mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 21:37:22 +00:00
Merge branch 'main' into pm-20240708-BitLocker
This commit is contained in:
commit
8b71a859a6
@ -37,7 +37,7 @@ Use the following instructions to configure your devices using either Microsoft

Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business *authentication certificate* template.

The process requires no user interaction, provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
The process requires no user interaction, provided the user signs in using Windows Hello for Business. The certificate is renewed in the background before it expires.

[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]

@ -135,6 +135,6 @@ To better understand the authentication flows, review the following sequence dia

<!--links-->

[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[MEM-1]: /mem/intune/configuration/custom-settings-configure

@ -34,7 +34,7 @@ ms.topic: tutorial

## Federated authentication to Microsoft Entra ID

Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. You must also configure the AD FS farm to support Azure registered devices.
Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. You must also configure the AD FS farm to support Microsoft Entra registered devices.

If you're new to AD FS and federation services:

@ -82,9 +82,9 @@ During Windows Hello for Business provisioning, users receive a sign-in certific
> [Next: configure and validate the Public Key Infrastructure >](hybrid-cert-trust-pki.md)

<!--links-->
[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
[AZ-10]: /azure/active-directory/devices/howto-hybrid-azure-ad-join#federated-domains
[AZ-11]: /azure/active-directory/devices/hybrid-azuread-join-manual
[AZ-8]: /entra/identity/devices/hybrid-join-plan
[AZ-10]: /entra/identity/devices/how-to-hybrid-join#federated-domains
[AZ-11]: /entra/identity/devices/hybrid-join-manual

[SER-2]: /windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm
[SER-3]: /windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts

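Review bot: the `#federated-domains` fragment on [AZ-10] is carried over unchanged onto the renamed `/entra/identity/devices/how-to-hybrid-join` page; heading slugs often change when a page is migrated, and a stale fragment fails silently (the page loads, the reader lands at the top). Please confirm the anchor still exists on the new page before merging.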
@ -202,7 +202,7 @@ The following scenarios aren't supported using Windows Hello for Business cloud

<!--Links-->

[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[ENTRA-1]: /entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module
[MEM-1]: /mem/intune/configuration/custom-settings-configure

@ -108,7 +108,7 @@ To better understand the authentication flows, review the following sequence dia
- [Microsoft Entra join authentication to Active Directory using a key](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-active-directory-using-a-key)

<!--links-->
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
[AZ-5]: /entra/identity/hybrid/connect/how-to-connect-sync-feature-scheduler
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[MEM-1]: /mem/intune/configuration/custom-settings-configure

@ -146,7 +146,9 @@ The goal of Windows Hello for Business is to move organizations away from passwo
- On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from non-Microsoft options that offer an AD FS MFA adapter. For more information, see [Microsoft and non-Microsoft additional authentication methods][SER-2]

> [!IMPORTANT]
> As of July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication. Existing deployment where the MFA Server was activated prior to July 1, 2019 can download the latest version, future updates, and generate activation credentials. For more information, see [Getting started with the Azure Multi-Factor Authentication Server][ENTRA-2].
> Beginning July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication.
>
>Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](/entra/identity/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication) to the cloud-based Azure MFA.

|| Deployment model | MFA options |
|--|--|--|
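Review bot: the new callout line `>Beginning September 30, 2024, ...` is missing the space after `>` that every other callout line in this hunk uses; style-wise it should read `> Beginning September 30, 2024, ...`. This same paragraph is pasted verbatim in two more places in this file (after the directory synchronization table and after the licensing table); since the file already pulls shared text in with `[!INCLUDE ...]`, consider moving the retirement notice into an include so the three copies can't drift when the wording or the migration link changes.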
@ -159,7 +161,6 @@ The goal of Windows Hello for Business is to move organizations away from passwo
For more information:

- [Configure Microsoft Entra multifactor authentication settings][ENTRA-4]
- [Configure Azure MFA as authentication provider with AD FS][SER-1]
- [Manage an external authentication method in Microsoft Entra ID][ENTRA-11]

#### MFA and federated authentication
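Review bot: the hunk counts (`-159,7 +161,6`) show one line leaving this "For more information" list while three bullets are visible; whichever bullet is removed, its reference-style link definition in the `<!--links-->` block at the end of the file should go with it (the later hunk at `-302,7 +308,6` also drops one definition, so please confirm the two removals are the same reference). A definition left behind is harmless, but a bullet left behind without its definition renders as literal `[text][REF]`.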
@ -205,6 +206,9 @@ Hybrid and on-premises deployments use directory synchronization, however, each
| **Hybrid** | Microsoft Entra Connect Sync|
| **On-premises** | Azure MFA server |

> [!IMPORTANT]
>Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](/entra/identity/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication) to the cloud-based Azure MFA.

## Device configuration options

Windows Hello for Business provides a rich set of granular policy settings. There are two main options to configure Windows Hello for Business: configuration service provider (CSP) and group policy (GPO).
@ -240,6 +244,9 @@ Here are some considerations regarding licensing requirements for cloud services
| **🔲** | **On-premises** | Key | Azure MFA, if used as MFA solution |
| **🔲** | **On-premises** | Certificate | Azure MFA, if used as MFA solution |

> [!IMPORTANT]
>Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](/entra/identity/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication) to the cloud-based Azure MFA.

## Operating System requirements

### Windows requirements
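Review bot: this is the third verbatim copy of the MFA Server retirement callout in this file (same missing space after `>`); the table rows above it still list "Azure MFA, if used as MFA solution" for on-premises deployments, which reads as if the on-premises MFA Server remains an option. Consider either qualifying those two rows or pointing them at the callout, so the table and the notice don't contradict each other after September 30, 2024.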
@ -291,7 +298,6 @@ Now that you've read about the different deployment options and requirements, yo
<!--links-->

[ENTRA-1]: /entra/identity/authentication/concept-mfa-howitworks
[ENTRA-2]: /entra/identity/authentication/howto-mfaserver-deploy
[ENTRA-3]: /entra/identity/hybrid/connect/how-to-connect-sync-whatis
[ENTRA-4]: /entra/identity/authentication/howto-mfa-mfasettings
[ENTRA-5]: /entra/identity/devices/hybrid-join-plan
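Review bot: the counts (`-291,7 +298,6`) show one definition removed from this block; that should be `[ENTRA-2]`, since the rewritten MFA Server callout earlier in the file no longer links to "Getting started with the Azure Multi-Factor Authentication Server". Please confirm no other `[ENTRA-2]` reference remains in the file, otherwise that link will render as plain text.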
@ -302,7 +308,6 @@ Now that you've read about the different deployment options and requirements, yo
[ENTRA-10]: /entra/identity/hybrid/connect/whatis-fed
[ENTRA-11]: /entra/identity/authentication/how-to-authentication-external-method-manage

[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
[SER-2]: /windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods

[KB-1]: https://support.microsoft.com/topic/5010415

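Review bot: one more definition leaves this block (`-302,7 +308,6`); `[SER-2]` is still used by the on-premises bullet in the MFA section and `[ENTRA-11]` by the "For more information" list, so the candidate is `[SER-1]` ("Configure Azure MFA as authentication provider with AD FS"). If that is the one removed, make sure the matching bullet in the "For more information" list is the line dropped there, so the body and the link block stay in step.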
@ -37,7 +37,7 @@ Follow the instructions below to configure your devices using either Microsoft I

Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business *authentication certificate* template.

The process requires no user interaction, provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
The process requires no user interaction, provided the user signs in using Windows Hello for Business. The certificate is renewed in the background before it expires.

[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]

@ -86,4 +86,4 @@ To better understand the provisioning flows, review the following sequence diagr
- [Provisioning in an on-premises certificate trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-certificate-trust-deployment-model)

<!--links-->
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd

@ -62,4 +62,4 @@ To better understand the provisioning flows, review the following sequence diagr

- [Provisioning in an on-premises key trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-key-trust-deployment-model)

[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd

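Review bot: style nit while you're in this file: the link definition here sits directly under the bullet list without the `<!--links-->` marker comment that the sibling certificate-trust file (previous hunk) and the other deployment pages use before their link blocks. Adding it keeps the files consistent for anyone grepping for link blocks.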
@ -150,7 +150,7 @@ sections:

It's possible to Microsoft Entra register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business.

For more information, see [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register).
For more information, see [Microsoft Entra registered devices](/entra/identity/devices/concept-device-registration).
- question: Does Windows Hello for Business work with non-Windows operating systems?
answer: |
Windows Hello for Business is a feature of the Windows platform.
@ -162,7 +162,7 @@ sections:
Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".

> [!NOTE]
> The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
> The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/entra/identity/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
- question: Which is a better or more secure for of authentication, key or certificate?
answer: |
Both types of authentication provide the same security; one is not more secure than the other.
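Review bot: the unchanged context line `- question: Which is a better or more secure for of authentication, key or certificate?` has a typo ("for of" should be "form of"); since this is a user-facing FAQ question and the line is already in the hunk's context, it's worth fixing in the same change.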
@ -203,7 +203,7 @@ sections:
questions:
- question: What is Windows Hello for Business cloud Kerberos trust?
answer: |
Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/deploy).
Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/deploy).
- question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
answer: |
This feature doesn't work in a pure on-premises AD domain services environment.
@ -213,7 +213,7 @@ sections:
- question: Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
answer: |
Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when:
- a user signs-in for the first time or unlocks with Windows Hello for Business after provisioning
- a user signs in for the first time or unlocks with Windows Hello for Business after provisioning
- attempting to access on-premises resources secured by Active Directory
- question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
answer: |

@ -15,7 +15,7 @@ PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to

### Identify PIN Reset allowed domains issue

The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Microsoft Entra join devices. Typically, the UI displays an Azure authentication page, where the user authenticates using Microsoft Entra credentials and completes MFA.
The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Microsoft Entra join devices. Typically, the UI displays an authentication page, where the user authenticates using Microsoft Entra credentials and completes MFA.

In federated environments, authentication may be configured to route to AD FS or a non-Microsoft identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it fails and displays the *We can't open that page right now* error, if the domain for the server page isn't included in an allowlist.

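Review bot: the rewritten sentence still says "on Microsoft Entra join devices"; the term used everywhere else on this page (including the hunk header context, "PIN reset on Microsoft Entra joined devices") is "joined". Suggest `... for the PIN experience on Microsoft Entra joined devices.` since the line is being edited anyway.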
@ -23,7 +23,7 @@ If you're a customer of *Azure US Government* cloud, PIN reset also attempts to

### Resolve PIN Reset allowed domains issue

To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [Configure allowed URLs for federated identity providers on Microsoft Entra joined devices](hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-azure-ad-joined-devices).
To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [Configure allowed URLs for federated identity providers on Microsoft Entra joined devices](hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-microsoft-entra-joined-devices).

## Hybrid key trust sign in broken due to user public key deletion

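Review bot: the anchor on the `hello-feature-pin-reset.md` link changes from `#...-on-azure-ad-joined-devices` to `#...-on-microsoft-entra-joined-devices`, but this diff doesn't touch `hello-feature-pin-reset.md`. Please confirm that file's heading already reads "Configure allowed URLs for federated identity providers on Microsoft Entra joined devices" (so the slug matches); a mismatched in-repo anchor is exactly the kind of break the docs build won't fail on.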
@ -40,7 +40,7 @@ If the error occurs again, check the error code against the following table to s
| 0x80090035 | Policy requires TPM and the device doesn't have TPM. | Change the Windows Hello for Business policy to not require a TPM. |
| 0x80090036 | User canceled an interactive dialog. | User is asked to try again. |
| 0x801C0003 | User isn't authorized to enroll. | Check if the user has permission to perform the operation. |
| 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). |
| 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/entra/identity/devices/manage-device-identities). |
| 0x801C000F | Operation successful, but the device requires a reboot. | Reboot the device. |
| 0x801C0010 | The AIK certificate isn't valid or trusted. | Sign out and then sign in again. |
| 0x801C0011 | The attestation statement of the transport key is invalid. | Sign out and then sign in again. |
@ -53,7 +53,7 @@ If the error occurs again, check the error code against the following table to s
| 0x801C03EA | Server failed to authorize user or device. | Check if the token is valid and user has permission to register Windows Hello for Business keys. |
| 0x801C03EB | Server response http status isn't valid | Sign out and then sign in again. |
| 0x801C03EC | Unhandled exception from server. | sign out and then sign in again. |
| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but wasn't performed. <br><br> -or- <br><br> Token wasn't found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User doesn't have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin. <br> Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings. |
| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but wasn't performed. <br><br> -or- <br><br> Token wasn't found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User doesn't have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Microsoft Entra ID and rejoin. <br> Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings. |
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
| 0x801C03F2 | Windows Hello key registration failed. | ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address. |

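Review bot: two small consistency nits in the context rows of this table while the 0x801C03ED row is being edited: the 0x801C03EC remediation reads `sign out and then sign in again.` (lowercase) where every neighbouring row uses `Sign out ...`, and the 0x801C03EB description `Server response http status isn't valid` lacks the trailing period the other descriptions have ("HTTP" would also match house style).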
@ -71,7 +71,7 @@ Sign-in to computer running Microsoft Entra Connect with access equivalent to *l
The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph.

1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer)
1. Select **Sign in to Graph Explorer** and provide Azure credentials
1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials

> [!NOTE]
> To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted
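Review bot: the context line just above the edited step misspells the Graph property as `onPremisesDistingushedNamne`; the actual attribute is `onPremisesDistinguishedName`, and because this page tells admins to check it in Graph Explorer, a reader who copies the name will get nothing back. Worth correcting in this change. The NOTE's link target `/graph/api/user-get?` also carries a stray trailing `?` that should be dropped.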
@ -487,7 +487,7 @@ Certificate enrollment for Microsoft Entra joined devices occurs over the Intern

Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Microsoft Entra Application Proxies.

Microsoft Entra Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Microsoft Entra Application Proxies. You can create connector groups in Microsoft Entra ID to assign specific connectors to service specific applications.
Microsoft Entra Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](/entra/identity/app-proxy/#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Microsoft Entra Application Proxies. You can create connector groups in Microsoft Entra ID to assign specific connectors to service specific applications.

Connector group automatically round-robin, load balance the Microsoft Entra application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Microsoft Entra application proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.

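Review bot: the new target `/entra/identity/app-proxy/#what-is-application-proxy` has a trailing slash before the fragment, unlike every other `/entra/...` link in this change, which suggests it points at a section index rather than an article; please check that the `#what-is-application-proxy` heading actually exists on whatever `/entra/identity/app-proxy/` resolves to, or link the specific overview article instead.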
@ -49,7 +49,7 @@ To register the applications, follow these steps:

:::row:::
:::column span="3":::
1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator). Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in as at least an [Application Administrator][ENT-2]. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
:::column-end:::
:::column span="1":::
:::image type="content" alt-text="Screenshot showing the PIN reset service permissions page." source="images/pin-reset/pin-reset-service-prompt.png" lightbox="images/pin-reset/pin-reset-service-prompt.png" border="true":::
@ -57,7 +57,7 @@ To register the applications, follow these steps:
:::row-end:::
:::row:::
:::column span="3":::
2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator). Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign as at least an [Application Administrator][ENT-2]. Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
:::column-end:::
:::column span="1":::
:::image type="content" alt-text="Screenshot showing the PIN reset client permissions page." source="images/pin-reset/pin-reset-client-prompt.png" lightbox="images/pin-reset/pin-reset-client-prompt.png" border="true":::
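Review bot: the rewritten step 2 still reads `and sign as at least an [Application Administrator][ENT-2]`, carrying over the missing "in" from the old line; step 1 in the previous hunk has it right (`sign in as at least`). Suggest `... and sign in as at least an [Application Administrator][ENT-2].` since the line is being touched anyway.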
@ -76,7 +76,7 @@ To register the applications, follow these steps:

### Confirm that the two PIN Reset service principals are registered in your tenant

1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com)
1. Sign in to the [Microsoft Entra Manager admin center][ENTRA]
1. Select **Microsoft Entra ID > Applications > Enterprise applications**
1. Search by application name "Microsoft PIN" and verify that both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** are in the list
:::image type="content" alt-text="PIN reset service permissions page." source="images/pin-reset/pin-reset-applications.png" lightbox="images/pin-reset/pin-reset-applications-expanded.png":::
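Review bot: the link text "Microsoft Entra Manager admin center" is kept on the new line, but the portal at the `[ENTRA]` target (https://entra.microsoft.com) is branded "Microsoft Entra admin center"; "Manager" looks like a leftover and should be dropped from the link text while the line is being rewritten.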
@ -103,7 +103,7 @@ The following instructions provide details how to configure your devices. Select
>[!NOTE]
> You can also configure PIN recovery from the **Endpoint security** blade:
>
> 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
> 1. Sign in to the [Microsoft Intune admin center][INTUNE]
> 1. Select **Endpoint security > Account protection > Create Policy**

Alternatively, you can configure devices using a [custom policy][INT-1] with the [PassportForWork CSP][CSP-1].
@ -113,7 +113,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
| `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`| Boolean | True |

>[!NOTE]
> You must replace `TenantId` with the identifier of your Microsoft Entra tenant. To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
> You must replace `TenantId` with the identifier of your Microsoft Entra tenant. To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID][ENT-3] or try the following, ensuring to sign-in with your organization's account::

```msgraph-interactive
GET https://graph.microsoft.com/v1.0/organization?$select=id
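Review bot: the rewritten NOTE line keeps two defects from the old one: the double colon at the end (`account::`) and `ensuring to sign-in with` (verb, so `sign in`, matching the "signs in" fixes made elsewhere in this change). Suggest `... or try the following, ensuring to sign in with your organization's account:`.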
@ -133,7 +133,7 @@ GET https://graph.microsoft.com/v1.0/organization?$select=id

#### Confirm that PIN Recovery policy is enforced on the devices

The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) from the command line. This state can be found under the output in the user state section as the **CanReset** line item. If **CanReset** reports as DestructiveOnly, then only destructive PIN reset is enabled. If **CanReset** reports DestructiveAndNonDestructive, then nondestructive PIN reset is enabled.
The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**][ENT-4] from the command line. This state can be found under the output in the user state section as the **CanReset** line item. If **CanReset** reports as DestructiveOnly, then only destructive PIN reset is enabled. If **CanReset** reports DestructiveAndNonDestructive, then nondestructive PIN reset is enabled.

**Sample User state Output for Destructive PIN Reset**

@ -233,12 +233,18 @@ For Microsoft Entra hybrid joined devices:
|
||||
> [!NOTE]
|
||||
> Key trust on Microsoft Entra hybrid joined devices doesn't support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
|
||||
|
||||
You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Microsoft Entra self-service password reset at the Windows sign-in screen](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
|
||||
You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Microsoft Entra self-service password reset at the Windows sign-in screen][ENT-1].
|
||||
|
||||
<!--links-->
|
||||
|
||||
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
|
||||
[CSP-2]: /windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls
|
||||
[INT-1]: /mem/intune/configuration/settings-catalog
|
||||
[APP-1]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent
|
||||
[APP-2]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[CSP-2]: /windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls
[ENT-1]: /entra/identity/authentication/howto-sspr-windows#general-limitations
[ENT-2]: /entra/identity/role-based-access-control/permissions-reference#application-administrator
[ENT-3]: /entra/fundamentals/how-to-find-tenant
[ENT-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
[ENTRA]: https://entra.microsoft.com
[INT-1]: /mem/intune/configuration/settings-catalog
[INTUNE]: https://go.microsoft.com/fwlink/?linkid=2109431
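Review bot: the links block in this hunk drops the [APP-1] and [APP-2] definitions (the two `login.windows.net/.../authorize?...prompt=admin_consent` URLs) while adding [ENT-2], [ENT-3], [ENT-4], [ENTRA] and [INTUNE]; none of the added names is used in the visible prose, so confirm that every remaining `[APP-1]`/`[APP-2]` reference elsewhere in the file has been updated and that each new definition has a corresponding use, otherwise the file ends up with broken links or dead definitions. Also check that [CSP-1], [CSP-2] and [INT-1], which appear twice in the rendered hunk, are defined only once in the merged result.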
@ -14,7 +14,7 @@ Starting in **Windows 11, version 22H2**, WebAuthn APIs support ECC algorithms.
## What does this mean?
By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.md) or [FIDO2 Security Keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to implement passwordless multi-factor authentication for their applications on Windows devices.
By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.md) or [FIDO2 Security Keys][ENT-1] to implement passwordless multi-factor authentication for their applications on Windows devices.
Users of these apps or sites can use any browser that supports WebAuthn APIs for passwordless authentication. Users will have a familiar and consistent experience on Windows, no matter which browser they use.
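Review bot: the [ENT-1] substitution on the `FIDO2 Security Keys` line changes the link target, not only its form: the inline link pointed at /azure/active-directory/authentication/howto-authentication-passwordless-security-key, while [ENT-1] resolves to /entra/identity/authentication/how-to-enable-passkey-fido2; confirm that the passkey enablement page is the intended destination for a sentence about FIDO2 security keys rather than a redirect target picked up by a bulk link update.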
@ -69,7 +69,7 @@ FIDO2 authenticators have already been implemented and WebAuthn relying parties
- Keys for multiple accounts (keys can be stored per relying party)
- Client PIN
- Location (the authenticator returns a location)
- [Hash-based Message Authentication Code (HMAC)-secret](/dotnet/api/system.security.cryptography.hmac) (enables offline scenarios)
- [Hash-based Message Authentication Code (HMAC)-secret][NET-1] (enables offline scenarios)
The following options might be useful in the future, but haven't been observed in the wild yet:
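Review bot: the new [NET-1] reference keeps the old target, /dotnet/api/system.security.cryptography.hmac, which documents the .NET HMAC class rather than the CTAP2 hmac-secret authenticator extension that this bullet (`enables offline scenarios`) is about; since the line is being touched anyway, consider pointing the link at the hmac-secret extension section of the CTAP specification that the article references later, or dropping the link and keeping the plain text.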
@ -100,15 +100,26 @@ Here's an approximate layout of where the Microsoft bits go:
- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This scope for interaction means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn.
> [!NOTE]
> For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation](/microsoft-edge/dev-guide/windows-integration/web-authentication).
> For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation][EDGE-1].
- **Platform: Windows 10, Windows 11**. Windows 10 and Windows 11 host the Win32 Platform WebAuthn APIs.
- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. The reason is because there's already a strong ecosystem of products that specialize in strong authentication, and every customer (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. For more information on the ever-growing list of FIDO2-certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs.
- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. The reason is because there's already a strong ecosystem of products that specialize in strong authentication, and every customer (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. For more information on the ever-growing list of FIDO2-certified authenticators, see [FIDO Certified Products][EXT-1]. The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs.
## Developer references
The WebAuthn APIs are documented in the [Microsoft/webauthn](https://github.com/Microsoft/webauthn) GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications:
The WebAuthn APIs are documented in the [Microsoft/webauthn][EXT-2] GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications:
- [Web Authentication: An API for accessing Public Key Credentials](https://www.w3.org/TR/webauthn/) (available on the W3C site). This document is known as the WebAuthn spec.
- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html). This document is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication.
- [Web Authentication: An API for accessing Public Key Credentials][EXT-3] (available on the W3C site). This document is known as the WebAuthn spec.
- [Client to Authenticator Protocol (CTAP)][EXT-4]. This document is available at the [FIDO Alliance][EXT-5] site, on which hardware and platform teams are working together to solve the problem of FIDO authentication.
<!--links-->
[ENT-1]: /entra/identity/authentication/how-to-enable-passkey-fido2
[NET-1]: /dotnet/api/system.security.cryptography.hmac
[EDGE-1]: /microsoft-edge/dev-guide/windows-integration/web-authentication
[EXT-1]: https://fidoalliance.org/certification/fido-certified-products/
[EXT-2]: https://github.com/Microsoft/webauthn
[EXT-3]: https://www.w3.org/TR/webauthn/
[EXT-4]: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html
[EXT-5]: http://fidoalliance.org
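Review bot: [EXT-5] is defined as `http://fidoalliance.org`, a plain-HTTP URL (the old inline link was `http://fidoalliance.org/`); since the link is being converted anyway, define it as `https://fidoalliance.org/` so readers are not sent over an unencrypted connection that relies on a server-side redirect. Related: [EXT-4] points at the 2018 implementation draft of CTAP 2.0 (`fido-v2.0-id-20180227`), so consider linking the current CTAP specification rather than a dated draft.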