deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update Windows Hello for Business TOC and remove hello-videos.md

Browse Source
This commit is contained in:
Paolo Matarazzo 2024-01-04 09:29:15 -05:00
parent 5e56151411
commit 88f0de1b84
6 changed files with 22 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.windows-security.json
View File

@ -8314,6 +8314,11 @@
"source_path": "windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/hello-for-business/hello-videos.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business/",
"redirect_document_id": false
}
]
}

19
windows/security/identity-protection/hello-for-business/configure.md
View File

@ -13,19 +13,20 @@ Windows Hello for Business offers a variety of configuration options to accommod
You can configure Windows Hello for Business by using the following options:
- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. To configure Windows Hello for Business, you use the [PassportForWork CSP][CSP-2]
- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with [provisioning packages](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers#csps-in-windows-configuration-designer), which are usually used at deployment time or for unamanged devices. To configure Windows Hello for Business, use the [PassportForWork CSP][CSP-2]
- Group policy (GPO): used for devices that are Active Directory joined or Microsoft Entra hybrid joined, and aren't managed by a device management solution
- Provisioning packages: used to configure devices at deployment time or for devices that aren't managed by a device management solution
### Policy precedence
## Policy precedence
Some of the Windows Hello for Business policies are available for both computer and user configuration.
Some of the Windows Hello for Business policies are available for both computer and user configuration. The following list describes the policy precedence for Windows Hello for Business:
*user policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used.
Policies for Windows Hello for Business are enforced using the following hierarchy:
- User GPO > Computer GPO > User MDM > Device MDM > Device Lock policy
- *User policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used
- Windows Hello for Business policy settings are enforced using the following hierarchy:
- User GPO
- Computer GPO
- User MDM
- Device MDM
- Device Lock policy
>[!IMPORTANT]
>All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.

10
windows/security/identity-protection/hello-for-business/deploy/index.md
View File

@ -297,7 +297,7 @@ All supported Windows Server versions can be used with Windows Hello for Busines
|| Deployment model | Trust type | Domain Controller OS version |
|-----------------------------|------------------|----------------|-----------------------------------------------------------------------------------------------------------|
| **🔲** | **Cloud-only** | n/a | All supported versions |
| **🔲** | **Hybrid** | Cloud Kerberos | - Windows Server 2016, [KB3534307][KB-3]<br>- Windows Server 2019, [KB4534321][KB-4], Windows Server 2022 |
| **🔲** | **Hybrid** | Cloud Kerberos | - Windows Server 2016, [KB3534307][KB-3]<br>- Windows Server 2019, [KB4534321][KB-4]<br>- Windows Server 2022 |
| **🔲** | **Hybrid** | Key | All supported versions |
| **🔲** | **Hybrid** | Certificate | All supported versions |
| **🔲** | **On-premises** | Key | All supported versions |
@ -305,11 +305,11 @@ All supported Windows Server versions can be used with Windows Hello for Busines
## Prepare users to enroll and use Windows Hello
When you enable Windows Hello for Business in your organization, make sure to prepare the users by explaining how to enroll and use Windows Hello.
When you are ready to enable Windows Hello for Business in your organization, make sure to prepare the users by explaining how to enroll and use Windows Hello.\
Since enrollment in Windows Hello requires multi-factor authentication, ensure you have a solution in place for users to use MFA during enrollment. Depending on the hardware, users might be prompted to register their fingerprint or face.
Ensure you have a strategy in place to ensure the users have an MFA option that is easy to use during enrollment.
Depending on the hardware, users might be prompted to register their fingerprint or face.
> [!TIP]
> To facilitate user communication and to ensure a successful Windows Hello for Business deployment, you can find customizable material (email templates, posters, trainings, etc.) at [Microsoft Entra templates](https://aka.ms/adminmails).
The next video shows the Windows Hello for Business enrollment experience after a user signs in with a password:

36
windows/security/identity-protection/hello-for-business/hello-videos.md
View File

@ -1,36 +0,0 @@
---
title: Windows Hello for Business Videos
description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
ms.date: 01/03/2024
ms.topic: get-started
---
# Windows Hello for Business Videos
## Overview of Windows Hello for Business and Features
Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock
> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
## Why PIN is more secure than a password
Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
## Microsoft's passwordless strategy
Watch Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**
> [!VIDEO https://www.youtube.com/embed/mXJS615IGLM]
## Windows Hello for Business Provisioning
Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
## Windows Hello for Business Authentication
Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]

1
windows/security/identity-protection/hello-for-business/how-it-works.md
View File

@ -58,6 +58,7 @@ The biometric data used to support Windows Hello is stored on the local device o
> [!NOTE]
>Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
> C:\WINDOWS\System32\WinBioDatabase
## Windows Hello for Business and password changes

5
windows/security/identity-protection/hello-for-business/toc.yml
View File

@ -38,7 +38,4 @@ items:
- name: Windows Hello Enhanced Security Sign-in (ESS) 🔗
href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
- name: Frequently Asked Questions (FAQ)
href: hello-faq.yml
- name: Windows Hello for Business videos
href: hello-videos.md
href: hello-faq.yml