deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

passwordless strategy

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-12-22 10:47:05 -05:00
parent 4aa19482d1
commit 8a93daa0df
23 changed files with 689 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/security/identity-protection/passwordless-strategy/images/domain-properties-adac.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 120 KiB

BIN
windows/security/identity-protection/passwordless-strategy/images/lock-screen-scril.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 MiB

BIN
windows/security/identity-protection/passwordless-strategy/images/lock-screen.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 MiB

BIN
windows/security/identity-protection/passwordless-strategy/images/passwordless-experience.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 MiB

BIN
windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/exclude-credential-providers-properties.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 91 KiB

BIN
windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/gpmc-exclude-credential-providers.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 506 KiB

BIN
windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/gpmc-require-smart-card-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 534 KiB

BIN
windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/require-whfb-smart-card-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 103 KiB

28
windows/security/identity-protection/passwordless-strategy/images/step-1-off.svg Normal file
View File

@ -0,0 +1,28 @@
<svg width="276" height="93" viewBox="0 0 276 93" fill="none" xmlns="http://www.w3.org/2000/svg">
<g opacity="0.5">
<g filter="url(#filter0_dd_146_234)">
<rect x="17" y="2" width="255" height="85" rx="12" fill="#F5F5F5" shape-rendering="crispEdges"/>
<path d="M144.547 15.7656C148.109 15.7656 151.672 16.2656 155.234 17.2656C158.797 18.2344 162.156 19.6406 165.312 21.4844C168.469 23.3281 171.328 25.5625 173.891 28.1875C176.484 30.7812 178.609 33.6875 180.266 36.9062C180.453 37.3125 180.609 37.7188 180.734 38.125C180.859 38.5312 180.922 38.9531 180.922 39.3906C180.922 40.1719 180.781 40.8906 180.5 41.5469C180.219 42.1719 179.828 42.7188 179.328 43.1875C178.828 43.625 178.25 43.9688 177.594 44.2188C176.938 44.4688 176.234 44.5938 175.484 44.5938C174.516 44.5938 173.688 44.3438 173 43.8438C172.312 43.3125 171.719 42.6719 171.219 41.9219C170.812 41.2969 170.422 40.6719 170.047 40.0469C169.672 39.4219 169.266 38.8125 168.828 38.2188C167.422 36.3125 165.797 34.6094 163.953 33.1094C162.141 31.6094 160.188 30.3438 158.094 29.3125C156.031 28.25 153.844 27.4531 151.531 26.9219C149.25 26.3594 146.922 26.0781 144.547 26.0781C141.953 26.0781 139.422 26.4062 136.953 27.0625C134.484 27.6875 132.141 28.6094 129.922 29.8281C127.734 31.0469 125.703 32.5312 123.828 34.2812C121.953 36 120.312 37.9531 118.906 40.1406C118.688 40.4844 118.5 40.8125 118.344 41.125C118.188 41.4062 118 41.7188 117.781 42.0625C117.312 42.8438 116.688 43.4688 115.906 43.9375C115.125 44.375 114.281 44.5938 113.375 44.5938C112.656 44.5938 111.984 44.4531 111.359 44.1719C110.734 43.8906 110.188 43.5156 109.719 43.0469C109.25 42.5781 108.875 42.0312 108.594 41.4062C108.312 40.7812 108.172 40.1094 108.172 39.3906C108.172 38.5469 108.391 37.7188 108.828 36.9062C110.641 33.625 112.812 30.6875 115.344 28.0938C117.906 25.4688 120.719 23.25 123.781 21.4375C126.875 19.5938 130.172 18.1875 133.672 17.2188C137.172 16.25 140.797 15.7656 144.547 15.7656ZM144.547 41.5938C146.609 41.5938 148.547 41.9844 150.359 42.7656C152.172 43.5469 153.75 44.625 155.094 46C156.438 47.3438 157.5 48.9219 158.281 50.7344C159.062 52.5469 159.453 54.4844 159.453 56.5469C159.453 58.6406 159.047 60.5938 158.234 62.4062C157.453 64.2188 156.375 65.7969 155 67.1406C153.656 68.4844 152.078 69.5469 150.266 70.3281C148.453 71.1094 146.516 71.5 144.453 71.5C142.359 71.5 140.406 71.1094 138.594 70.3281C136.812 69.5469 135.25 68.4844 133.906 67.1406C132.594 65.7656 131.547 64.1719 130.766 62.3594C130.016 60.5156 129.641 58.5625 129.641 56.5C129.641 54.4375 130.031 52.5156 130.812 50.7344C131.594 48.9219 132.656 47.3438 134 46C135.375 44.625 136.953 43.5469 138.734 42.7656C140.547 41.9844 142.484 41.5938 144.547 41.5938Z" fill="#0078D4"/>
</g>
<circle cx="17" cy="36" r="17" fill="#0078D4"/>
<path d="M19.3284 28.9167V43.1138H17.0816V31.667C16.6749 31.9575 16.2359 32.2061 15.7646 32.4127C15.2997 32.6128 14.7671 32.7904 14.1667 32.9453V31.0279C14.5411 30.9052 14.9027 30.7761 15.2513 30.6405C15.5999 30.5049 15.9421 30.3532 16.2778 30.1853C16.62 30.0175 16.9622 29.8302 17.3044 29.6236C17.653 29.417 18.0113 29.1814 18.3793 28.9167H19.3284Z" fill="white"/>
</g>
<defs>
<filter id="filter0_dd_146_234" x="13" y="0" width="263" height="93" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="1"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.12 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_146_234"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset dy="2"/>
<feGaussianBlur stdDeviation="2"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.14 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_146_234" result="effect2_dropShadow_146_234"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_146_234" result="shape"/>
</filter>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 4.1 KiB

26
windows/security/identity-protection/passwordless-strategy/images/step-1-on.svg Normal file
View File

@ -0,0 +1,26 @@
<svg width="276" height="93" viewBox="0 0 276 93" fill="none" xmlns="http://www.w3.org/2000/svg">
<g filter="url(#filter0_dd_125_16)">
<rect x="17" y="2" width="255" height="85" rx="12" fill="#F5F5F5" shape-rendering="crispEdges"/>
<path d="M144.547 15.7656C148.109 15.7656 151.672 16.2656 155.234 17.2656C158.797 18.2344 162.156 19.6406 165.312 21.4844C168.469 23.3281 171.328 25.5625 173.891 28.1875C176.484 30.7812 178.609 33.6875 180.266 36.9062C180.453 37.3125 180.609 37.7188 180.734 38.125C180.859 38.5312 180.922 38.9531 180.922 39.3906C180.922 40.1719 180.781 40.8906 180.5 41.5469C180.219 42.1719 179.828 42.7188 179.328 43.1875C178.828 43.625 178.25 43.9688 177.594 44.2188C176.938 44.4688 176.234 44.5938 175.484 44.5938C174.516 44.5938 173.688 44.3438 173 43.8438C172.312 43.3125 171.719 42.6719 171.219 41.9219C170.812 41.2969 170.422 40.6719 170.047 40.0469C169.672 39.4219 169.266 38.8125 168.828 38.2188C167.422 36.3125 165.797 34.6094 163.953 33.1094C162.141 31.6094 160.188 30.3438 158.094 29.3125C156.031 28.25 153.844 27.4531 151.531 26.9219C149.25 26.3594 146.922 26.0781 144.547 26.0781C141.953 26.0781 139.422 26.4062 136.953 27.0625C134.484 27.6875 132.141 28.6094 129.922 29.8281C127.734 31.0469 125.703 32.5312 123.828 34.2812C121.953 36 120.312 37.9531 118.906 40.1406C118.688 40.4844 118.5 40.8125 118.344 41.125C118.188 41.4062 118 41.7188 117.781 42.0625C117.312 42.8438 116.688 43.4688 115.906 43.9375C115.125 44.375 114.281 44.5938 113.375 44.5938C112.656 44.5938 111.984 44.4531 111.359 44.1719C110.734 43.8906 110.188 43.5156 109.719 43.0469C109.25 42.5781 108.875 42.0312 108.594 41.4062C108.312 40.7812 108.172 40.1094 108.172 39.3906C108.172 38.5469 108.391 37.7188 108.828 36.9062C110.641 33.625 112.812 30.6875 115.344 28.0938C117.906 25.4688 120.719 23.25 123.781 21.4375C126.875 19.5938 130.172 18.1875 133.672 17.2188C137.172 16.25 140.797 15.7656 144.547 15.7656ZM144.547 41.5938C146.609 41.5938 148.547 41.9844 150.359 42.7656C152.172 43.5469 153.75 44.625 155.094 46C156.438 47.3438 157.5 48.9219 158.281 50.7344C159.062 52.5469 159.453 54.4844 159.453 56.5469C159.453 58.6406 159.047 60.5938 158.234 62.4062C157.453 64.2188 156.375 65.7969 155 67.1406C153.656 68.4844 152.078 69.5469 150.266 70.3281C148.453 71.1094 146.516 71.5 144.453 71.5C142.359 71.5 140.406 71.1094 138.594 70.3281C136.812 69.5469 135.25 68.4844 133.906 67.1406C132.594 65.7656 131.547 64.1719 130.766 62.3594C130.016 60.5156 129.641 58.5625 129.641 56.5C129.641 54.4375 130.031 52.5156 130.812 50.7344C131.594 48.9219 132.656 47.3438 134 46C135.375 44.625 136.953 43.5469 138.734 42.7656C140.547 41.9844 142.484 41.5938 144.547 41.5938Z" fill="#0078D4"/>
</g>
<circle cx="17" cy="36" r="17" fill="#0078D4"/>
<path d="M19.3284 28.9167V43.1138H17.0816V31.667C16.6749 31.9575 16.2359 32.2061 15.7646 32.4127C15.2997 32.6128 14.7671 32.7904 14.1667 32.9453V31.0278C14.5411 30.9052 14.9027 30.776 15.2513 30.6405C15.5999 30.5049 15.9421 30.3532 16.2778 30.1853C16.62 30.0174 16.9622 29.8302 17.3044 29.6236C17.653 29.417 18.0113 29.1814 18.3793 28.9167H19.3284Z" fill="white"/>
<defs>
<filter id="filter0_dd_125_16" x="13" y="0" width="263" height="93" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="1"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.12 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_125_16"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset dy="2"/>
<feGaussianBlur stdDeviation="2"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.14 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_125_16" result="effect2_dropShadow_125_16"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_125_16" result="shape"/>
</filter>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 4.1 KiB

28
windows/security/identity-protection/passwordless-strategy/images/step-2-off.svg Normal file
View File

@ -0,0 +1,28 @@
<svg width="276" height="93" viewBox="0 0 276 93" fill="none" xmlns="http://www.w3.org/2000/svg">
<g opacity="0.5">
<g filter="url(#filter0_dd_146_240)">
<rect x="17" y="2" width="255" height="85" rx="12" fill="#F5F5F5" shape-rendering="crispEdges"/>
<path d="M142.125 61.4167V63.8333C142.125 65.168 141.062 66.25 139.75 66.25H135V68.6667C135 71.336 132.873 73.5 130.25 73.5H120.75C118.127 73.5 116 71.336 116 68.6667V62.4177C116 61.1358 116.5 59.9064 117.391 59L135.77 40.2984C135.269 38.5633 135 36.7285 135 34.8333C135 24.1558 143.507 15.5 154 15.5C164.493 15.5 173 24.1558 173 34.8333C173 45.5108 164.493 54.1667 154 54.1667H149.25V59C149.25 60.3347 148.187 61.4167 146.875 61.4167H142.125ZM158.75 34.8333C161.373 34.8333 163.5 32.6694 163.5 30C163.5 27.3306 161.373 25.1667 158.75 25.1667C156.127 25.1667 154 27.3306 154 30C154 32.6694 156.127 34.8333 158.75 34.8333Z" fill="#0078D4"/>
</g>
<circle cx="17" cy="36" r="17" fill="#0078D4"/>
<path d="M21.4658 43.0363H12.75V41.9614C12.75 41.5223 12.8113 41.1124 12.934 40.7315C13.0567 40.3441 13.2213 39.9826 13.4279 39.6468C13.6345 39.3047 13.8766 38.9851 14.1542 38.6881C14.4318 38.3847 14.7288 38.0941 15.0452 37.8165C15.3615 37.5324 15.6843 37.2613 16.0136 37.003C16.3429 36.7383 16.6657 36.4736 16.982 36.2089C17.279 35.9571 17.5502 35.7118 17.7955 35.4729C18.0408 35.2276 18.2507 34.9758 18.425 34.7175C18.5993 34.4593 18.7349 34.1881 18.8317 33.9041C18.9285 33.6135 18.977 33.3004 18.977 32.9647C18.977 32.5967 18.9189 32.2771 18.8027 32.006C18.6929 31.7283 18.5347 31.4992 18.3281 31.3184C18.128 31.1312 17.8891 30.9923 17.6115 30.902C17.3339 30.8051 17.0304 30.7567 16.7012 30.7567C16.133 30.7567 15.5552 30.889 14.9677 31.1537C14.3802 31.4185 13.8153 31.8155 13.2729 32.3449V30.1853C13.557 29.9723 13.8443 29.7883 14.1348 29.6333C14.4254 29.4719 14.7256 29.3396 15.0355 29.2363C15.3454 29.1265 15.6714 29.0458 16.0136 28.9942C16.3558 28.9425 16.7205 28.9167 17.1079 28.9167C17.7342 28.9167 18.3023 29.0006 18.8123 29.1685C19.3224 29.3299 19.7582 29.572 20.1197 29.8948C20.4813 30.2111 20.7589 30.6082 20.9526 31.086C21.1527 31.5637 21.2528 32.1125 21.2528 32.7323C21.2528 33.294 21.1817 33.8008 21.0397 34.2527C20.9041 34.6982 20.7072 35.1146 20.449 35.502C20.1972 35.8893 19.8905 36.2573 19.529 36.606C19.1674 36.9546 18.7639 37.3129 18.3184 37.6809C17.944 37.9844 17.5695 38.2814 17.1951 38.5719C16.8271 38.8559 16.4946 39.1368 16.1976 39.4144C15.9006 39.6856 15.6585 39.96 15.4713 40.2376C15.2905 40.5087 15.2001 40.7831 15.2001 41.0607V41.1092H21.4658V43.0363Z" fill="white"/>
</g>
<defs>
<filter id="filter0_dd_146_240" x="13" y="0" width="263" height="93" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="1"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.12 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_146_240"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset dy="2"/>
<feGaussianBlur stdDeviation="2"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.14 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_146_240" result="effect2_dropShadow_146_240"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_146_240" result="shape"/>
</filter>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 3.6 KiB

26
windows/security/identity-protection/passwordless-strategy/images/step-2-on.svg Normal file
View File

@ -0,0 +1,26 @@
<svg width="276" height="93" viewBox="0 0 276 93" fill="none" xmlns="http://www.w3.org/2000/svg">
<g filter="url(#filter0_dd_125_22)">
<rect x="17" y="2" width="255" height="85" rx="12" fill="#F5F5F5" shape-rendering="crispEdges"/>
<path d="M142.125 61.4167V63.8333C142.125 65.168 141.062 66.25 139.75 66.25H135V68.6667C135 71.336 132.873 73.5 130.25 73.5H120.75C118.127 73.5 116 71.336 116 68.6667V62.4177C116 61.1358 116.5 59.9064 117.391 59L135.77 40.2984C135.269 38.5633 135 36.7285 135 34.8333C135 24.1558 143.507 15.5 154 15.5C164.493 15.5 173 24.1558 173 34.8333C173 45.5108 164.493 54.1667 154 54.1667H149.25V59C149.25 60.3347 148.187 61.4167 146.875 61.4167H142.125ZM158.75 34.8333C161.373 34.8333 163.5 32.6694 163.5 30C163.5 27.3306 161.373 25.1667 158.75 25.1667C156.127 25.1667 154 27.3306 154 30C154 32.6694 156.127 34.8333 158.75 34.8333Z" fill="#0078D4"/>
</g>
<circle cx="17" cy="36" r="17" fill="#0078D4"/>
<path d="M21.4658 43.0363H12.75V41.9613C12.75 41.5223 12.8113 41.1123 12.934 40.7314C13.0567 40.3441 13.2213 39.9825 13.4279 39.6468C13.6345 39.3046 13.8766 38.985 14.1542 38.6881C14.4318 38.3846 14.7288 38.0941 15.0452 37.8165C15.3615 37.5324 15.6843 37.2612 16.0136 37.003C16.3429 36.7383 16.6657 36.4736 16.982 36.2089C17.279 35.9571 17.5502 35.7118 17.7955 35.4729C18.0408 35.2276 18.2507 34.9758 18.425 34.7175C18.5993 34.4593 18.7349 34.1881 18.8317 33.904C18.9285 33.6135 18.977 33.3004 18.977 32.9647C18.977 32.5967 18.9189 32.2771 18.8027 32.0059C18.6929 31.7283 18.5347 31.4991 18.3281 31.3183C18.128 31.1311 17.8891 30.9923 17.6115 30.9019C17.3339 30.8051 17.0304 30.7567 16.7012 30.7567C16.133 30.7567 15.5552 30.889 14.9677 31.1537C14.3802 31.4184 13.8153 31.8155 13.2729 32.3449V30.1853C13.557 29.9722 13.8443 29.7882 14.1348 29.6333C14.4254 29.4719 14.7256 29.3395 15.0355 29.2362C15.3454 29.1265 15.6714 29.0458 16.0136 28.9941C16.3558 28.9425 16.7205 28.9167 17.1079 28.9167C17.7342 28.9167 18.3023 29.0006 18.8123 29.1684C19.3224 29.3299 19.7582 29.572 20.1197 29.8948C20.4813 30.2111 20.7589 30.6082 20.9526 31.0859C21.1527 31.5637 21.2528 32.1125 21.2528 32.7322C21.2528 33.2939 21.1817 33.8007 21.0397 34.2527C20.9041 34.6982 20.7072 35.1146 20.449 35.5019C20.1972 35.8893 19.8905 36.2573 19.529 36.6059C19.1674 36.9546 18.7639 37.3129 18.3184 37.6809C17.944 37.9843 17.5695 38.2813 17.1951 38.5718C16.8271 38.8559 16.4946 39.1368 16.1976 39.4144C15.9006 39.6855 15.6585 39.9599 15.4713 40.2375C15.2905 40.5087 15.2001 40.7831 15.2001 41.0607V41.1091H21.4658V43.0363Z" fill="white"/>
<defs>
<filter id="filter0_dd_125_22" x="13" y="0" width="263" height="93" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="1"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.12 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_125_22"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset dy="2"/>
<feGaussianBlur stdDeviation="2"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.14 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_125_22" result="effect2_dropShadow_125_22"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_125_22" result="shape"/>
</filter>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 3.5 KiB

28
windows/security/identity-protection/passwordless-strategy/images/step-3-off.svg Normal file
View File

@ -0,0 +1,28 @@
<svg width="276" height="93" viewBox="0 0 276 93" fill="none" xmlns="http://www.w3.org/2000/svg">
<g opacity="0.5">
<g filter="url(#filter0_dd_146_246)">
<rect x="17" y="2" width="255" height="85" rx="12" fill="#F5F5F5" shape-rendering="crispEdges"/>
<path d="M131.264 22.9776C134.855 20.9339 139.927 19.8967 145.233 20.1063C150.529 20.3153 155.793 21.7558 159.767 24.3776C160.833 25.0807 162.275 24.7985 162.988 23.7473C163.701 22.696 163.414 21.2739 162.349 20.5708C157.51 17.3787 151.365 15.7648 145.419 15.5301C139.485 15.2959 133.486 16.4256 128.943 19.0106C127.833 19.6426 127.452 21.0429 128.093 22.1384C128.733 23.2338 130.153 23.6096 131.264 22.9776ZM147.452 24.3404C146.183 24.1645 145.009 25.0372 144.83 26.2896C144.652 27.542 145.537 28.6998 146.807 28.8757C155.614 30.0954 160.844 35.0273 163.993 40.0891C167.179 45.2111 168.173 50.3958 168.385 51.7274C168.583 52.9768 169.771 53.8311 171.037 53.6355C172.304 53.4399 173.17 52.2684 172.972 51.0189C172.717 49.4116 171.594 43.5512 167.95 37.694C164.269 31.7767 157.959 25.7955 147.452 24.3404ZM136.807 40.3748C131.143 44.8737 127.798 54.6086 133.943 67.1676C134.501 68.3065 134.016 69.6755 132.862 70.2252C131.707 70.7749 130.319 70.2972 129.762 69.1583C122.879 55.0931 126.213 42.9099 133.895 36.8078C137.695 33.7888 142.503 32.3421 147.375 33.031C152.267 33.7227 157.004 36.5343 160.733 41.6313C161.483 42.6569 161.249 44.0882 160.209 44.8282C159.169 45.5683 157.718 45.3368 156.968 44.3113C153.877 40.086 150.201 38.0573 146.716 37.5645C143.211 37.0688 139.679 38.0933 136.807 40.3748ZM144.001 70.2079C140.173 62.4473 139.064 55.9616 139.788 51.7298C140.146 49.6365 140.919 48.2594 141.842 47.4522C142.724 46.6818 143.967 46.231 145.751 46.3978C148.152 46.6224 149.217 47.3829 149.863 48.2314C150.64 49.25 151.076 50.7122 151.575 52.9205C151.636 53.1902 151.697 53.4675 151.759 53.7517C152.67 57.8878 153.898 63.4677 159.649 67.7861C160.669 68.5522 162.126 68.3574 162.902 67.3511C163.679 66.3448 163.482 64.9081 162.461 64.1421C158.104 60.8701 157.2 56.8189 156.264 52.6281L156.264 52.6248C156.212 52.3921 156.159 52.1581 156.107 51.9246C155.63 49.816 155.037 47.3978 153.574 45.4792C151.982 43.3906 149.599 42.1573 146.189 41.8385C143.32 41.5702 140.745 42.2921 138.763 44.0244C136.823 45.72 135.687 48.1758 135.209 50.9679C134.262 56.507 135.777 64.0021 139.825 72.2112C140.386 73.3485 141.775 73.822 142.928 73.2688C144.081 72.7156 144.561 71.3452 144.001 70.2079ZM125.63 24.5916C126.496 25.5242 126.432 26.9727 125.486 27.8269C122.651 30.3888 120.887 33.2312 120.342 34.1812C119.709 35.2814 118.292 35.6677 117.177 35.044C116.062 34.4203 115.67 33.0228 116.302 31.9226C116.969 30.7629 119.013 27.4647 122.35 24.4497C123.296 23.5955 124.764 23.659 125.63 24.5916ZM164.116 51.3272C163.878 50.0844 162.664 49.2667 161.404 49.5009C160.144 49.7351 159.315 50.9324 159.553 52.1752C160.419 56.7093 162.544 60.4986 166.418 62.859C167.509 63.5236 168.939 63.1901 169.613 62.1142C170.287 61.0382 169.949 59.6272 168.858 58.9626C166.374 57.4494 164.808 54.9546 164.116 51.3272ZM145.031 51.3711C146.308 51.2654 147.431 52.2013 147.538 53.4616C148.238 61.692 152.402 66.8915 153.542 68.171C154.389 69.1209 154.294 70.5678 153.331 71.4027C152.368 72.2375 150.901 72.1442 150.055 71.1943C148.562 69.5189 143.726 63.4248 142.911 53.8445C142.804 52.5842 143.753 51.4769 145.031 51.3711ZM138.764 29.5908C139.941 29.0875 140.481 27.739 139.97 26.5788C139.46 25.4185 138.093 24.8859 136.917 25.3891C126.292 29.9345 121.425 37.6759 119.323 44.6462C117.245 51.5336 117.855 57.6635 118.076 59.3094C118.244 60.5632 119.41 61.4452 120.681 61.2796C121.953 61.1139 122.847 59.9632 122.679 58.7094C122.499 57.3663 121.96 51.9637 123.773 45.9523C125.561 40.0237 129.627 33.5 138.764 29.5908Z" fill="#0078D4"/>
</g>
<circle cx="17" cy="36" r="17" fill="#0078D4"/>
<path d="M12.75 42.5231V40.4119C13.6539 41.1285 14.6739 41.4868 15.8102 41.4868C16.7335 41.4868 17.4695 41.277 18.0182 40.8574C18.5735 40.4377 18.8511 39.8696 18.8511 39.1529C18.8511 37.5776 17.647 36.79 15.2389 36.79H14.1639V34.9887H15.1904C17.3274 34.9887 18.3959 34.2462 18.3959 32.7613C18.3959 31.3926 17.5631 30.7083 15.8974 30.7083C14.9677 30.7083 14.0929 31.0408 13.2729 31.7057V29.7108C14.2155 29.1814 15.3292 28.9167 16.614 28.9167C17.8471 28.9167 18.8349 29.2266 19.5774 29.8464C20.3199 30.4662 20.6911 31.2603 20.6911 32.2287C20.6911 34.0558 19.7614 35.2308 17.902 35.7538V35.7925C18.9027 35.8893 19.6936 36.2412 20.2747 36.8481C20.8557 37.4485 21.1462 38.2006 21.1462 39.1045C21.1462 40.3506 20.6782 41.3577 19.742 42.126C18.8059 42.8878 17.5728 43.2687 16.0426 43.2687C14.6675 43.2687 13.5699 43.0202 12.75 42.5231Z" fill="white"/>
</g>
<defs>
<filter id="filter0_dd_146_246" x="13" y="0" width="263" height="93" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="1"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.12 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_146_246"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset dy="2"/>
<feGaussianBlur stdDeviation="2"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.14 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_146_246" result="effect2_dropShadow_146_246"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_146_246" result="shape"/>
</filter>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 5.6 KiB

26
windows/security/identity-protection/passwordless-strategy/images/step-3-on.svg Normal file
View File

@ -0,0 +1,26 @@
<svg width="276" height="93" viewBox="0 0 276 93" fill="none" xmlns="http://www.w3.org/2000/svg">
<g filter="url(#filter0_dd_126_58)">
<rect x="17" y="2" width="255" height="85" rx="12" fill="#F5F5F5" shape-rendering="crispEdges"/>
<path d="M131.264 22.9776C134.855 20.9339 139.927 19.8967 145.233 20.1063C150.529 20.3153 155.793 21.7558 159.767 24.3776C160.833 25.0807 162.275 24.7985 162.988 23.7473C163.701 22.696 163.414 21.2739 162.349 20.5708C157.51 17.3787 151.365 15.7648 145.419 15.5301C139.485 15.2959 133.486 16.4256 128.943 19.0106C127.833 19.6426 127.452 21.0429 128.093 22.1384C128.733 23.2338 130.153 23.6096 131.264 22.9776ZM147.452 24.3404C146.183 24.1645 145.009 25.0372 144.83 26.2896C144.652 27.542 145.537 28.6998 146.807 28.8757C155.614 30.0954 160.844 35.0273 163.993 40.0891C167.179 45.2111 168.173 50.3958 168.385 51.7274C168.583 52.9768 169.771 53.8311 171.037 53.6355C172.304 53.4399 173.17 52.2684 172.972 51.0189C172.717 49.4116 171.594 43.5512 167.95 37.694C164.269 31.7767 157.959 25.7955 147.452 24.3404ZM136.807 40.3748C131.143 44.8737 127.798 54.6086 133.943 67.1676C134.501 68.3065 134.016 69.6755 132.862 70.2252C131.707 70.7749 130.319 70.2972 129.762 69.1583C122.879 55.0931 126.213 42.9099 133.895 36.8078C137.695 33.7888 142.503 32.3421 147.375 33.031C152.267 33.7227 157.004 36.5343 160.733 41.6313C161.483 42.6569 161.249 44.0882 160.209 44.8282C159.169 45.5683 157.718 45.3368 156.968 44.3113C153.877 40.086 150.201 38.0573 146.716 37.5645C143.211 37.0688 139.679 38.0933 136.807 40.3748ZM144.001 70.2079C140.173 62.4473 139.064 55.9616 139.788 51.7298C140.146 49.6365 140.919 48.2594 141.842 47.4522C142.724 46.6818 143.967 46.231 145.751 46.3978C148.152 46.6224 149.217 47.3829 149.863 48.2314C150.64 49.25 151.076 50.7122 151.575 52.9205C151.636 53.1902 151.697 53.4675 151.759 53.7517C152.67 57.8878 153.898 63.4677 159.649 67.7861C160.669 68.5522 162.126 68.3574 162.902 67.3511C163.679 66.3448 163.482 64.9081 162.461 64.1421C158.104 60.8701 157.2 56.8189 156.264 52.6281L156.264 52.6248C156.212 52.3921 156.159 52.1581 156.107 51.9246C155.63 49.816 155.037 47.3978 153.574 45.4792C151.982 43.3906 149.599 42.1573 146.189 41.8385C143.32 41.5702 140.745 42.2921 138.763 44.0244C136.823 45.72 135.687 48.1758 135.209 50.9679C134.262 56.507 135.777 64.0021 139.825 72.2112C140.386 73.3485 141.775 73.822 142.928 73.2688C144.081 72.7156 144.561 71.3452 144.001 70.2079ZM125.63 24.5916C126.496 25.5242 126.432 26.9727 125.486 27.8269C122.651 30.3888 120.887 33.2312 120.342 34.1812C119.709 35.2814 118.292 35.6677 117.177 35.044C116.062 34.4203 115.67 33.0228 116.302 31.9226C116.969 30.7629 119.013 27.4647 122.35 24.4497C123.296 23.5955 124.764 23.659 125.63 24.5916ZM164.116 51.3272C163.878 50.0844 162.664 49.2667 161.404 49.5009C160.144 49.7351 159.315 50.9324 159.553 52.1752C160.419 56.7093 162.544 60.4986 166.418 62.859C167.509 63.5236 168.939 63.1901 169.613 62.1142C170.287 61.0382 169.949 59.6272 168.858 58.9626C166.374 57.4494 164.808 54.9546 164.116 51.3272ZM145.031 51.3711C146.308 51.2654 147.431 52.2013 147.538 53.4616C148.238 61.692 152.402 66.8915 153.542 68.171C154.389 69.1209 154.294 70.5678 153.331 71.4027C152.368 72.2375 150.901 72.1442 150.055 71.1943C148.562 69.5189 143.726 63.4248 142.911 53.8445C142.804 52.5842 143.753 51.4769 145.031 51.3711ZM138.764 29.5908C139.941 29.0875 140.481 27.739 139.97 26.5788C139.46 25.4185 138.093 24.8859 136.917 25.3891C126.292 29.9345 121.425 37.6759 119.323 44.6462C117.245 51.5336 117.855 57.6635 118.076 59.3094C118.244 60.5632 119.41 61.4452 120.681 61.2796C121.953 61.1139 122.847 59.9632 122.679 58.7094C122.499 57.3663 121.96 51.9637 123.773 45.9523C125.561 40.0237 129.627 33.5 138.764 29.5908Z" fill="#0078D4"/>
</g>
<circle cx="17" cy="36" r="17" fill="#0078D4"/>
<path d="M12.75 42.523V40.4119C13.6539 41.1285 14.6739 41.4868 15.8102 41.4868C16.7335 41.4868 17.4695 41.277 18.0182 40.8573C18.5735 40.4377 18.8511 39.8695 18.8511 39.1529C18.8511 37.5776 17.647 36.7899 15.2389 36.7899H14.1639V34.9887H15.1904C17.3274 34.9887 18.3959 34.2462 18.3959 32.7613C18.3959 31.3926 17.5631 30.7082 15.8974 30.7082C14.9677 30.7082 14.0929 31.0407 13.2729 31.7057V29.7108C14.2155 29.1814 15.3292 28.9167 16.614 28.9167C17.8471 28.9167 18.8349 29.2266 19.5774 29.8463C20.3199 30.4661 20.6911 31.2602 20.6911 32.2287C20.6911 34.0558 19.7614 35.2308 17.902 35.7537V35.7925C18.9027 35.8893 19.6936 36.2412 20.2747 36.8481C20.8557 37.4485 21.1462 38.2006 21.1462 39.1045C21.1462 40.3505 20.6782 41.3577 19.742 42.126C18.8059 42.8878 17.5728 43.2687 16.0426 43.2687C14.6675 43.2687 13.5699 43.0201 12.75 42.523Z" fill="white"/>
<defs>
<filter id="filter0_dd_126_58" x="13" y="0" width="263" height="93" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="1"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.12 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_126_58"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset dy="2"/>
<feGaussianBlur stdDeviation="2"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.14 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_126_58" result="effect2_dropShadow_126_58"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_126_58" result="shape"/>
</filter>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 5.6 KiB

28
windows/security/identity-protection/passwordless-strategy/images/step-4-off.svg Normal file
View File

@ -0,0 +1,28 @@
<svg width="276" height="93" viewBox="0 0 276 93" fill="none" xmlns="http://www.w3.org/2000/svg">
<g opacity="0.5">
<g filter="url(#filter0_dd_146_252)">
<rect x="14.1561" y="2" width="257.844" height="85" rx="12" fill="#F5F5F5" shape-rendering="crispEdges"/>
<path d="M139.041 18.2864C141.353 15.7454 145.168 16.1164 147.034 18.1359V18.1429C147.084 18.1919 156.36 28.4748 156.353 28.4713C154.127 27.4318 148.108 26.0878 143.507 31.0438C143.486 31.0718 127.625 48.7081 127.625 48.7081L140.197 56.4535L136.005 59.0365C129.31 62.9985 122.644 60.8985 120.169 59.3725C119.764 59.1205 113.538 55.281 113.538 55.281C110.85 53.6501 110.263 50.2306 112.283 47.9976C112.998 47.2031 138.369 19.0249 139.041 18.2864ZM162.081 34.7258C162.07 34.6838 173.889 47.9941 173.935 48.0466C175.645 49.9856 175.602 53.5206 172.666 55.2741C172.132 55.5926 146.039 71.6784 146.039 71.6784C144.264 72.7739 141.964 72.7739 140.19 71.6784L127.838 64.087C132.556 65.1895 136.709 62.1935 136.709 62.1935L158.607 48.7011L145.448 34.0643C147.34 32.0763 149.818 30.5328 152.862 30.4558C152.899 30.4544 152.937 30.452 152.976 30.4495C153.034 30.4457 153.093 30.4418 153.153 30.4418C156.805 30.4418 160.161 32.0973 162.081 34.7258Z" fill="#0078D4"/>
</g>
<circle cx="17" cy="37" r="17" fill="#0078D4"/>
<path d="M19.7974 29.7074V38.675H21.8601V40.5441H19.7974V43.5946H17.6184V40.5441H11.3334V38.6556C11.9015 38.0165 12.4825 37.3257 13.0765 36.5832C13.6769 35.8343 14.2515 35.0725 14.8003 34.2977C15.3555 33.5165 15.8688 32.7353 16.3401 31.9541C16.8114 31.1729 17.2085 30.424 17.5313 29.7074H19.7974ZM17.6184 38.675V32.8451C16.9147 34.1105 16.2174 35.2145 15.5266 36.1571C14.8423 37.0997 14.1999 37.939 13.5995 38.675H17.6184Z" fill="white"/>
</g>
<defs>
<filter id="filter0_dd_146_252" x="10.1561" y="0" width="265.844" height="93" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="1"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.12 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_146_252"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset dy="2"/>
<feGaussianBlur stdDeviation="2"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.14 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_146_252" result="effect2_dropShadow_146_252"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_146_252" result="shape"/>
</filter>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 2.7 KiB

26
windows/security/identity-protection/passwordless-strategy/images/step-4-on.svg Normal file
View File

@ -0,0 +1,26 @@
<svg width="276" height="93" viewBox="0 0 276 93" fill="none" xmlns="http://www.w3.org/2000/svg">
<g filter="url(#filter0_dd_126_57)">
<rect x="14.1561" y="2" width="257.844" height="85" rx="12" fill="#F5F5F5" shape-rendering="crispEdges"/>
<path d="M139.041 18.2864C141.353 15.7454 145.168 16.1164 147.034 18.1359V18.1429C147.084 18.1919 156.36 28.4748 156.353 28.4713C154.127 27.4318 148.108 26.0878 143.507 31.0438C143.486 31.0718 127.625 48.7081 127.625 48.7081L140.197 56.4535L136.005 59.0365C129.31 62.9985 122.644 60.8985 120.169 59.3725C119.764 59.1205 113.538 55.281 113.538 55.281C110.85 53.6501 110.263 50.2306 112.283 47.9976C112.998 47.2031 138.369 19.0249 139.041 18.2864ZM162.081 34.7258C162.07 34.6838 173.889 47.9941 173.935 48.0466C175.645 49.9856 175.602 53.5206 172.666 55.2741C172.132 55.5926 146.039 71.6784 146.039 71.6784C144.264 72.7739 141.964 72.7739 140.19 71.6784L127.838 64.087C132.556 65.1895 136.709 62.1935 136.709 62.1935L158.607 48.7011L145.448 34.0643C147.34 32.0763 149.818 30.5328 152.862 30.4558C152.899 30.4544 152.937 30.452 152.976 30.4495C153.034 30.4457 153.093 30.4418 153.153 30.4418C156.805 30.4418 160.161 32.0973 162.081 34.7258Z" fill="#0078D4"/>
</g>
<circle cx="17" cy="37" r="17" fill="#0078D4"/>
<path d="M19.7974 29.7074V38.675H21.8601V40.544H19.7974V43.5946H17.6184V40.544H11.3334V38.6556C11.9015 38.0164 12.4825 37.3256 13.0765 36.5832C13.6769 35.8343 14.2515 35.0724 14.8003 34.2977C15.3555 33.5165 15.8688 32.7353 16.3401 31.9541C16.8114 31.1729 17.2085 30.424 17.5313 29.7074H19.7974ZM17.6184 38.675V32.8451C16.9147 34.1105 16.2174 35.2145 15.5266 36.1571C14.8423 37.0997 14.1999 37.939 13.5995 38.675H17.6184Z" fill="white"/>
<defs>
<filter id="filter0_dd_126_57" x="10.1561" y="0" width="265.844" height="93" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="1"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.12 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_126_57"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset dy="2"/>
<feGaussianBlur stdDeviation="2"/>
<feComposite in2="hardAlpha" operator="out"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.14 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_126_57" result="effect2_dropShadow_126_57"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_126_57" result="shape"/>
</filter>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 2.7 KiB

BIN
windows/security/identity-protection/passwordless-strategy/images/user-properties-adac.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 155 KiB

BIN
windows/security/identity-protection/passwordless-strategy/images/user-properties-aduc.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 136 KiB

153
windows/security/identity-protection/passwordless-strategy/index.md Normal file
View File

@ -0,0 +1,153 @@
---
title: Passwordless strategy overview
description: Learn about the passwordless strategy and how Windows security features help implementing it.
ms.topic: concept-article
ms.date: 12/13/2023
---
# Passwordless strategy overview
This article describes Microsoft's passwordless strategy and how Windows security features help implementing it.
## Four steps to password freedom
Microsoft is working hard to create a world where passwords are no longer needed. This is how Microsoft envisions the four steps approach to end the era of passwords for the organizations:
:::row:::
:::column span="1":::
:::image type="icon" source="images/step-1-on.svg" border="false":::
:::column-end:::
:::column span="3":::
### Deploy a password replacement option
:::column-end:::
:::row-end:::
Before you move away from passwords, you need something to replace them. Windows Hello for Business and FIDO2 security keys offer a strong, hardware-protected two-factor credential that enables single sign-on to Microsoft Entra ID and Active Directory.\
Deploy Windows Hello for Business or FIDO2 security keys is the first step toward a passwordless environment. Users are likely to use these features because of their convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative solution to passwords, and getting users accostumed to it.
:::row:::
:::column span="1":::
:::image type="icon" source="images/step-2-on.svg" border="false":::
:::column-end:::
:::column span="3":::
### Reduce user-visible password surface area
:::column-end:::
:::row-end:::
With a password replacement option and passwords coexisting in the environment, the next step is to reduce the password surface area. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the users know they have a password, **but they never use it**. This state helps decondition users from providing a password anytime a password prompt shows on their computer. This behavior is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. **Password prompts are no longer the norm**.
In this phase, deploy *Windows passwordles experience* to reduce the password surface area by hiding the password credential provider from the user.
:::row:::
:::column span="1":::
:::image type="icon" source="images/step-3-on.svg" border="false":::
:::column-end:::
:::column span="3":::
### Transition into a passwordless deployment
:::column-end:::
:::row-end:::
Once the user-visible password surface is eliminated, your organization can begin to transition users into a passwordless environment. In this stage, users never type, change, or even know their password.\
The user signs in to Windows using Windows Hello for Business or FIDO2 security keys, and enjoys single sign-on to Microsoft Entra ID and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business or FIDO2 security keys.
:::row:::
:::column span="1":::
:::image type="icon" source="images/step-4-on.svg" border="false":::
:::column-end:::
:::column span="3":::
### Eliminate passwords from the identity directory
:::column-end:::
:::row-end:::
The final step of the passwordless journey is where passwords don't exist. At this stage, identity directories don't store any form of the password.
## Prepare for the passwordless journey
The road to being passwordless is a journey. The duration of the journey varies for each organization. It's important for IT decision makers to understand the criteria influencing the length of that journey.
The most intuitive answer is the size of the organization, but what exactly defines size? We can look at these factors to get a summary of the organization's size:
| Size factor | Details |
|--|--|
| **Number of departments**|The number of departments within an organization varies. Most organizations have a common set of departments such as *executive leadership*, *human resources*, *accounting*, *sales*, and *marketing*. Small organizations may not explicitly segment their departments, while larger ones may. Additionally, there may be subdepartments, and subdepartments of those subdepartments as well.<br><br>You need to know all the departments within your organization, and you need to know which departments use computers and which ones don't. It's fine if a department doesn't use computers (probably rare, but acceptable). This circumstance means there's one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you've assessed that it's not applicable.<br><br>Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password freedom. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This realization is why you need to inventory all of them. Also, don't forget to include external departments such as vendors or federated partners. If your organization goes passwordless, but your partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy.|
| **Organization or department hierarchy**|Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they're used, most likely differs between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device.|
| **Number and type of applications and services**|Most organizations have many applications and rarely have one centralized list that's accurate. Applications and services are the most critical items in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. Changing policies and procedures can be a daunting task. Consider the trade-off between updating your standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application.<br><br>Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf. If the latter, document the manufacturer and the version. Also, don't forget web-based applications or services when inventorying applications.|
| **Number of work personas**|Work personas are where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this information, you want to create a work persona.<br><br>A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There's a high probability that you'll have many work personas. These work personas will become units of work, and you'll refer to them in documentation and in meetings. You need to give them a name.<br><br>Give your personas easy and intuitive names like *Amanda - Accounting*, *Mark - Marketing*, or *Sue - Sales*. If the organization levels are common across departments, then decide on a first name that represents the common levels in a department. For example, *Amanda* could be the first name of an individual contributor in any given department, while the first name *Sue* could represent someone from middle management in any given department. Additionally, you can use suffixes (such as *I*, *II*, *Senior*, etc.) to further define departmental structure for a given persona. <br><br>Ultimately, create a naming convention that doesn't require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you're talking about a person who is in that department and who uses that specific software.|
| **Organization's IT structure**|IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the *client authentication* team, the *deployment* team, the *security* team, the *PKI* team, the *identity* team, the *cloud* team, etc. Most of these teams will be your partner on your journey to password freedom. Ensure there's a passwordless stakeholder on each of these teams, and that the effort is understood and funded.|
## Assess your organization
By now you can understand why this is a journey and not a quick task. You need to investigate user-visible password surfaces for each of your work personas. Once you've identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it's only a matter of moving users to it. Resolution to some passwords surfaces may exist, but aren't deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That project is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely affect productivity.
The time to complete the passwordless journey varies, depending on the organizational alignment to a passwordless strategy. Top-down agreement that a passwordless environment is the organization's goal makes conversations much easier. Easier conversations mean less time spent convincing people and more time spent moving toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the passwordless effort. The organization allocates resources based on the priority (after they've agreed on the strategy). Those resources will:
- Work through the work personas
- Organize and deploy user acceptance testing
- Evaluate user acceptance testing results for user visible password surfaces
- Work with stakeholders to create solutions that mitigate user visible password surfaces
- Add the solution to the project backlog and prioritize against other projects
- Deploy the solution
- Perform user acceptance testing to confirm that the solution mitigates the user visible password surface
- Repeat the testing as needed
Your organization's journey to password freedom may take some time. Counting the number of work personas and the number of applications is a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it's likely that to go passwordless tomorrow is *n x 2* or more, *n x n*. Don't let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you'll see parts of your organization transition to a passwordless state.
What's the best guidance for kicking off the journey to password freedom? **You'll want to show your management a proof of concept as soon as possible**. Ideally, you want to show it at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused.
## Work persona
You begin with your work personas. These were part of your preparation process. They have a persona name, such as *Amanda - Accounting II*, or any other naming convention your organization defined. That work persona includes a list of all the applications *Amanda* uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. It's the targeted work persona you'll enable to complete the journey.
> [!TIP]
> Avoid using any work personas from your IT department. This method is probably the worst way to start the passwordless journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey.
Review your collection of work personas. Early in your passwordless journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These roles are the perfect work personas for your proof-of-concept (POC) or pilot.
Most organizations host their POC in a test lab or environment. If you do that test with a password-free strategy, it may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This process could take a few days or several weeks, depending on the complexity of the targeted work persona.
You'll want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it may be advantageous to your timeline.
The journey to password freedom is to take each work persona through each step of the process. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this:
:::row:::
:::column span="1":::
:::image type="icon" source="images/step-1-on.svg" border="false" link="journey-step-1.md":::
:::column-end:::
:::column span="1":::
:::image type="icon" source="images/step-2-on.svg" border="false" link="journey-step-2.md":::
:::column-end:::
:::column span="1":::
:::image type="icon" source="images/step-3-on.svg" border="false" link="journey-step-3.md":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
**[Deploy a passwordless replacement option](journey-step-1.md)**
- Identify test users representing the targeted work persona
- Deploy Windows Hello for Business to test users
- Validate that passwords and Windows Hello for Business work
:::column-end:::
:::column span="1":::
**[Reduce user-visible password surface](journey-step-2.md)**
- Survey test user workflow for password usage
- Identify password usage and plan, develop, and deploy password mitigations
- Repeat until all user password usage is mitigated
- Remove password capabilities from Windows
- Validate that **none of the workflows** need passwords
:::column-end:::
:::column span="1":::
**[Transition into a passwordless scenario](journey-step-3.md)**
- Awareness campaign and user education
- Include remaining users who fit the work persona
- Validate that **none of the users** of the work personas need passwords
- Configure user accounts to disallow password authentication
:::column-end:::
:::row-end:::
After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process.
## Next steps
> [!div class="nextstepaction"]
>
> [Step 1: deploy a passwordless replacement option >](journey-step-1.md)

61
windows/security/identity-protection/passwordless-strategy/journey-step-1.md Normal file
View File

@ -0,0 +1,61 @@
---
title: Deploy a passwordless a replacement option
description: Learn about how to deploy a passwordless a replacement option, the first step of the Microsoft passwordless journey.
ms.topic: concept-article
ms.date: 12/13/2023
---
# Deploy a passwordless a replacement option
:::row:::
:::column span="1":::
:::image type="icon" source="images/step-1-on.svg" border="false" link="journey-step-1.md":::
:::column-end:::
:::column span="1":::
:::image type="icon" source="images/step-2-off.svg" border="false" link="journey-step-2.md":::
:::column-end:::
:::column span="1":::
:::image type="icon" source="images/step-3-off.svg" border="false" link="journey-step-3.md":::
:::column-end:::
:::column span="1":::
:::image type="icon" source="images/step-4-off.svg" border="false":::
:::column-end:::
:::row-end:::
The first step to password freedom is providing an alternative to passwords.\
Windows provides an affordable and easy in-box alternative to passwords, *Windows Hello for Business*. Another option is to use *FIDO2 security keys*, but they require the organization to purchase and distribute them.
Both options provide a strong, two-factor authentication to Microsoft Entra ID and Active Directory.
## Identify test users representing the targeted work persona
A successful transition relies on user acceptance testing. It's impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process.
## Deploy Windows Hello for Business or FIDO2 security keys to test users
Next, you'll want to plan your password replacement deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming passwordless. Use the [Windows Hello for Business planning guide](..\hello-for-business\hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](..\hello-for-business\hello-deployment-guide.md) to deploy Windows Hello for Business. With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you'll only need to deploy the infrastructure once. When other targeted work personas need to start using Windows Hello for Business, add them to a group. You'll use the first work persona to validate your Windows Hello for Business deployment.
If you decide to use FIDO2 security keys, follow the [Enable security key sign-in to Windows guide](/entra/identity/authentication/howto-authentication-passwordless-security-key-windows) to learn how to adopt FIDO2 security keys.
> [!NOTE]
> Deployments vary based on how the device is joined to Microsoft Entra ID. Review the planning guide and deployment guide to learn the type of infrastructure required to support your devices.
## Validate passwords and Windows Hello for Business or FIDO2 security keys
In this first step, passwords and your password replacement choice must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business or security keys, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas.
:::image type="content" source="images/lock-screen.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint, PIN and password credential providers." border="false":::
## Next steps
Before you move to step 2, make sure you've:
> [!div class="checklist"]
> - Selected your targeted work persona
> - Identified your test users who represent the targeted work persona
> - Deployed Windows Hello for Business or FIDO2 security keys to test users
> - Validated that both your password replacement choice and passwords work for the test users
> [!div class="nextstepaction"]
>
> [Step 2: reduce the user-visible password surface area >](journey-step-2.md)

105
windows/security/identity-protection/passwordless-strategy/journey-step-2.md Normal file
View File

@ -0,0 +1,105 @@
---
title: Reduce the user-visible password surface area
description: Learn about how to reduce the user-visible password surface area, the second step of the Microsoft passwordless journey.
ms.topic: concept-article
ms.date: 12/13/2023
---
# Reduce the user-visible password surface area
:::row:::
:::column span="1":::
:::image type="icon" source="images/step-1-off.svg" border="false" link="journey-step-1.md":::
:::column-end:::
:::column span="1":::
:::image type="icon" source="images/step-2-on.svg" border="false" link="journey-step-2.md":::
:::column-end:::
:::column span="1":::
:::image type="icon" source="images/step-3-off.svg" border="false" link="journey-step-3.md":::
:::column-end:::
:::column span="1":::
:::image type="icon" source="images/step-4-off.svg" border="false":::
:::column-end:::
:::row-end:::
## Survey test user workflow for password usage
Now is the time to learn more about the targeted work persona. You should have a list of applications they use, but you don't know what, why, when, and how frequently. This information is important as you further your progress through step 2. Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: document password usage. This list isn't a comprehensive one, but it gives you an idea of the type of information you want. The goal is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions:
| :ballot_box_with_check: | Question |
|--|--|
| :black_square_button: | *What's the name of the application that asked for a password?* |
| :black_square_button: | *Why do they use the application that asked for a password? For example, is there more than one application that can do the same thing?* |
| :black_square_button: | *What part of their workflow makes them use the application? Try to be as specific as possible. For example, "I use application x to issue credit card refunds for amounts over y."* |
| :black_square_button: | *How frequently do you use the application in a given day or week?* |
| :black_square_button: | *Is the password you type into the application the same as the password you use to sign-in to Windows?* |
Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being passwordless.
## Identify password usage and plan, develop, and deploy password mitigations
Your test users have provided you valuable information that describes how, what, why, and when they use a password. It's now time for your team to identify each of these password use cases and understand why the user must use a password.\
Create a list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the ser is prompted by a password. Include relevant, but accurate details. If it's policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password.
Keep in mind your test users won't uncover all scenarios. Some scenarios you'll need to force on your users because they're low percentage scenarios. Remember to include the following scenarios:
- Provisioning a new brand new user without a password
- Users who forget the PIN or other remediation flows when the strong credential is unusable
Next, review your list of scenarios. You can start with the workflows that are dictated by process or policy, or you can begin with workflows that need technical solutions, whichever of the two is easier or quicker. This choice varies by organization.
Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to educe the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded.
Mitigating password usage with applications is one of the more challenging obstacles in the passwordless journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS).
The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Microsoft Entra ID or Active Directory. Work with the applications vendors to have them add support for Microsoft Entra identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
Each scenario on your list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to integrate in your Microsoft Entra ID tenant, use federated identities, or use Windows integrated authentication. Work with third-party software vendors to update their software to integraate in Microsoft Entra ID, support federated identities, or use Windows integrated authentication.
## Repeat until all user password usage is mitigated
Some or all of your mitigations are in place. You need to validate that your solutions have solved their problem statements. This stage is where you rely on your test users. You want to keep a good portion of your first test users, but this point is a good opportunity to replace or add a few. Survey test users workflow for password usage. If all goes well, you've closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you're stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you're out of options, contact Microsoft for assistance.
## Remove password capabilities from Windows
You believe you've mitigated all the password usage for the targeted work persona. Now comes the true test: configure Windows so the user can't use a password.
Windows provides three ways to prevent your users from using passwords. The following table describes the options and their pros and cons:
| Option | Description | Supported on | Pros | Cons |
| -|-|-|-|-|
| Passwordless experience | -|-|-|-|
| Interactive logon security policy to exclude the password credential provider| -|-|-|-|
| Interactive logon security policy to to only allow Windows Hello for Business or FIDO 2 security keys sign-ins and unlocks| -|-|-|-|
The following image shows the Windows lock screen when Windows passwordless experience is enabled. A user enrolled in Windows Hello for Business doesn't have the option to use a password to sign in:
:::image type="content" source="images/passwordless-experience.png" alt-text="Screenshot of the Windows lock screen with passwordless experience enabled." border="false":::
## Security policy
You can use the CSP or Group Policy to deploy an interactive logon security policy setting to the devices.
This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
### Excluding the password credential provider
You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**:
The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`.
Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This configuration prevents the user from entering a password using the credential provider. However, this change doesn't prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
### Validate that none of the workflows needs passwords
This stage is the significant moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users won't be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Don't forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or can't use their strong credential. Ensure those scenarios are validated as well.
## Next steps
> [!div class="nextstepaction"]
> Congratulations! You're ready to transition one or more portions of your organization to a passwordless deployment. You've validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You're just a few steps away from declaring success.
>
> [Step 3: transition into a passwordless deployment >](journey-step-3.md)

145
windows/security/identity-protection/passwordless-strategy/journey-step-3.md Normal file
View File

@ -0,0 +1,145 @@
---
title: Transition into a passwordless deployment
description: Learn about how to transition into a passwordless deployment, the third step of the Microsoft passwordless journey.
ms.topic: concept-article
ms.date: 12/13/2023
---
# Transition into a passwordless deployment
:::row:::
:::column span="1":::
:::image type="icon" source="images/step-1-off.svg" border="false" link="journey-step-1.md":::
:::column-end:::
:::column span="1":::
:::image type="icon" source="images/step-2-off.svg" border="false" link="journey-step-2.md":::
:::column-end:::
:::column span="1":::
:::image type="icon" source="images/step-3-on.svg" border="false" link="journey-step-3.md":::
:::column-end:::
:::column span="1":::
:::image type="icon" source="images/step-4-off.svg" border="false":::
:::column-end:::
:::row-end:::
## Awareness and user education
In this last step, you're going to include the remaining users that fit the targeted work persona to the passwordless deployment. Before you do this step, you want to invest in an awareness campaign.
An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience.
## Include remaining users that fit the work persona
You've implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being passwordless. Add the remaining users that match the targeted work persona to your deployment.
## Validate that none of the users of the work personas need passwords
You've successfully transitioned all users for the targeted work persona to being passwordless. Monitor the users within the work persona to ensure they don't encounter any issues while working in a passwordless environment.
Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, consider the following questions:
| :ballot_box_with_check: | Question |
|--|--|
| :black_square_button: | *Is the reporting user performing a task outside the work persona?* |
| :black_square_button: | *Is the reported issue affecting the entire work persona, or only specific users?* |
| :black_square_button: | *Is the outage a result of a misconfiguration?* |
| :black_square_button: | *Is the outage an overlooked gap from step 2?* |
Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process.
Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this outcome isn't the end goal, but don't let it slow down your momentum towards becoming passwordless. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it.
## Configure user accounts to disallow password authentication
You transitioned all the users for the targeted work persona to a passwordless environment and you've successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords.
### Users defined in Active Directory
If your users are defined in Active Directory, you can change their password to random data and prevent interactive password sign-ins using an account configuration on the user object.
:::row:::
:::column span="2":::
The account options on a user account include the option **Smart card is required for interactive logon**, also known as *SCRIL*.
> [!NOTE]
> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller.
:::column-end:::
:::column span="2":::
:::image type="content" source="images/user-properties-aduc.png" alt-text="Example user properties in Active Directory Users and Computers that shows the SCRIL setting on Account options." lightbox="images/user-properties-aduc.png" border="false":::
:::column-end:::
:::row-end:::
When you configure a user account for SCRIL:
- Active Directory changes the affected user's password to a random 128 bits of data
- Domain controllers don't allow the user to sign-in interactively with a password
- Users no longer need to change their password when it expires, because passwords for SCRIL users don't expire
The users are effectively password-less because:
- They don't know their password
- Their password is 128 random bits of data and is likely to include non-typable characters
- The user isn't asked to change their password
- Domain controllers don't allow passwords for interactive authentication
The following image shows the SCRIL setting for a user in Active Directory Administrative Center:
:::image type="content" source="images/user-properties-adac.png" alt-text="Example user properties in Active Directory Administrative Center that shows the SCRIL setting." border="false" lightbox="images/user-properties-adac.png":::
> [!TIP]
> Windows Hello for Business was formerly known as *Microsoft Passport*.
The following image shows the message on the Windows lock screen when a SCRIL-enabled user tries to sign in with a password from an Active Directory joined device:
:::image type="content" source="images/lock-screen-scril.png" alt-text="Screenshot of the Windows lock screen showing the SCRIL message." border="false":::
#### Automatic password change for SCRIL configured users
Domains configured for Windows Server 2016 or later domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users.
In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128-bit password for the user as part of the authentication. This feature is great because your users don't experience any change password notifications or any authentication outages.
:::image type="content" source="images/domain-properties-adac.png" alt-text="The Active Directory Administrative Center on Windows Server 2016 showing the domain setting for SCRIL." border="false":::
> [!NOTE]
> Some components within Windows, such as *Data Protection APIs* and *NTLM authentication*, still need artifacts of a user possessing a password. The SCRIL option provides interoperability by reducing the password usage surface, while Microsoft continues to close the gaps to remove the password completely.
### Cloud-only users
If your users are defined in Microsoft Entra ID and not synchronized from Active Directory (cloud-only), you can use the Microsoft Graph API to change the user's password to a random value.
The following sample PowerShell script generates a random password of 64 characters and sets it for the user specified in the variable name $userId.
Modify the **userId** variable of the script to match your environment (first line), and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, use the credentials of an account with a role capable of resetting passwords.
```powershell
$userId = "<UPN of the user>"
function Generate-RandomPassword{
[CmdletBinding()]
param (
[int]$Length = 64
)
$chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{};:,.<>/?\|`~"
$random = New-Object System.Random
$password = ""
for ($i = 0; $i -lt $Length; $i++) {
$index = $random.Next(0, $chars.Length)
$password += $chars[$index]
}
return $password
}
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Users.Actions
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All" -NoWelcome
$passwordParams = @{
UserId = $userId
AuthenticationMethodId = "28c10230-6103-485e-b985-444c60001490"
NewPassword = Generate-RandomPassword
}
Reset-MgUserAuthenticationMethodPassword @passwordParams
```

9
windows/security/identity-protection/passwordless-strategy/toc.yml Normal file
View File

@ -0,0 +1,9 @@
items:
- name: Overview
href: index.md
- name: 1. Deploy password replacement options
href: journey-step-1.md
- name: 2. Reduce the password surface area
href: journey-step-2.md
- name: 3. Transition into a passwordless deployment
href: journey-step-3.md