Merge pull request #10790 from paolomatarazzo/pm-20250421-whfb

Notes about VBS starting on 24H2
2025-05-12 13:27:23 +00:00 · 2025-04-21 22:08:21 +05:30 · 2025-04-21 22:08:21 +05:30 · 8c6481b3cf
commit 8c6481b3cf
parent 42aedcfd34 a9ec7171e5
2 changed files with 6 additions and 0 deletions
--- a/windows/security/identity-protection/hello-for-business/includes/expiration.md
+++ b/windows/security/identity-protection/hello-for-business/includes/expiration.md
@ -15,3 +15,6 @@ The default value is 0.
 |--|--|
 | **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityexpiration](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityexpiration)<br><br>`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityexpiration](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityexpiration) |
 | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**|
+
+> [!NOTE]
+> Starting with Windows 11, version 24H2, Windows Hello is further hardened by default to use Virtualization-based security (VBS) to isolate credentials. This enhancement is automatically applied on devices that support VBS and have it enabled. However, it's important to note that PIN expiration is not supported on such devices. This change aims to enhance security by ensuring that credentials are protected in a more secure environment.
--- a/windows/security/identity-protection/hello-for-business/includes/history.md
+++ b/windows/security/identity-protection/hello-for-business/includes/history.md
@ -18,3 +18,6 @@ The default value is 0.
 |--|--|
 | **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityhistory](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityhistory)<br><br>`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityhistory](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityhistory) |
 | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
+
+> [!NOTE]
+> Starting with Windows 11, version 24H2, Windows Hello is further hardened by default to use Virtualization-based security (VBS) to isolate credentials. This enhancement is automatically applied on devices that support VBS and have it enabled. However, it's important to note that PIN history is not supported on such devices. This change aims to enhance security by ensuring that credentials are protected in a more secure environment.