Business passwordless has the following requirements:
>[!NOTE] >[!NOTE]
>Microsoft Entra hybrid joined devices and Active Directory domain joined devices are currently out of scope. >Microsoft Entra hybrid joined devices and Active Directory domain joined devices are currently out of scope.
[!INCLUDE [windows-hello-for-business-passwordless](../../../../includes/licensing/windows-hello-for-business-passwordless.md)]
## Enable Windows Hello for Business passwordless with Intune ## Enable Windows Hello for Business passwordless with Intune
[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] [!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
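Review bot: the new [!INCLUDE [windows-hello-for-business-passwordless] line is inserted directly after a > [!NOTE] block; the hunk counts (+6 to +8) suggest a blank line was added with it, but confirm there is an empty line between the last > line and the include so the include is not parsed as a continuation of the note.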


View File

@ -22,16 +22,18 @@ Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can use any app
Windows provides a native experience for passkey management starting in Windows 11, version 22H2 with [KB5030310][KB-1]. Windows provides a native experience for passkey management starting in Windows 11, version 22H2 with [KB5030310][KB-1].
[!INCLUDE [passkey](../../../../../includes/licensing/passkey.md)]
## User experiences ## User experiences
### Create a passkey ### Create a passkey
Follow these steps to create a passkey: Follow these steps to create a passkey from a Windows device:
:::row::: :::row:::
:::column span="4"::: :::column span="4":::
1. Go to a website or app that supports passkeys 1. Open a website or app that supports passkeys
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
@ -44,7 +46,7 @@ Follow these steps to create a passkey:
:::row-end::: :::row-end:::
:::row::: :::row:::
:::column span="4"::: :::column span="4":::
3. Choose where to save the passkey. By default, Windows prompts to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey on one of the following locations: 3. Choose where to save the passkey. By default, Windows prompts to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations:
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
:::row::: :::row:::
@ -53,11 +55,11 @@ Follow these steps to create a passkey:
- **This Windows device**: the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN) - **This Windows device**: the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN)
- **iPhone, iPad or Android device**: the passkey is stored on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet - **iPhone, iPad or Android device**: the passkey is stored on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet
- **Linked device**: the key is stored on a *linked* device, typically a phone or tablet, protected by the device's biometrics or a PIN. This option is only supported for Android devices and requires the linked device to be connected via Bluetooth to the Windows device - **Linked device**: the key is stored on a *linked* device, typically a phone or tablet, protected by the device's biometrics or a PIN. This option is only supported for Android devices and requires the linked device to be connected via Bluetooth to the Windows device
- **Security key**: the passkey is saved to a security key (FIDO2 key), protected by the key's biometrics, if offered by the key - **Security key**: the passkey is saved to a security key (FIDO2), protected by the key's unlock mechanism (for example, biometrics or PIN)
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/save-passkey.png" alt-text="Screenshot showing the passkey save dialog prompting the user to pick a location." lightbox="images/save-passkey.png" border="false"::: :::image type="content" source="images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="images/save-passkey.png" border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
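Review bot: the "This Windows device" bullet still says "protected by Windows Hello (biometrics and PIN)" while the "Security key" bullet in the same hunk was reworded to "protected by the key's unlock mechanism (for example, biometrics or PIN)"; Windows Hello unlocks with one gesture at a time, so "biometrics or PIN" would be accurate and consistent with the "Linked device" bullet.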
:::row::: :::row:::
@ -73,11 +75,11 @@ Pick one of the following options to learn how to save a passkey, based on where
:::row::: :::row:::
:::column span="3"::: :::column span="3":::
5. Select a Windows Hello verification method 5. Select a Windows Hello verification method and proceed with the verification, then select **OK**
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/hello-save.png" alt-text="Screenshot prompting the user to pick a Windows Hello verification method." lightbox="images/hello-save.png" border="false"::: :::image type="content" source="images/hello-save.png" alt-text="Screenshot showing the Windows Hello face verification method." lightbox="images/hello-save.png" border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
:::row::: :::row:::
@ -87,7 +89,7 @@ Pick one of the following options to learn how to save a passkey, based on where
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/hello-save-confirmation.png" alt-text="Screenshot confirming that the passkey is saved to the Windows device" lightbox="images/hello-save-confirmation.png" border="false"::: :::image type="content" source="images/hello-save-confirm.png" alt-text="Screenshot confirming that the passkey is saved to the Windows device" lightbox="images/hello-save-confirm.png" border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
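Review bot: the screenshot reference changes from images/hello-save-confirmation.png to images/hello-save-confirm.png; make sure the renamed image is part of this commit and that no other page still references the old file name, otherwise the build reports a broken image link.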
@ -96,11 +98,11 @@ Pick one of the following options to learn how to save a passkey, based on where
:::row::: :::row:::
:::column span="3"::: :::column span="3":::
5. Scan the QR code with your phone or tablet, and follow the instructions to save the passkey 5. Scan the QR code with your phone or tablet, and follow the instructions on the device to save the passkey
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/device-save-qr.png" alt-text="Screenshot showing the qr code asking the user to scan on phone or tablet." lightbox="images/device-save-qr.png" border="false"::: :::image type="content" source="images/device-save-qr.png" alt-text="Screenshot showing the qr code asking the user to scan on the device." lightbox="images/device-save-qr.png" border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
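Review bot: "qr code" in the alt text should be "QR code", matching the device-use.png alt text later in this file ("Screenshot showing the QR code to scan from your phone or tablet").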
:::row::: :::row:::
@ -119,7 +121,7 @@ Pick one of the following options to learn how to save a passkey, based on where
:::row::: :::row:::
:::column span="3"::: :::column span="3":::
5. Select the linked device option and confirm the notification sent to the device 5. Once the connection to the linked device is established, follow the instructions on the device to save the passkey
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
@ -129,7 +131,7 @@ Pick one of the following options to learn how to save a passkey, based on where
:::row::: :::row:::
:::column span="3"::: :::column span="3":::
6. The passkey is saved to your linked device. To confirm select **OK** 6. Once the passkey is saved to your linked device, select **OK**
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
@ -142,17 +144,17 @@ Pick one of the following options to learn how to save a passkey, based on where
:::row::: :::row:::
:::column span="3"::: :::column span="3":::
5. Select **OK** to confirm that you want to setup a security key, and unlock the security key using the key's unlock mechanism (for example, biometrics or PIN) 5. Select **OK** to confirm that you want to setup a security key, and unlock the security key using the key's unlock mechanism
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/security-key-setup.png" alt-text="Screenshot asking the user to confirm to use a security key." lightbox="images/security-key-setup.png" border="false"::: :::image type="content" source="images/security-key-setup.png" alt-text="Screenshot showing a prompt to use a security key to store the passkey." lightbox="images/security-key-setup.png" border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
:::row::: :::row:::
:::column span="3"::: :::column span="3":::
6. The passkey is saved to the security key. Confirm by selecting **OK** 6. Once the passkey is saved to the security key, select **OK**
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
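Review bot: "setup" in step 5 is the noun; the verb form is "set up" ("confirm that you want to set up a security key"). Dropping "(for example, biometrics or PIN)" here is fine now that the Security key bullet in the save-location list carries that wording.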
@ -178,6 +180,7 @@ Follow these steps to use a passkey:
2. Select **Sign in with a passkey**, or a similar option 2. Select **Sign in with a passkey**, or a similar option
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/website.png" alt-text="Screenshot of a website offering the passkey sign in option." lightbox="images/website.png" border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
:::row::: :::row:::
@ -190,7 +193,7 @@ Follow these steps to use a passkey:
- **This Windows device**: use this option to use a passkey that is stored locally on your Windows device, and protected by Windows Hello - **This Windows device**: use this option to use a passkey that is stored locally on your Windows device, and protected by Windows Hello
- **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet - **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet
- **Linked device**: use this option if you want to sign in with a passkey stored on a *linked* device. This option is only supported for Android devices and requires the linked device to be connected via Bluetooth to the Windows device - **Linked device**: use this option if you want to sign in with a passkey stored on a *linked* device. This option is only supported for Android devices and requires the linked device to be connected via Bluetooth to the Windows device
- **Security key** - use this option if you want to sign in with a passkey stored on a security key (FIDO2 key) - **Security key** - use this option if you want to sign in with a passkey stored on a security key (FIDO2)
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." lightbox="images/use-passkey.png" border="false"::: :::image type="content" source="images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." lightbox="images/use-passkey.png" border="false":::
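Review bot: the "Security key" bullet uses " - " after the bold label while the other three bullets in this list use ":"; change it to "**Security key**: use this option if you want to sign in with a passkey stored on a security key (FIDO2)" for consistency.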
@ -218,7 +221,6 @@ Pick one of the following options to learn how to use a passkey, based on where
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/hello-use-confirm.png" alt-text="Screenshot showing the passkey save dialog prompting the user to pick a location." lightbox="images/hello-use-confirm.png" border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
@ -231,7 +233,7 @@ Pick one of the following options to learn how to use a passkey, based on where
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/device-use.png" alt-text="Screenshot showing the passkey save dialog prompting the user to pick a location." lightbox="images/device-use.png" border="false"::: :::image type="content" source="images/device-use.png" alt-text="Screenshot showing the QR code to scan from your phone or tablet." lightbox="images/device-use.png" border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
:::row::: :::row:::
@ -247,21 +249,20 @@ Pick one of the following options to learn how to use a passkey, based on where
:::row::: :::row:::
:::column span="3"::: :::column span="3":::
4. Select a Windows Hello unlock option 4. Once the connection to the linked device is established, follow the instructions on the device to use the passkey
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/hello-use.png" alt-text="Screenshot showing the passkey save dialog prompting the user to pick a location." lightbox="images/hello-use.png" border="false"::: :::image type="content" source="images/linked-device-use.png" alt-text="Screenshot showing that the linked device is connected to Windows." lightbox="images/linked-device-use.png" border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
:::row::: :::row:::
:::column span="3"::: :::column span="3":::
5. The passkey is saved to your Windows device. Confirm by selecting **OK** 5. You are signed in to the website or app
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/hello-use.png" alt-text="Screenshot showing the passkey save dialog prompting the user to pick a location." lightbox="images/hello-use.png" border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
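Review bot: step 5 of the linked device flow now reads "You are signed in to the website or app", but the unchanged context line after it still shows images/hello-use.png with the alt text "Screenshot showing the passkey save dialog prompting the user to pick a location.", which describes neither a sign-in result nor a linked device; step 4 in this hunk received a new linked-device-use.png screenshot, so step 5 needs a matching screenshot and alt text, or no image at all.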
@ -270,11 +271,11 @@ Pick one of the following options to learn how to use a passkey, based on where
:::row::: :::row:::
:::column span="3"::: :::column span="3":::
4. Unlock the security key using the key's unlock mechanism (for example, biometrics or PIN) 4. Unlock the security key using the key's unlock mechanism
:::column-end::: :::column-end:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="images/security-key-use.png" alt-text="Screenshot showing the passkey save dialog prompting the user to pick a location." lightbox="images/security-key-use.png" border="false"::: :::image type="content" source="images/security-key-use.png" alt-text="Screenshot showing a prompt asking the user to unlock the security key." lightbox="images/security-key-use.png" border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
:::row::: :::row:::

View File

@ -5,7 +5,7 @@ items:
items: items:
- name: Passwordless strategy - name: Passwordless strategy
href: passwordless-strategy.md href: passwordless-strategy.md
- name: Windows Hello for Business 🔗 - name: Windows Hello for Business
href: hello-for-business/toc.yml href: hello-for-business/toc.yml
- name: Windows presence sensing - name: Windows presence sensing
href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb

View File

@ -14,7 +14,7 @@ ms.topic: include
| **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in. <br><br>Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more. <br><br>For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. | | **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in. <br><br>Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more. <br><br>For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. 
For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. |
| **[Windows Hello for Business passwordless](/windows/security/identity-protection/hello-for-business/passwordless)** | | | **[Windows Hello for Business passwordless](/windows/security/identity-protection/hello-for-business/passwordless)** | |
| **[Passkey](/windows/security/identity-protection/passkey)** | | | **[Passkey](/windows/security/identity-protection/passkey)** | |
| **[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. <br><br>Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. | | **[Security key (FIDO2)](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. <br><br>Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. | | **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
| **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. | | **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
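Review bot: the ESS row appears to break onto a second line at "For facial recognition, components such as the Secure Devices (SDEV) table..."; a newline inside a Markdown table cell ends the row, so keep the cell on one line and separate paragraphs with <br><br> as the rest of the cell does. The two new rows (Windows Hello for Business passwordless, Passkey) have empty description cells; add a one-sentence description to each, as the neighbouring rows have. Minor: "additional class of attacks" should be "additional classes of attacks", and the specification name is spelled "WebAuthn".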