From 8d76dd57b6c99d3cd40d9c7cffdbf5a899af68e7 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 7 Sep 2023 08:10:49 -0400 Subject: [PATCH] updates --- .../hello-for-business/passwordless.md | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless.md b/windows/security/identity-protection/hello-for-business/passwordless.md index 355b0c568f..36d79348da 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless.md +++ b/windows/security/identity-protection/hello-for-business/passwordless.md @@ -1,6 +1,6 @@ --- title: Windows Hello for Business passwordless -description: Learn how Passwordless experience enables your organization to move away from passwords. +description: Learn how Windows Hello for Business passwordless enables your organization to move away from passwords. ms.collection: - highpri - tier1 @@ -34,7 +34,7 @@ This article explains how to enable Windows Hello for Business passwordless and ## System requirements -Windows Hello for Business passwordless experience has the following requirements: +Windows Hello for Business passwordless has the following requirements: - Windows 11, version 22H2 with [KB5030310][KB-1] or later - Microsoft Entra ID joined 
@@ -44,15 +44,15 @@ Windows Hello for Business passwordless experience has the following requirement >[!NOTE] >Microsoft Entra hybrid joined devices and Active Directory domain joined devices are currently out of scope. -## Enable Windows Hello for Business passwordless experience with Intune +## Enable Windows Hello for Business passwordless with Intune -[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)] +[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] | Category | Setting name | Value | |--|--|--| | **Authentication** | Enable Passwordless Experience | Enabled | -[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)] +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] Alternatively, you can configure devices using a [custom policy][INT-2] with the [Policy CSP][CSP-1]. 
@@ -66,24 +66,24 @@ Alternatively, you can configure devices using a [custom policy][INT-2] with the :::row::: :::column span="3"::: - **Passwordless experience turned off**: users can sign in using a password, as indicated by the presence of the password credential provider :::image type="icon" source="images/passwordless-experience/key-credential-provider.svg" border="false"::: in the Windows lock screen. + **Passwordless experience turned off**: users can sign in using a password, as indicated by the presence of the password credential provider :::image type="icon" source="images/passwordless/key-credential-provider.svg" border="false"::: in the Windows lock screen. :::column-end::: :::column span="1"::: - :::image type="content" source="images/passwordless-experience/lock-screen-off.png" lightbox="images/passwordless-experience/lock-screen-off.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint, PIN and password credential providers."::: + :::image type="content" source="images/passwordless/lock-screen-off.png" lightbox="images/passwordless/lock-screen-off.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint, PIN and password credential providers."::: :::column-end::: :::row-end::: :::row::: :::column span="3"::: - **Passwordless experience turned on**: the password credential provider :::image type="icon" source="images/passwordless-experience/key-credential-provider.svg" border="false"::: is missing for the last user who signed in with strong credentials. A user can either sign in using a strong credential or opt to use the *Other user* option to sign in with a password. + **Passwordless experience turned on**: the password credential provider :::image type="icon" source="images/passwordless/key-credential-provider.svg" border="false"::: is missing for the last user who signed in with strong credentials. 
A user can either sign in using a strong credential or opt to use the *Other user* option to sign in with a password. :::column-end::: :::column span="1"::: - :::image type="content" source="images/passwordless-experience/lock-screen-on.png" lightbox="images/passwordless-experience/lock-screen-on.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint and PIN credential providers only. The password credential provider is missing."::: + :::image type="content" source="images/passwordless/lock-screen-on.png" lightbox="images/passwordless/lock-screen-on.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint and PIN credential providers only. The password credential provider is missing."::: :::column-end::: :::row-end::: ### In-session authentication experiences -When Windows Hello for Business passwordless experience is enabled, users can't use the password credential provider for in-session authentication scenarios. In-session authentication scenarios include: +When Windows Hello for Business passwordless is enabled, users can't use the password credential provider for in-session authentication scenarios. In-session authentication scenarios include: - Password Manager in a web browser - Connecting to file shares or intranet sites @@ -92,7 +92,7 @@ When Windows Hello for Business passwordless experience is enabled, users can't >[!NOTE] > RDP sign in defaults to the strong credential used during sign-in. However, a suers can select the option *Use a different account* to sign in with a password. > -> *Run as different user* is not impacted by Windows Hello for Business passwordless experience. +> *Run as different user* is not impacted by Windows Hello for Business passwordless. Example of UAC elevation experience: 
@@ -101,7 +101,7 @@ Example of UAC elevation experience: **Passwordless experience turned off**: UAC elevation allows the user to authenticate using a password. :::column-end::: :::column span="1"::: - :::image type="content" source="images/passwordless-experience/uac-off.png" lightbox="images/passwordless-experience/uac-off.png" alt-text="Screenshot of the UAC prompt showing username and password fields."::: + :::image type="content" source="images/passwordless/uac-off.png" lightbox="images/passwordless/uac-off.png" alt-text="Screenshot of the UAC prompt showing username and password fields."::: :::column-end::: :::row-end::: :::row::: 
@@ -109,24 +109,24 @@ Example of UAC elevation experience: **Passwordless experience turned on**: UAC elevation doesn't allow the user to use the password credential provider for the currently logged on user. The user can authenticate using a strong credential or a local user account, if available. :::column-end::: :::column span="1"::: - :::image type="content" source="images/passwordless-experience/uac-on.png" lightbox="images/passwordless-experience/uac-on.png" alt-text="Screenshot of the UAC prompt showing fingerprint and PIN options only."::: + :::image type="content" source="images/passwordless/uac-on.png" lightbox="images/passwordless/uac-on.png" alt-text="Screenshot of the UAC prompt showing fingerprint and PIN options only."::: :::column-end::: :::row-end::: ## Recommendations -Here's a list of recommendations to consider before enabling Windows Hello for Business passwordless experience: +Here's a list of recommendations to consider before enabling Windows Hello for Business passwordless: -- If Windows Hello for Business is enabled, configure the [PIN reset](hello-for-business/hello-feature-pin-reset.md) feature to allow users to reset their PIN from the lock screen. The PIN reset experience is improved starting in Windows 11, version 22H2 with [KB5030310][KB-1] -- Don't configure the security policy *Interactive logon: Don't display last signed-in*, as it prevents Windows Hello for Business passwordless experience from working +- If Windows Hello for Business is enabled, configure the [PIN reset](hello-feature-pin-reset.md) feature to allow users to reset their PIN from the lock screen. The PIN reset experience is improved starting in Windows 11, version 22H2 with [KB5030310][KB-1] +- Don't configure the security policy *Interactive logon: Don't display last signed-in*, as it prevents Windows Hello for Business passwordless from working - Don't disable the password credential provider using the *Exclude credential providers* policy. 
The key differences between the two policies are: - - The *Exclude credential providers* policy disables passwords for *all accounts*, including local accounts. Windows Hello for Business passwordless experience only applies to Microsoft Entra ID accounts that sign in with strong credentials. It also excludes *Other User* from the policy, so users have a backup sign in option - - RDP and in-session authentication scenarios aren't supported with the Exclude credential providers policy. Windows Hello for Business passwordless experience hides passwords from in-session auth scenarios like Password Manager in a web browser, UAC prompts, etc. + - The *Exclude credential providers* policy disables passwords for *all accounts*, including local accounts. Windows Hello for Business passwordless only applies to Microsoft Entra ID accounts that sign in with strong credentials. It also excludes *Other User* from the policy, so users have a backup sign in option + - RDP and in-session authentication scenarios aren't supported with the Exclude credential providers policy. Windows Hello for Business passwordless hides passwords from in-session auth scenarios like Password Manager in a web browser, UAC prompts, etc. - To facilitate helpdesk support operations, consider enabling the local administrator account or create a separate one, randomizing its password using the [Windows Local Administrator Password Solution (LAPS)][SERV-1] ## Provide feedback -To provide feedback for Windows Hello for Business passwordless experience, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passwordless experience**. +To provide feedback for Windows Hello for Business passwordless, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passwordless experience**.
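Review bot: In the hunk at @@ -44,15 +44,15 @@, both INCLUDE paths now climb four levels (`../../../../includes/configure/...`), which from `windows/security/identity-protection/hello-for-business/` resolves to an `includes/configure/` folder at the repository root, where the previous three-level path resolved under `windows/`. Please confirm that `intune-settings-catalog-1.md` and `intune-settings-catalog-2.md` live at the root-level location and that the page builds with both includes rendered, since a wrong depth drops the Intune configuration steps from the published article.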
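Review bot: In the hunk at @@ -66,24 +66,24 @@ (and again in the two UAC hunks), every image `source` and `lightbox` moves from `images/passwordless-experience/` to `images/passwordless/`, but the diffstat reports only `passwordless.md` as changed, so no image files are renamed or added in this commit. Please confirm that `key-credential-provider.svg`, `lock-screen-off.png`, `lock-screen-on.png`, `uac-off.png` and `uac-on.png` already exist under `hello-for-business/images/passwordless/`, or include the asset move in the same change so the lock screen and UAC comparisons do not publish with broken images.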
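Review bot: In the hunk at @@ -92,7 +92,7 @@, the NOTE block being edited still carries a typo on the unchanged context line just above the modified one: "However, a suers can select the option *Use a different account*". Since this change already touches the block, fix it to "a user can select" in the same commit. The same sentence describes the password fallback for RDP, so it is worth having it read correctly.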
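Review bot: In the hunk at @@ -101,7 +101,7 @@, the label "**Passwordless experience turned off**" (and the matching "turned on" labels in the neighbouring hunks) keeps the old feature name, while the rest of the patch renames the feature to "Windows Hello for Business passwordless". If the labels are meant to mirror the Intune setting name *Enable Passwordless Experience*, say so once in the text; otherwise rename them so the article uses one term for the feature throughout.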
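Review bot: In the hunk at @@ -109,24 +109,24 @@, the rewritten sub-bullets under "The key differences between the two policies are:" are inconsistent with the rest of the page: the first writes "*Other User*" where the lock screen section uses "*Other user*", and the second leaves "Exclude credential providers" unitalicized although the policy name is italicized everywhere else. Both lines are already modified here, so align the casing and emphasis in this change. The corrected PIN reset link (`hello-feature-pin-reset.md`) is relative to `hello-for-business/`, which matches the file path in the diff header.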