deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into nimishasatapathy-5400951-part4

Browse Source
This commit is contained in:
Diana Hanson 2021-09-22 09:19:29 -06:00 committed by GitHub
commit 914c268a62
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
540 changed files with 3380 additions and 2884 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
windows/application-management/app-v/appv-evaluating-appv.md
View File

@ -18,6 +18,9 @@ ms.author: greglin
**Applies to**
- Windows 10, version 1607
> [!NOTE]
> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)]
Before you deploy App-V into a production environment, you should evaluate it in a lab environment. You can use the information in this topic to set up App-V in a lab environment for evaluation purposes only.
## Configure lab computers for App-V Evaluation

3
windows/application-management/app-v/appv-for-windows.md
View File

@ -16,6 +16,9 @@ ms.topic: article
>Applies to: Windows 10, version 1607
> [!NOTE]
> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)]
The topics in this section provide information and instructions to help you administer App-V and its components. This information is for system administrators who manage large installations with many servers and clients, and for support personnel who interact directly with the computers or users.
[Getting started with App-V](appv-getting-started.md)

3
windows/application-management/app-v/appv-getting-started.md
View File

@ -16,6 +16,9 @@ ms.topic: article
>Applies to: Windows 10, version 1607
> [!NOTE]
> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)]
Microsoft Application Virtualization (App-V) for Windows 10 delivers Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on an as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally.
With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise). If you're new to Windows 10 and App-V, youll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. To learn what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md).

3
windows/application-management/app-v/appv-planning-for-appv.md
View File

@ -16,6 +16,9 @@ ms.topic: article
>Applies to: Windows 10, version 1607
> [!NOTE]
> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)]
Use the following information to plan to deploy App-V without disrupting your existing network or user experience.
## Planning information

2
windows/application-management/apps-in-windows-10.md
View File

@ -134,7 +134,7 @@ When your apps are ready, you can add or deploy these apps to your Windows devic
- **Application Virtualization (App-V)**: App-V allows Win32 apps to be used as virtual apps.
> [!NOTE]
> Application Virtualization will be [end of life in April 2026](/lifecycle/announcements/mdop-extended). We recommend looking at **Azure Virtual desktop with MSIX app attach**. For more information, see [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) and [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal).
> [!INCLUDE [Application Virtualization will be end of life in April 2026](./includes/app-v-end-life-statement.md)]
On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they're installed locally.

12
windows/application-management/includes/app-v-end-life-statement.md Normal file
View File

@ -0,0 +1,12 @@
---
author: MandiOhlinger
ms.author: mandia
ms.date: 09/20/2021
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: w10
ms.topic: include
---
Application Virtualization will be [end of life in April 2026](/lifecycle/announcements/mdop-extended). We recommend looking at Azure Virtual Desktop with MSIX app attach. For more information, see [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) and [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal).

8
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

@ -284,7 +284,7 @@ ms.date: 10/08/2020
- [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol)
- [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression)
- [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification)
- ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption)
- [ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption)
- [ADMX_FileSys/EnablePagefileEncryption](./policy-csp-admx-filesys.md#admx-filesys-enablepagefileencryption)
- [ADMX_FileSys/LongPathsEnabled](./policy-csp-admx-filesys.md#admx-filesys-longpathsenabled)
- [ADMX_FileSys/ShortNameCreationSettings](./policy-csp-admx-filesys.md#admx-filesys-shortnamecreationsettings)
@ -299,6 +299,9 @@ ms.date: 10/08/2020
- [ADMX_FolderRedirection/LocalizeXPRelativePaths_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-2)
- [ADMX_FolderRedirection/PrimaryComputer_FR_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-1)
- [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2)
- [ADMX_FramePanes/NoReadingPane](./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane)
- [ADMX_FramePanes/NoPreviewPane](./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane)
- [ADMX_FTHSVC/WdiScenarioExecutionPolicy](./policy-csp-admx-fthsvc.md#admx-fthsvc-wdiscenarioexecutionpolicy)
- [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin)
- [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1)
- [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2)
@ -400,6 +403,7 @@ ms.date: 10/08/2020
- [ADMX_ICM/ShellRemovePublishToWeb_2](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-2)
- [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1)
- [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2)
- [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall)
- [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor)
- [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch)
- [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness)
@ -421,8 +425,10 @@ ms.date: 10/08/2020
- [ADMX_LanmanWorkstation/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-ciphersuiteorder)
- [ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enablehandlecachingforcafiles)
- [ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares)
- [ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy](./policy-csp-admx-leakdiagnostic.md#admx-leakdiagnostic-wdiscenarioexecutionpolicy)
- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio)
- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr)
- [ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1](./policy-csp-admx-locationprovideradm.md#admx-locationprovideradm-disablewindowslocationprovider_1)
- [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin)
- [ADMX_Logon/DisableAcrylicBackgroundOnLogon](./policy-csp-admx-logon.md#admx-logon-disableacrylicbackgroundonlogon)
- [ADMX_Logon/DisableExplorerRunLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-1)

55
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -1218,6 +1218,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### ADMX_FramePanes policies
<dl>
<dd>
<a href="./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane" id="admx-framepanes-noreadingpane">ADMX_FramePanes/NoReadingPane</a>
</dd>
<dd>
<a href="./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane" id="admx-framepanes-nopreviewpane">ADMX_FramePanes/NoPreviewPane</a>
</dd>
<dl>
### ADMX_FTHSVC policies
<dl>
<dd>
<a href="./policy-csp-admx-fthsvc.md#admx-fthsvc-wdiscenarioexecutionpolicy" id="admx-fthsvc-wdiscenarioexecutionpolicy">ADMX_FTHSVC/WdiScenarioExecutionPolicy</a>
</dd>
<dl>
### ADMX_Help policies
<dl>
<dd>
@ -1234,6 +1251,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### ADMX_HotSpotAuth policies
<dl>
<dd>
<a href="./policy-csp-admx-hotspotauth.md#admx-hotspotauth-hotspotauth_enable" id="admx-hotspotauth-hotspotauth_enable">ADMX_HotSpotAuth/HotspotAuth_Enable</a>
</dd>
</dl>
### ADMX_Globalization policies
<dl>
@ -1545,6 +1569,15 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### ADMX_IIS policies
<dl>
<dd>
<a href="./policy-csp-admx-iis.md#admx-iis-preventiisinstall
" id="admx-iis-preventiisinstall
">ADMX_IIS/PreventIISInstall</a>
</dd>
<dl>
### ADMX_kdc policies
<dl>
<dd>
@ -1626,6 +1659,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### ADMX_LeakDiagnostic policies
<dl>
<dd>
<a href="./policy-csp-admx-leakdiagnostic.md#admx-leakdiagnostic-wdiscenarioexecutionpolicy" id="admx-leakdiagnostic-wdiscenarioexecutionpolicy">ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy</a>
</dd>
<dl>
### ADMX_LinkLayerTopologyDiscovery policies
<dl>
<dd>
@ -1636,6 +1676,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### ADMX_LocationProviderAdm policies
<dl>
<dd>
<a href="./policy-csp-admx-locationprovideradm.md#admx-locationprovideradm-disablewindowslocationprovider_1" id="admx-locationprovideradm-disablewindowslocationprovider_1">ADMX_LocationProviderAdm/BlockUserFromShowingAccountDetailsOnSignin</a>
</dd>
<dl>
### ADMX_Logon policies
<dl>
@ -6079,6 +6127,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### Feeds policies
<dl>
<dd>
<a href="./policy-csp-feeds.md#feeds-feedsenabled" id="feeds-feedsenabled">Feeds/FeedsEnabled</a>
</dd>
</dl>
### FileExplorer policies
<dl>

193
windows/client-management/mdm/policy-csp-admx-framepanes.md Normal file
View File

@ -0,0 +1,193 @@
---
title: Policy CSP - ADMX_FramePanes
description: Policy CSP - ADMX_FramePanes
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.date: 09/14/2021
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_FramePanes
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_FramePanes policies
<dl>
<dd>
<a href="#admx-framepanes-noreadingpane">ADMX_FramePanes/NoReadingPane</a>
</dd>
<dd>
<a href="#admx-framepanes-nopreviewpane">ADMX_FramePanes/NoPreviewPane</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-framepanes-noreadingpane"></a>**ADMX_FramePanes/NoReadingPane**
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting shows or hides the Details Pane in File Explorer.
- If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user.
- If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user.
> [!NOTE]
> This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed at the same time.
- If you disable, or do not configure this policy setting, the Details Pane is hidden by default and can be displayed by the user.
This is the default policy setting.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn on or off details pane*
- GP name: *NoReadingPane*
- GP path: *Windows Components\File Explorer\Explorer Frame Pane*
- GP ADMX file name: *FramePanes.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-framepanes-nopreviewpane"></a>**ADMX_FramePanes/NoPreviewPane**
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Hides the Preview Pane in File Explorer.
- If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user.
- If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off Preview Pane*
- GP name: *NoPreviewPane*
- GP path: *Windows Components\File Explorer\Explorer Frame Pane*
- GP ADMX file name: *FramePanes.admx*
<!--/ADMXBacked-->
<!--/Policy-->
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

116
windows/client-management/mdm/policy-csp-admx-fthsvc.md Normal file
View File

@ -0,0 +1,116 @@
---
title: Policy CSP - ADMX_FTHSVC
description: Policy CSP - ADMX_FTHSVC
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.date: 09/15/2021
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_FTHSVC
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_FTHSVC policies
<dl>
<dd>
<a href="#admx-fthsvc-wdiscenarioexecutionpolicy">ADMX_FTHSVC/WdiScenarioExecutionPolicy</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-fthsvc-wdiscenarioexecutionpolicy"></a>**ADMX_FTHSVC/WdiScenarioExecutionPolicy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems.
- If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems.
- If you disable this policy setting, Windows cannot detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS.
If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.
This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed.
The DPS can be configured with the Services snap-in to the Microsoft Management Console.
No system restart or service restart is required for this policy setting to take effect: changes take effect immediately.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Scenario Execution Level*
- GP name: *WdiScenarioExecutionPolicy*
- GP path: *System\Troubleshooting and Diagnostics\Fault Tolerant Heap*
- GP ADMX file name: *FTHSVC.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

115
windows/client-management/mdm/policy-csp-admx-hotspotauth.md Normal file
View File

@ -0,0 +1,115 @@
---
title: Policy CSP - ADMX_HotSpotAuth
description: Policy CSP - ADMX_HotSpotAuth
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.date: 09/15/2021
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_HotSpotAuth
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_HotSpotAuth policies
<dl>
<dd>
<a href="#admx-hotspotauth-hotspotauth_enable">ADMX_HotSpotAuth/HotspotAuth_Enable</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-hotspotauth-hotspotauth_enable"></a>**ADMX_HotSpotAuth/HotspotAuth_Enable**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting defines whether WLAN hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol support.
- If a WLAN hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network.
- If authentication is successful, users will be connected automatically on subsequent attempts. Credentials can also be configured by network operators.
- If you enable this policy setting, or if you do not configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support.
- If you disable this policy setting, WLAN hotspots are not probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Hotspot Authentication*
- GP name: *HotspotAuth_Enable*
- GP path: *Network\Hotspot Authentication*
- GP ADMX file name: *HotSpotAuth.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

113
windows/client-management/mdm/policy-csp-admx-iis.md Normal file
View File

@ -0,0 +1,113 @@
---
title: Policy CSP - ADMX_IIS
description: Policy CSP - ADMX_IIS
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.date: 09/17/2021
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_IIS
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_IIS policies
<dl>
<dd>
<a href="#admx-iis-preventiisinstall">ADMX_IIS/PreventIISInstall</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-iis-preventiisinstall"></a>**ADMX_IIS/PreventIISInstall**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting prevents installation of Internet Information Services (IIS) on this computer.
- If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting.
Enabling this setting will not have any effect on IIS if IIS is already installed on the computer.
- If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run."
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Prevent IIS installation*
- GP name: *PreventIISInstall*
- GP path: *Windows Components\Internet Information Services*
- GP ADMX file name: *IIS.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

123
windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md Normal file
View File

@ -0,0 +1,123 @@
---
title: Policy CSP - ADMX_LeakDiagnostic
description: Policy CSP - ADMX_LeakDiagnostic
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.date: 09/17/2021
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_LeakDiagnostic
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_LeakDiagnostic policies
<dl>
<dd>
<a href="#admx-leakdiagnostic-wdiscenarioexecutionpolicy">ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-leakdiagnostic-wdiscenarioexecutionpolicy"></a>**ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.
- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
- If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message.
No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.
This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed.
The DPS can be configured with the Services snap-in to the Microsoft Management Console.
> [!NOTE]
> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure custom alert text*
- GP name: *WdiScenarioExecutionPolicy*
- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic*
- GP ADMX file name: *LeakDiagnostic.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policies-->
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

112
windows/client-management/mdm/policy-csp-admx-locationprovideradm.md Normal file
View File

@ -0,0 +1,112 @@
---
title: Policy CSP - ADMX_LocationProviderAdm
description: Policy CSP - ADMX_LocationProviderAdm
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.date: 09/20/2021
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_LocationProviderAdm
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_LocationProviderAdm policies
<dl>
<dd>
<a href="#admx-locationprovideradm-disablewindowslocationprovider_1">ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-locationprovideradm-disablewindowslocationprovider_1"></a>**ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting turns off the Windows Location Provider feature for this computer.
- If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature.
- If you disable or do not configure this policy setting, all programs on this computer can use the Windows Location Provider feature.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off Windows Location Provider*
- GP name: *DisableWindowsLocationProvider_1*
- GP path: *Windows Components\Location and Sensors\Windows Location Provider*
- GP ADMX file name: *LocationProviderAdm.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

484
windows/client-management/mdm/policy-csp-experience.md
View File

@ -37,9 +37,6 @@ manager: dansimp
<dd>
<a href="#experience-allowmanualmdmunenrollment">Experience/AllowManualMDMUnenrollment</a>
</dd>
<dd>
<a href="#experience-allownewsandinterestsonthetaskbar">Experience/AllowNewsAndInterestsOnTheTaskbar</a>
</dd>
<dd>
<a href="#experience-allowsaveasofofficefiles">Experience/AllowSaveAsOfOfficeFiles</a>
</dd>
@ -105,28 +102,34 @@ manager: dansimp
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -184,28 +187,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -252,28 +261,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -314,28 +329,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -384,28 +405,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -442,65 +469,6 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allownewsandinterestsonthetaskbar"></a>**Experience/AllowNewsAndInterestsOnTheTaskbar**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
Specifies whether to allow "News and interests" on the Taskbar.
<!--/Description-->
<!--SupportedValues-->
The values for this policy are 1 and 0. This policy defaults to 1.
- 1 - Default - News and interests feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode.
- 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="experience-allowsaveasofofficefiles"></a><b>Experience/AllowSaveAsOfOfficeFiles</b>
@ -531,28 +499,34 @@ This policy is deprecated.
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -589,28 +563,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -665,28 +645,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -735,28 +721,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -808,28 +800,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -880,28 +878,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -951,28 +955,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -1021,28 +1031,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -1093,28 +1109,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -1159,28 +1181,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>No</td>
<td>Yes</td>
</tr>
</table>
@ -1217,28 +1245,34 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -1286,28 +1320,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -1356,28 +1396,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -1426,28 +1472,34 @@ The following list shows the supported values:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -1512,36 +1564,40 @@ _**Turn syncing off by default but dont disable**_
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="experience-preventusersfromturningonbrowsersyncing"></a>**Experience/PreventUsersFromTurningOnBrowserSyncing**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -1615,28 +1671,34 @@ Validation procedure:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>

103
windows/client-management/mdm/policy-csp-feeds.md Normal file
View File

@ -0,0 +1,103 @@
---
title: Policy CSP - Feeds
description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device.
ms.author: v-nsatapathy
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.localizationpriority: medium
ms.date: 09/17/2021
ms.reviewer:
manager: dansimp
---
# Policy CSP - Feeds
<hr/>
<!--Policies-->
## Feeds policies
<dl>
<dd>
<a href="#feeds-feedsenabled">Feeds/FeedsEnabled</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="feeds-feedsenabled"></a>**Feeds/FeedsEnabled**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>No</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting specifies whether news and interests is allowed on the device.
The values for this policy are 1 and 0. This policy defaults to 1.
- 1 - Default - News and interests feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode.
- 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable news and interests on the taskbar*
- GP name: *FeedsEnabled*
- GP path: *Windows Components\News and interests*
- GP ADMX file name: *Feeds.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<!--/Policies-->

1125
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

File diff suppressed because it is too large Load Diff

12
windows/client-management/mdm/toc.yml
View File

@ -491,6 +491,10 @@ items:
href: policy-csp-admx-filesys.md
- name: ADMX_FolderRedirection
href: policy-csp-admx-folderredirection.md
- name: ADMX_FramePanes
href: policy-csp-admx-framepanes.md
- name: ADMX_FTHSVC
href: policy-csp-admx-fthsvc.md
- name: ADMX_Globalization
href: policy-csp-admx-globalization.md
- name: ADMX_GroupPolicy
@ -501,6 +505,8 @@ items:
href: policy-csp-admx-helpandsupport.md
- name: ADMX_ICM
href: policy-csp-admx-icm.md
- name: ADMX_IIS
href: policy-csp-admx-iis.md
- name: ADMX_kdc
href: policy-csp-admx-kdc.md
- name: ADMX_Kerberos
@ -509,8 +515,12 @@ items:
href: policy-csp-admx-lanmanserver.md
- name: ADMX_LanmanWorkstation
href: policy-csp-admx-lanmanworkstation.md
- name: ADMX_LeakDiagnostic
href: policy-csp-admx-leakdiagnostic.md
- name: ADMX_LinkLayerTopologyDiscovery
href: policy-csp-admx-linklayertopologydiscovery.md
- name: ADMX_LocationProviderAdm
href: policy-csp-admx-locationprovideradm.md
- name: ADMX_Logon
href: policy-csp-admx-logon.md
- name: ADMX_MicrosoftDefenderAntivirus
@ -709,6 +719,8 @@ items:
href: policy-csp-experience.md
- name: ExploitGuard
href: policy-csp-exploitguard.md
- name: Feeds
href: policy-csp-feeds.md
- name: FileExplorer
href: policy-csp-fileexplorer.md
- name: Games

4
windows/client-management/mdm/vpnv2-csp.md
View File

@ -9,7 +9,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 10/30/2020
ms.date: 09/21/2021
---
# VPNv2 CSP
@ -591,7 +591,7 @@ Valid values:
- True = Register the connection's addresses in DNS.
<a href="" id="vpnv2-profilename-dnssuffix"></a>**VPNv2/**<em>ProfileName</em>**/DnsSuffix**
Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Windows has a limit of 50 DNS suffixes that can be set. Windows name resolution will apply each suffix in order. Long DNS suffix lists may impact performance.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.

49
windows/configuration/customize-start-menu-layout-windows-11.md
View File

@ -1,6 +1,6 @@
---
title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs
description: Export Start layout to LayoutModification.json with pinned apps, add or remove pinned apps, and use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
ms.assetid:
manager: dougeby
ms.author: mandia
@ -10,7 +10,6 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
author: MandiOhlinger
ms.date: 09/14/2021
ms.localizationpriority: medium
---
@ -28,7 +27,7 @@ For example, you can override the default set of apps with your own a set of pin
To add apps you want pinned to the Start menu, you use a JSON file. In previous Windows versions, IT administrators used an XML file to customize the Start menu. The XML file isn't available on Windows 11 and later ***unless*** [you're an OEM](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
This article shows you how to export an existing Start menu layout, and use the JSON in a Microsoft Intune MDM policy.
This article shows you how to export an existing Start menu layout, and use the JSON in a Microsoft Endpoint Manager policy.
## Before you begin
@ -52,12 +51,29 @@ Start has the following areas:
- **Pinned**: Shows pinned apps, or a subset of all of the apps installed on the device. You can create a list of pinned apps you want on the devices using the **ConfigureStartPins** policy. **ConfigureStartPins** overrides the entire layout, which also removes apps that are pinned by default.
This article shows you how to use the **ConfigureStartPins** policy.
This article shows you [how to use the **ConfigureStartPins** policy](#get-the-pinnedlist-json).
- **All apps**: Users select this option to see an alphabetical list of all the apps on the device. This section can't be customized using the JSON file. You can use the `Start/ShowOrHideMostUsedApps` CSP, which is a policy to configure the "Most used" section at the top of the all apps list.
- **Recommended**: Shows recently opened files and recently installed apps. This section can't be customized using the JSON file. To prevent files from showing in this section, you can use the [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists). This CSP also hides recent files that show from the taskbar.
- **All apps**: Users select this option to see an alphabetical list of all the apps on the device. This section can't be customized using the JSON file.
You can use an MDM provider, like Microsoft Intune, to manage the [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) on your devices. For more information on the Start menu settings you can configure in a Microsoft Intune policy, see [Windows 10 (and later) device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10#start).
The [Start/HideFrequentlyUsedApps CSP](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) exposes settings that configure the "Most used" section, which is at the top of the all apps list.
In **Endpoint Manager**, you can configure this Start menu layout feature, and more. For more information on the Start menu settings you can configure in an Endpoint Manager policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start).
In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices:
- `Computer Configuration\Administrative Templates\Start Menu and Taskbar`
- `User Configuration\Administrative Templates\Start Menu and Taskbar`
- **Recommended**: Shows recently opened files and recently installed apps. This section can't be customized using the JSON file.
The [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) exposes settings that prevent files from showing in this section. This CSP also hides recent files that show from the taskbar.
In **Endpoint Manager**, you can configure this feature, and more. For more information on the Start menu settings you can configure in an Endpoint Manager policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start).
In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices:
- `Computer Configuration\Administrative Templates\Start Menu and Taskbar`
- `User Configuration\Administrative Templates\Start Menu and Taskbar`
## Create the JSON file
@ -111,13 +127,13 @@ If you're familiar with creating JSON files, you can create your own `LayoutModi
Now that you have the JSON syntax, you're ready to deploy your customized Start layout to devices in your organization.
MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list.
MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Endpoint Manager, you can deploy a policy that configures the pinned list.
This section shows you how to create a pinned list policy in Microsoft Intune. There isn't a Group Policy to create a pinned list.
This section shows you how to create a pinned list policy in Endpoint Manager. There isn't a Group Policy to create a pinned list.
### Create a pinned list using a Microsoft Intune policy
### Create a pinned list using an Endpoint Manager policy
To deploy this policy in Microsoft Intune, the devices must be enrolled in Microsoft Intune, and managed by your organization. For more information, see [What is device enrollment in Intune?](/mem/intune/enrollment/device-enrollment).
To deploy this policy, the devices must be enrolled, and managed by your organization. For more information, see [What is device enrollment?](/mem/intune/enrollment/device-enrollment).
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
@ -157,13 +173,12 @@ To deploy this policy in Microsoft Intune, the devices must be enrolled in Micro
:::image type="content" source="./images/customize-start-menu-layout-windows-11/endpoint-manager-admin-center-custom-oma-uri-start-layout.png" alt-text="Custom OMA-URI settings to customize Start menu layout using pinnedList":::
8. Select **Save** > **Next** to save your changes.
9. Configure the rest of the policy settings. For more specific information, see [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure).
9. Configure the rest of the policy settings. For more specific information, see [Create a profile with custom settings](/mem/intune/configuration/custom-settings-configure).
The Windows OS has many CSPs that apply to the Start menu. Using an MDM provider, like Intune, you can use these CSPs to customize Start even more. For a list, see [Supported CSP policies for Windows 11 Start menu](supported-csp-start-menu-layout-windows.md).
The Windows OS exposes many CSPs that apply to the Start menu. For a list, see [Supported CSP policies for Windows 11 Start menu](supported-csp-start-menu-layout-windows.md).
### Deploy the policy using Microsoft Intune
### Deploy the policy using Endpoint Manager
When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized Start layout, the policy can be deployed before users sign in the first time.
For more information on assigning policies using Microsoft Intune, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).
When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized Start layout, the policy can be deployed anytime, including before users sign in the first time.
For more information and guidance on assigning policies to devices in your organization, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).

37
windows/deployment/update/deployment-service-overview.md
View File

@ -16,7 +16,10 @@ ms.topic: article
# Windows Update for Business deployment service
> Applies to: Windows 10
**Applies to**
- Windows 10
- Windows 11
The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. It's designed to work in harmony with your existing Windows Update for Business policies.
@ -56,18 +59,18 @@ The deployment service exposes these capabilities through Microsoft [Graph REST
To work with the deployment service, devices must meet all these requirements:
- Be running Windows 10, version 1709 or later
- Be running Windows 10, version 1709 or later (or Windows 11)
- Be joined to Azure Active Directory (AD) or Hybrid AD
- Have one of the following Windows 10 editions installed:
- Windows 10 Pro
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro Education
- Windows 10 Pro for Workstations
- Have one of the following Windows 10 or Windows 11 editions installed:
- Pro
- Enterprise
- Education
- Pro Education
- Pro for Workstations
Additionally, your organization must have one of the following subscriptions:
- Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows Virtual Desktop Access E3 or E5
- Microsoft 365 Business Premium
@ -78,7 +81,7 @@ To use the deployment service, you use a management tool built on the platform,
### Using Microsoft Endpoint Manager
Microsoft Endpoint Manager integrates with the deployment service to provide Windows 10 update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates).
Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates).
### Scripting common actions using PowerShell
@ -141,18 +144,27 @@ To enroll devices in Windows Update for Business cloud processing, set the **All
Following is an example of setting the policy using Microsoft Endpoint Manager:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Select **Windows 10 and later** in **Platform**, select **Templates** in **Profile type**, select **Custom** in **Template name**, and then select **Create**.
4. In **Basics**, enter a meaningful name and a description for the policy, and then select **Next**.
5. In **Configuration settings**, select **Add**, enter the following settings, select **Save**, and then select **Next**.
- Name: **AllowWUfBCloudProcessing**
- Description: Enter a description.
- OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing`
- Data type: **Integer**
- Value: **8**
6. In **Assignments**, select the groups that will receive the profile, and then select **Next**.
7. In **Review + create**, review your settings, and then select **Create**.
8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**.
8. (Optional) To verify that the policy reached the client, check the value of the following registry entry:
**HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**
## Best practices
Follow these suggestions for the best results with the service.
@ -160,6 +172,7 @@ Follow these suggestions for the best results with the service.
### Device onboarding
- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day).
- Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors.
### General

9
windows/deployment/update/safeguard-holds.md
View File

@ -12,9 +12,14 @@ ms.topic: article
# Safeguard holds
Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
**Applies to**
Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows 10.
- Windows 10
- Windows 11
Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client.
The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices.

216
windows/deployment/update/windows-update-errors.md
View File

@ -7,9 +7,9 @@ audience: itpro
itproauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.reviewer:
ms.reviewer: kaushika
manager: laurawi
ms.topic: article
ms.topic: troubleshooting
ms.custom: seo-marvel-apr2020
---
@ -22,22 +22,198 @@ ms.custom: seo-marvel-apr2020
The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them.
## 0x8024402F
| Error Code | Message | Description | Mitigation |
|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering. <br>Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed |
| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again: <br>Rename the following folders to \*.BAK: <br>- %systemroot%\system32\catroot2 <br><br>Type the following commands at a command prompt. Press ENTER after you type each command.<br>- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak<br>- Ren %systemroot%\SoftwareDistribution\Download \*.bak<br>Ren %systemroot%\system32\catroot2 \*.bak |
| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. |
| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.<br><br>If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). |
| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked: <br> http://<em>.update.microsoft.com<br>https://</em>.update.microsoft.com <br><http://download.windowsupdate.com> <br><br>You can also take a network trace to check what is timing out. \<Refer to Firewall Troubleshooting scenario> |
| 0x80072EFD <br>0x80072EFE<br>0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs. <br>Take a network monitor trace to understand better. \<Refer to Firewall Troubleshooting scenario> |
| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. |
| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. |
| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. |
| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. |
| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). |
| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. |
| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. |
| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.<br><br>Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. |
| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update. <br><br>Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. |
| 0x80070422 | | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.<br> |
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External .cab file processing completed with some errors | This can be caused by the Lightspeed Rocket for web filtering software. <br>Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed Rocket. |
## 0x80242006
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename the software redistribution folder and try to download the updates again: <br>Rename the following folders to \*.BAK: <br>- %systemroot%\system32\catroot2 <br><br>Type the following commands at a command prompt. Press ENTER after you type each command.<br>- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak<br>- Ren %systemroot%\SoftwareDistribution\Download \*.bak<br>- Ren %systemroot%\system32\catroot2 \*.bak |
## 0x80070BC9
| Message | Description | Mitigation |
|---------|-------------|------------|
| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. Restart the system to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. |
## 0x80200053
| Message | Description | Mitigation |
|---------|-------------|------------|
| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update client.<br><br>If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).|
## 0x80072EFD or 0x80072EFEor 0x80D02002
| Message | Description | Mitigation |
|---------|-------------|------------|
| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxies that block Microsoft download URLs. <br>Take a network monitor trace to understand better. \<Refer to Firewall Troubleshooting scenario> |
## 0X8007000D
| Message | Description | Mitigation |
|---------|-------------|------------|
| ERROR_INVALID_DATA | Indicates data that isn't valid was downloaded or corruption occurred.| Attempt to re-download the update and start installation. |
## 0x8024A10A
| Message | Description | Mitigation |
|---------|-------------|------------|
| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity. The system fails to respond, leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the installation. |
## 0x80240020
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_NO_INTERACTIVE_USER | Operation did not complete because no interactive user is signed in. | Sign in to the device to start the installation and allow the device to restart. |
## 0x80242014
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows updates require the device to be restarted. Restart the device to complete update installation. |
## 0x80246017
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).|
## 0x8024000B
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we're unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. |
## 0x8024000E
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_XML_INVALID | Windows Update Agent found information in the update's XML data that isn't valid. | Certain drivers contain additional metadata information in Update.xml, which Orchestrator can interpret as data that isn't valid. Ensure that you have the latest Windows Update Agent installed on the device. |
## 0x8024D009
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the Wuident.cab file. | You might encounter this error when WSUS is not sending the self-update to the clients.<br><br>Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. |
## 0x80244007
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows can't renew the cookies for Windows Update. <br><br>Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. |
## 0x80070422
| Message | Description | Mitigation |
|---------|-------------|------------|
| NA | This issue occurs when the Windows Update service stops working or isn't running. | Check if the Windows Update service is running.<br> |
## 0x800f0821
| Message | Description | Mitigation |
|---------|-------------|------------|
| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires. Extending the timeout will mitigate the issue. Increase the resources on the device. If a virtual machine, increase virtual CPU and memory to speed up operations. Make sure the has installed the update in KB4493473 or later.|
## 0x800f0825
| Message | Description | Mitigation |
|---------|-------------|------------|
| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically this is due component store corruption caused when a component is in a partially installed state. | Repair the component store with the **Dism RestoreHealth** command or manually repair with a payload from the partially installed component. From an elevated command prompt, run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. |
## 0x800F0920
| Message | Description | Mitigation |
|---------|-------------|------------|
| CBS_E_HANG_DETECTED; A failure to respond was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has stopped responding. Extending the timeout will mitigate the issue. Increase the resources on the device. If a virtual machine, increase virtual CPU and memory to speed up operations. Make sure the device has installed the update in KB4493473 or later.|
## 0x800f081f
| Message | Description | Mitigation |
|---------|-------------|------------|
| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair the component store with the **Dism RestoreHealth** command or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. |
## 0x800f0831
| Message | Description | Mitigation |
|---------|-------------|------------|
| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. |
## 0x80070005
| Message | Description | Mitigation |
|---------|-------------|------------|
| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an access was denied.<br> Go to %Windir%\logs\CBS, open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be acess denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed. |
## 0x80070570
| Message | Description | Mitigation |
|---------|-------------|------------|
| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device.|
## 0x80070003
| Message | Description | Mitigation |
|---------|-------------|------------|
| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS, open the last CBS.log, and search for “, error” and match with the timestamp. |
## 0x80070020
| Message | Description | Mitigation |
|---------|-------------|------------|
| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus. <br> 1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/) <br> 2. Download the sysinternal tool [Process Monitor](/sysinternals/downloads/procmon). <br> 3. Run Procmon.exe. It will start data capture automatically. <br> 4. Install the update package again <br> 5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture. <br> 6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file <br> 7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error <br> 8. In Process Monitor, filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”). <br> 9. Try to stop it or uninstall the process causing the error. |
## 0x80073701
| Message | Description | Mitigation |
|---------|-------------|------------|
| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically, a component store corruption caused when a component is in a partially installed state. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. |
## 0x8007371b
| Message | Description | Mitigation |
|---------|-------------|------------|
| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. |
## 0x80072EFE
| Message | Description | Mitigation |
|---------|-------------|------------|
| WININET_E_CONNECTION_ABORTED; The connection with the server was closed abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking or downloading updates.<br> From a cmd prompt run: *BITSADMIN /LIST /ALLUSERS /VERBOSE* <br> Search for the 0x80072EFE error code. You should see a reference to an HTTP code with a specific file. Using a browser, try to download it manually, making sure youre using your organization's proxy settings. If the download fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. |
## 0x80072F8F
| Message | Description | Mitigation |
|---------|-------------|------------|
| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client. | This error generally means that the Windows Update Agent was unable to decode the received content. Install and configure TLS 1.2 by installing the update in [KB3140245](https://support.microsoft.com/help/3140245/).
## 0x80072EE2
| Message | Description | Mitigation |
|---------|-------------|------------|
| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager. <br> Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/mem/configmgr/troubleshoot-software-update-scan-failures). <br> If youre using the public Microsoft update servers, check that your device can access the following Windows Update endpoints: <br> `http://windowsupdate.microsoft.com` <br> https://*.windowsupdate.microsoft.com <br> https://*.windowsupdate.microsoft.com <br> https://*.update.microsoft.com <br> https://*.update.microsoft.com <br> https://*.windowsupdate.com <br> https://download.windowsupdate.com <br> https://download.microsoft.com <br> https://*.download.windowsupdate.com <br> https://wustat.windows.com <br> https://ntservicepack.microsoft.com |
## 0x80240022
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is that antivirus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. |
## 0x8024401B
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own update source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager, due to a proxy error. <br> Verify the proxy settings on the client. The Windows Update Agent uses WinHTTP to scan for available updates. When there is a proxy server between the client and the update source, the proxy settings must be configured correctly on the clients to enable them to communicate by using the source's FQDN. <br> Check with your network and proxy teams to confirm that the device can the update source without the proxy requiring user authentication. |
## 0x80244022
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network and proxy teams to confirm that the device can the update source without the proxy requiring user authentication. |

11
windows/security/identity-protection/access-control/active-directory-security-groups.md
View File

@ -1,5 +1,5 @@
---
title: Active Directory Security Groups (Windows 10)
title: Active Directory Security Groups
description: Active Directory Security Groups
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,14 +12,15 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 09/21/2021
ms.reviewer:
---
# Active Directory Security Groups
**Applies to**
- Windows Server 2016
- Windows Server 2016 or later
- Windows 10 or later
This reference topic for the IT professional describes the default Active Directory security groups.
@ -1489,7 +1490,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-&lt;domain&gt;-512</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-512</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
@ -1885,7 +1886,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-498</p></td>
<td><p>S-1-5-21-&lt;root domain&gt;-498</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>

18
windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
View File

@ -15,31 +15,31 @@ localizationpriority: medium
ms.date: 02/15/2019
ms.reviewer:
---
# WebAuthn APIs for password-less authentication on Windows 10
# WebAuthn APIs for password-less authentication on Windows
### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can leverage password-less authentication.
### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can use password-less authentication.
Microsoft has long been a proponent to do away with passwords.
While working towards that goal, we'd like to introduce you to the latest Windows 10 (version 1903) W3C/FIDO2 Win32 WebAuthn platform APIs!
These APIs allow Microsoft developer partners and the developer community to leverage Windows Hello and FIDO2 security keys
as a password-less authentication mechanism for their applications on Windows 10 devices.
These APIs allow Microsoft developer partners and the developer community to use Windows Hello and FIDO2 security keys
as a password-less authentication mechanism for their applications on Windows devices.
#### What does this mean?
This opens opportunities for developers or relying parties (RPs) to enable password-less authentication.
They can now leverage [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md)
This opens opportunities for developers or relying parties (RPs') to enable password-less authentication.
They can now use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md)
as a password-less multi-factor credential for authentication.
<br>
Users of these sites can use any browser that supports WebAuthn Windows 10 APIs for password-less authentication
and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs site!
and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs' site!
<br> <br>
The native Windows 10 WebAuthn APIs are currently supported by Microsoft Edge on Windows 10 1809 or later
and latest versions of other browsers.
<br> <br>
Developers of FIDO2 authentication keys should use the new Windows 10 APIs, to enable these scenarios in a consistent way for users.
Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC and BLE
Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC, and BLE
without having to deal with the interaction and management overhead.
This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO related messaging.
This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO-related messaging.
#### Where can developers learn more?
The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn)

23
windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
View File

@ -1,6 +1,6 @@
---
title: Multi-factor Unlock
description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals.
description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
ms.prod: w10
ms.mktglfcycl: deploy
@ -19,17 +19,19 @@ ms.reviewer:
# Multi-factor Unlock
**Applies to:**
- Windows 10
- Windows 11
**Requirements:**
* Windows Hello for Business deployment (Hybrid or On-premises)
* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
* Windows 10, version 1709 or newer
* Windows 10, version 1709 or newer, or Windows 11
* Bluetooth, Bluetooth capable phone - optional
Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices.
Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices.
Which organizations can take advantage of Multi-factor unlock? Those who:
* Have expressed that PINs alone do not meet their security needs.
@ -92,13 +94,13 @@ You represent signal rules in XML. Each signal rule has an starting and ending
```
### Signal element
Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.
Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 or later supports the **ipConfig** and **bluetooth** type values.
|Attribute|Value|
|---------|-----|
| type| "bluetooth" or "ipConfig" (Windows 10, version 1709)|
| type| "wifi" (Windows 10, version 1803)
| type| "bluetooth" or "ipConfig" (Windows 10, version 1709) or later|
| type| "wifi" (Windows 10, version 1803 or later)
#### Bluetooth
You define the bluetooth signal with additional attributes in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>".
@ -133,7 +135,7 @@ The **classofDevice** attribute defaults to Phone and uses the values from the f
|Health|2304|
|Uncategorized|7936|
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
@ -220,7 +222,7 @@ The fully qualified domain name of your organization's internal DNS suffix where
#### Wi-Fi
**Applies to:**
- Windows 10, version 1803
- Windows 10, version 1803 or later
You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements.
@ -322,7 +324,7 @@ This example configures the same as example 2 using compounding And elements. T
```
#### Example 4
This example configures Wi-Fi as a trusted signal (Windows 10, version 1803)
This example configures Wi-Fi as a trusted signal (Windows 10, version 1803 or later)
```xml
<rule schemaVersion="1.0">
@ -343,11 +345,10 @@ This example configures Wi-Fi as a trusted signal (Windows 10, version 1803)
### How to configure Multifactor Unlock policy settings
You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709.
You need at least a Windows 10, version 1709 or later workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1709 or later.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
### Create the Multifactor Unlock Group Policy object
The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed.

4
windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
View File

@ -1,6 +1,6 @@
---
title: Azure Active Directory join cloud only deployment
description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 device.
description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device.
keywords: identity, Hello, Active Directory, cloud,
ms.prod: w10
ms.mktglfcycl: deploy
@ -20,7 +20,7 @@ ms.reviewer:
## Introduction
When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.

4
windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
View File

@ -20,7 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 10, version 1703 or later, or Windows 11
- Windows Server, versions 2016 or later
- Hybrid or On-Premises deployment
- Key trust
@ -32,7 +32,7 @@ ms.reviewer:
How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 and above includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged.
Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 or later domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers and above. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller.
Windows 10 or Windows 11 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 or later domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers and above. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller.
Determining an adequate number of Windows Server domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding a domain controller that supports public key mapping (in this case Windows Server 2016 or later) to a deployment of existing domain controllers which do not support public key mapping (Windows Server 2008R2, Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario:

4
windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
View File

@ -1,5 +1,5 @@
---
title: Windows Hello and password changes (Windows 10)
title: Windows Hello and password changes (Windows)
description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55
ms.reviewer:
@ -19,7 +19,9 @@ ms.date: 07/27/2017
# Windows Hello and password changes
**Applies to**
- Windows 10
- Windows 11
When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.

4
windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
View File

@ -1,5 +1,5 @@
---
title: Windows Hello biometrics in the enterprise (Windows 10)
title: Windows Hello biometrics in the enterprise (Windows)
description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc
ms.reviewer:
@ -21,7 +21,9 @@ ms.date: 01/12/2021
# Windows Hello biometrics in the enterprise
**Applies to:**
- Windows 10
- Windows 11
Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.

11
windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
View File

@ -1,6 +1,6 @@
---
title: Prepare & Deploy Windows AD FS certificate trust (Windows Hello for Business)
description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business)
description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
@ -16,11 +16,12 @@ localizationpriority: medium
ms.date: 01/14/2021
ms.reviewer:
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Certificate trust
@ -123,7 +124,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
8. Click **Next** on the **Active Directory Federation Service** page.
9. Click **Install** to start the role installation.
## Review
## Review & validate
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
@ -265,7 +266,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Th
3. In the details pane, click **Configure Device Registration**.
4. In the **Configure Device Registration** dialog, click **OK**.
## Review
## Review to validate
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
* Confirm you followed the correct procedures based on the domain controllers used in your deployment.

12
windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
View File

@ -16,15 +16,17 @@ localizationpriority: medium
ms.date: 08/20/2018
ms.reviewer:
---
# Configure Windows Hello for Business Policy settings
# Configure Windows Hello for Business Policy settings - Certificate Trust
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Certificate trust
You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings:
* Enable Windows Hello for Business
@ -116,9 +118,9 @@ The default Windows Hello for Business enables users to enroll and use biometric
### PIN Complexity
PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
* Require digits
* Require lowercase letters
* Maximum PIN length

5
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
View File

@ -16,14 +16,15 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Validate Active Directory prerequisites
# Validate Active Directory prerequisites for cert-trust deployment
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Certificate trust
The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps.
Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\<drive>:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role.

7
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
View File

@ -16,19 +16,20 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Validate and Deploy Multi-factor Authentication (MFA)
# Validate and Deploy Multifactor Authentication (MFA)
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Certificate trust
Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
Windows Hello for Business requires all users perform multifactor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
## Follow the Windows Hello for Business on premises certificate trust deployment guide
1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)

6
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
View File

@ -16,10 +16,12 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Validate and Configure Public Key Infrastructure
# Validate and Configure Public Key Infrastructure - Certificate Trust Model
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Certificate trust
@ -94,7 +96,7 @@ The certificate template is configured to supersede all the certificate template
### Configure an Internal Web Server Certificate template
Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
Windows 10 or Windows 11 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.

1
windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Certificate trust

3
windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
View File

@ -21,6 +21,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
@ -41,7 +42,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme
- Proper name resolution, both internal and external names
- Active Directory and an adequate number of domain controllers per site to support authentication
- Active Directory Certificate Services 2012 or later
- One or more workstation computers running Windows 10, version 1703
- One or more workstation computers running Windows 10, version 1703 or later
If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.

5
windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
View File

@ -27,14 +27,15 @@ Applies to:
- Azure AD joined deployments
- Windows 10, version 1803 and later
- Windows 11
PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will shows a page with the error message "We can't open that page right now".
### Identifying Azure AD joined PIN Reset Allowed Domains Issue
The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multi-factor authentication.
The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multifactor authentication.
In federated environments authentication may be configured to route to AD FS or a third party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list.
In federated environments authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list.
If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allowlist. This results in "We can't open that page right now".

1
windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust

1
windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
View File

@ -22,6 +22,7 @@ ms.reviewer:
**Applies To**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust

4
windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
View File

@ -1,5 +1,5 @@
---
title: Windows Hello errors during PIN creation (Windows 10)
title: Windows Hello errors during PIN creation (Windows)
description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step.
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
ms.reviewer:
@ -21,7 +21,9 @@ ms.date: 05/05/2018
# Windows Hello errors during PIN creation
**Applies to**
- Windows 10
- Windows 11
When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.

8
windows/security/identity-protection/hello-for-business/hello-event-300.md
View File

@ -1,5 +1,5 @@
---
title: Event ID 300 - Windows Hello successfully created (Windows 10)
title: Event ID 300 - Windows Hello successfully created (Windows)
description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04
ms.reviewer:
@ -21,19 +21,21 @@ ms.date: 07/27/2017
# Event ID 300 - Windows Hello successfully created
**Applies to**
- Windows 10
- Windows 11
This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.
## Event details
| **Product:** | Windows 10 operating system |
| **Product:** | Windows 10 or Windows 11 operating system |
|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Log:** | Event Viewer > Applications and Service Logs\Microsoft\Windows\User Device Registration\Admin |
| **ID:** | 300 |
| **Source:** | Microsoft Azure Device Registration Service |
| **Version:** | 10 |
| **Version:** | 10 or 11 |
| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da.</br>Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} |
## Resolve

10
windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
View File

@ -23,7 +23,7 @@ ms.reviewer:
* Hybrid and On-premises Windows Hello for Business deployments
* Enterprise joined or Hybrid Azure joined devices
* Windows 10, version 1709
* Windows 10, version 1709 or later
* Certificate trust
> [!NOTE]
@ -34,12 +34,12 @@ ms.reviewer:
Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.
By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
By design, Windows does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
With this setting, administrative users can sign in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
With this setting, administrative users can sign in to Windows 10, version 1709 or later using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
> [!IMPORTANT]
> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
> You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
## Configure Windows Hello for Business Dual Enrollment
@ -69,7 +69,7 @@ where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and
### Configuring Dual Enrollment using Group Policy
You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object.
You configure Windows 10 or Windows 11 to support dual enrollment using the computer configuration portion of a Group Policy object.
1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
2. Edit the Group Policy object from step 1.

8
windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
View File

@ -1,6 +1,6 @@
---
title: Dynamic lock
description: Learn how to set Dynamic lock on Windows 10 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
ms.prod: w10
ms.mktglfcycl: deploy
@ -21,9 +21,9 @@ ms.reviewer:
**Requirements:**
* Windows 10, version 1703
* Windows 10, version 1703 or later
Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**.
@ -54,7 +54,7 @@ For this policy setting, the **type** and **scenario** attribute values are stat
|Health|2304|
|Uncategorized|7936|
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.

6
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -22,6 +22,7 @@ ms.reviewer:
**Applies to:**
- Windows 10, version 1709 or later
- Windows 11
Windows Hello for Business provides the capability for users to reset forgotten PINs using the "I forgot my PIN link" from the Sign-in options page in Settings or from above the lock screen. User's are required to authenticate and complete multifactor authentication to reset their PIN.
@ -81,7 +82,7 @@ Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch
When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multifactor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory.
Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
>[!IMPORTANT]
> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer.
@ -114,7 +115,7 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
### Configure Windows devices to use PIN reset using Group Policy
You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
You can configure Windows to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
1. Edit the Group Policy object from Step 1.
@ -188,6 +189,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta
**Applies to:**
- Windows 10, version 1803 or later
- Windows 11
- Azure AD joined
The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset.

7
windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
View File

@ -22,6 +22,7 @@ ms.reviewer:
**Requirements**
- Windows 10
- Windows 11
- Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
@ -36,9 +37,9 @@ Microsoft continues to investigate supporting using keys trust for supplied cred
- Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
- Biometric enrollments
- Windows 10, version 1809
- Windows 10, version 1809 or later
Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.
Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 or later introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.
### How does it work
@ -48,7 +49,7 @@ A certificate on a smart card starts with creating an asymmetric key pair using
This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN.
Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 or later no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows to prompt the user for their biometric gesture or PIN.
### Compatibility

2
windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
View File

@ -18,7 +18,9 @@ ms.reviewer:
# Windows Hello for Business and Authentication
**Applies to:**
- Windows 10
- Windows 11
Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.<br>
Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.<br>

7
windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
View File

@ -16,9 +16,10 @@ ms.date: 08/19/2018
ms.reviewer:
---
# Windows Hello for Business Provisioning
<span id="windows-hello-for-business-provisioning" />
<b>Applies to:</b>
**Applies to:**
- Windows 10
- Windows 11
Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on:
- How the device is joined to Azure Active Directory
@ -48,7 +49,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
## Azure AD joined provisioning in a Federated environment
![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-federated.png)
![Azure AD joined provisioning in Managed environment.](images/howitworks/prov-aadj-federated.png)
| Phase | Description |
| :----: | :----------- |

19
windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
View File

@ -19,6 +19,7 @@ ms.reviewer:
**Applies to:**
- Windows 10
- Windows 11
- [Attestation Identity Keys](#attestation-identity-keys)
- [Azure AD Joined](#azure-ad-joined)
@ -44,15 +45,15 @@ ms.reviewer:
<hr>
## Attestation Identity Keys
Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
> [!NOTE]
> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
> The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device.
Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device.
Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate.
@ -102,7 +103,7 @@ The Windows Hello for Business Cloud deployment is exclusively for organizations
[Return to Top](hello-how-it-works-technology.md)
## Cloud Experience Host
In Windows 10, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
In Windows 10 and Windows 11, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
### Related topics
[Windows Hello for Business](./hello-identity-verification.md), [Managed Windows Hello in Organization](./hello-manage-in-organization.md)
@ -138,7 +139,7 @@ The endorsement key is often accompanied by one or two digital certificates:
- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.
For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11.
### Related topics
[Attestation Identity Keys](#attestation-identity-keys), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)
@ -279,15 +280,15 @@ The trust type determines how a user authenticates to the Active Directory to ac
A Trusted Platform Module (TPM) is a hardware component that provides unique security features.<br>
Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
Windows leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other:
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](../../information-protection/tpm/tpm-recommendations.md).
Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../information-protection/tpm/tpm-recommendations.md).
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0.
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:

9
windows/security/identity-protection/hello-for-business/hello-how-it-works.md
View File

@ -15,11 +15,12 @@ localizationpriority: medium
ms.date: 05/05/2018
ms.reviewer:
---
# How Windows Hello for Business works
# How Windows Hello for Business works in Windows Devices
**Applies to**
- Windows 10
- Windows 11
Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
@ -34,7 +35,7 @@ Windows Hello for Business is a distributed system that uses several components
Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
For more information read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works).
For more information, read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works).
### Provisioning
@ -44,11 +45,11 @@ Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business pr
> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
For more information read [how provisioning works](hello-how-it-works-provisioning.md).
For more information, read [how provisioning works](hello-how-it-works-provisioning.md).
### Authentication
With the device registered and provisioning complete, users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
With the device registered and provisioning complete, users can sign-in to Windows using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.

14
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
View File

@ -21,6 +21,7 @@ ms.reviewer:
**Applies to**
- Windows 10
- Windows 11
- Azure Active Directory joined
- Hybrid Deployment
- Key trust model
@ -50,7 +51,7 @@ You can use the **dsregcmd.exe** command to determine if your device is register
### CRL Distribution Point (CDP)
Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. During certificate validation, Windows 10 consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid.
Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. During certificate validation, Windows consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid.
![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png)
@ -75,7 +76,7 @@ Certificate authorities write CRL distribution points in certificates as they ar
#### Why does Windows need to validate the domain controller certificate?
Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met:
Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
- The domain controller has the private key for the certificate provided.
- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**.
@ -212,7 +213,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
4. On the **Extensions** tab, click **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (do not forget the trailing backwards slash).
5. Select **\<CaName>** from the **Variable** list and click **Insert**. Select **\<CRLNameSuffix>** from the **Variable** list and click **Insert**. Select **\<DeltaCRLAllowed>** from the **Variable** list and click **Insert**.
6. Type **.crl** at the end of the text in **Location**. Click **OK**.
7. Select the CDP you just created.
7. Select the CDP you just created. <br/>
![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png)
8. Select **Publish CRLs to this location**.
9. Select **Publish Delta CRLs to this location**.
@ -261,7 +262,6 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Click **OK**.</br>
![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)
## Configure and Assign a Trusted Certificate Device Configuration Profile
Your domain controllers have new certificate that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD joined devices. Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD joined devices do not trust domain controller certificates and authentication fails.
@ -281,7 +281,7 @@ Steps you will perform include:
![Details tab and copy to file.](images/aadj/certlm-root-cert-details-tab.png)
6. In the **Certificate Export Wizard**, click **Next**.
7. On the **Export File Format** page of the wizard, click **Next**.
8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box.
8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box. <br>
![Export root certificate.](images/aadj/certlm-export-root-certificate.png)
9. Click **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**.
@ -315,7 +315,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys.
8. Enter the desired **Minimum PIN length** and **Maximum PIN length**.
> [!IMPORTANT]
> The default minimum PIN length for Windows Hello for Business on Windows 10 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six.
> The default minimum PIN length for Windows Hello for Business on Windows 10 and Windows 11 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six.
9. Select the appropriate configuration for the following settings:
* **Lowercase letters in PIN**
@ -325,7 +325,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
* **Remember PIN history**
> [!NOTE]
> The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
> The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**.
11. Select **No** to **Allow phone sign-in**. This feature has been deprecated.

26
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -20,7 +20,9 @@ ms.reviewer:
# Using Certificates for AADJ On-premises Single-sign On
**Applies to:**
- Windows 10
- Windows 11
- Azure Active Directory joined
- Hybrid Deployment
- Certificate trust
@ -45,7 +47,7 @@ You need to install and configure additional infrastructure to provide Azure AD
- An existing Windows Server 2012 R2 or later Enterprise Certificate Authority
- A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role
### High Availaibilty
### High Availability
The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority.
The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion).
@ -205,7 +207,7 @@ Sign-in to the issuing certificate authority or management workstations with _Do
10. Click on the **Apply** to save changes and close the console.
### Create an Azure AD joined Windows Hello for Business authentication certificate template
During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
During Windows Hello for Business provisioning, Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
@ -321,7 +323,7 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
3. Select **Trust this user for delegation to specified services only**.
4. Select **Use any authentication protocol**.
5. Click **Add**.
6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**.
6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **HOST**. Click **OK**.
![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**.
@ -414,11 +416,11 @@ Sign-in a workstation with access equivalent to a _domain user_.
6. Start **AADApplicationProxyConnectorInstaller.exe**.
7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**.
![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-01.png)
![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png)
8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-02.png)
![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png)
9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**.
![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-03.png)
![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png)
10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.
#### Create a Connector Group
@ -478,12 +480,12 @@ Sign-in the NDES server with access equivalent to _local administrator_.
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
![NDES IIS Console.](images/aadjcert/ndes-iis-console.png)
![NDES IIS Console](images/aadjcert/ndes-iis-console.png)
3. Click **Bindings...*** under **Actions**. Click **Add**.
![NDES IIS Console.](images/aadjcert/ndes-iis-bindings.png)
![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png)
4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**.
![NDES IIS Console.](images/aadjcert/ndes-iis-bindings-add-443.png)
![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png)
6. Select **http** from the **Site Bindings** list. Click **Remove**.
7. Click **Close** on the **Site Bindings** dialog box.
8. Close **Internet Information Services (IIS) Manager**.
@ -507,12 +509,12 @@ Sign-in the NDES server with access equivalent to _local administrator_.
```
where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source.
![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01.png)
![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png)
Confirm the web site uses the server authentication certificate.
![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01-show-cert.png)
![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png)
## Configure Network Device Enrollment Services to work with Microsoft Intune

1
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10
- Windows 11
- Azure Active Directory joined
- Hybrid deployment

3
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
View File

@ -1,6 +1,6 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business)
description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust depoyments rely on.
description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on.
keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: w10
ms.mktglfcycl: deploy
@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust

86
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
View File

@ -20,10 +20,10 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust
Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.
> [!IMPORTANT]
@ -33,15 +33,17 @@ Your environment is federated and you are ready to configure device registration
>Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration.
Use this three-phased approach for configuring device registration.
1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization)
3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices)
> [!NOTE]
> Before proceeding, you should familiarize yourself with device registration concepts such as:
> * Azure AD registered devices
> * Azure AD joined devices
> * Hybrid Azure AD joined devices
>
> - Azure AD registered devices
> - Azure AD joined devices
> - Hybrid Azure AD joined devices
>
> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction)
@ -49,6 +51,7 @@ Use this three-phased approach for configuring device registration.
> To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594).
## Configure Azure for Device Registration
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal)
@ -91,8 +94,8 @@ Sign-in to the domain controller hosting the schema master operational role usin
> [!NOTE]
> If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured.
### Setup Active Directory Federation Services
If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service.
Review the [AD FS Design guide](/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service.
@ -103,28 +106,27 @@ Once you have your AD FS design ready, review [Deploying a Federation Server far
The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
#### ADFS Web Proxy ###
Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network.
Use the [Setting of a Federation Proxy](/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment.
### Deploy Azure AD Connect
Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771).
When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**.
### Create AD objects for AD FS Device Authentication
If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.
![Device Registration.](images/hybridct/device1.png)
If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.
![Device Registration: AD FS](images/hybridct/device1.png)
> [!NOTE]
> The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1.
1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**.
![Device Registration.](images/hybridct/device2.png)
![Device Registration: Overview](images/hybridct/device2.png)
2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands:
`Import-module activedirectory`
`PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "<your service account>"`
3. On the pop-up window click **Yes**.
@ -132,22 +134,21 @@ If your AD FS farm is not already configured for Device Authentication (you can
> [!NOTE]
> If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$"
![Device Registration.](images/hybridct/device3.png)
![Device Registration: Domain](images/hybridct/device3.png)
The above PSH creates the following objects:
- RegisteredDevices container under the AD domain partition
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration
![Device Registration.](images/hybridct/device4.png)
![Device Registration: Tests](images/hybridct/device4.png) <br>
4. Once this is done, you will see a successful completion message.
![Device Registration.](images/hybridct/device5.png)
![Device Registration: Completion](images/hybridct/device5.png)
### Create Service Connection Point (SCP) in Active Directory
If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS
If you plan to use Windows domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS
1. Open Windows PowerShell and execute the following:
`PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"`
@ -155,21 +156,19 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure
> [!NOTE]
> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep
![Device Registration.](images/hybridct/device6.png)
![Device Registration AdPrep](images/hybridct/device6.png)
2. Provide your Azure AD global administrator credentials
`PS C:>$aadAdminCred = Get-Credential`
![Device Registration.](images/hybridct/device7.png)
![Device Registration: Credential](images/hybridct/device7.png)
3. Run the following PowerShell command
`PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred`
Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory.
The above commands enable Windows 10 clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS.
The above commands enable Windows clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS.
### Prepare AD for Device Write Back
To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the following.
@ -186,6 +185,7 @@ The above command creates the following objects for device write back to AD DS,
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
### Enable Device Write Back in Azure AD Connect
If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets
## Configure AD FS to use Azure registered devices
@ -212,17 +212,17 @@ When you're using AD FS, you need to enable the following WS-Trust endpoints:
The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises.
* `http://schemas.microsoft.com/ws/2012/01/accounttype`
* `http://schemas.microsoft.com/identity/claims/onpremobjectguid`
* `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`
- `http://schemas.microsoft.com/ws/2012/01/accounttype`
- `http://schemas.microsoft.com/identity/claims/onpremobjectguid`
- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`
If you have more than one verified domain name, you need to provide the following claim for computers:
* `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`
- `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`
If you are already issuing an ImmutableID claim (e.g., alternate login ID) you need to provide one corresponding claim for computers:
* `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`
- `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`
In the following sections, you find information about:
@ -238,6 +238,8 @@ The definition helps you to verify whether the values are present or if you need
**`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this:
```powershell
@RuleName = "Issue account type for domain-joined computers"
c:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
@ -248,11 +250,14 @@ The definition helps you to verify whether the values are present or if you need
Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value = "DJ"
);
```
#### Issue objectGUID of the computer account on-premises
**`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
```powershell
@RuleName = "Issue object GUID for domain-joined computers"
c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
@ -270,11 +275,14 @@ The definition helps you to verify whether the values are present or if you need
query = ";objectguid;{0}",
param = c2.Value
);
```
#### Issue objectSID of the computer account on-premises
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
```powershell
@RuleName = "Issue objectSID for domain-joined computers"
c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
@ -287,11 +295,14 @@ The definition helps you to verify whether the values are present or if you need
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(claim = c2);
```
#### Issue issuerID for computer when multiple verified domain names in Azure AD
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
```powershell
@RuleName = "Issue account type with the value User when it is not a computer"
NOT EXISTS(
@ -333,7 +344,7 @@ The definition helps you to verify whether the values are present or if you need
Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
Value = "http://<verified-domain-name>/adfs/services/trust/"
);
```
In the claim above,
@ -341,12 +352,14 @@ In the claim above,
- `<verified-domain-name>` is a placeholder you need to replace with one of your verified domain names in Azure AD
For more details about verified domain names, see [Add a custom domain name to Azure Active Directory](/azure/active-directory/active-directory-add-domain).
To get a list of your verified company domains, you can use the [Get-MsolDomain](/powershell/module/msonline/get-msoldomain?view=azureadps-1.0) cmdlet.
To get a list of your verified company domains, you can use the [Get-MsolDomain](/powershell/module/msonline/get-msoldomain?view=azureadps-1.0&preserve-view=true) cmdlet.
#### Issue ImmutableID for computer when one for users exist (e.g. alternate login ID is set)
**`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows:
```powershell
@RuleName = "Issue ImmutableID for computers"
c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
@ -364,11 +377,14 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain]
query = ";objectguid;{0}",
param = c2.Value
);
```
#### Helper script to create the AD FS issuance transform rules
The following script helps you with the creation of the issuance transform rules described above.
```powershell
$multipleVerifiedDomainNames = $false
$immutableIDAlreadyIssuedforUsers = $false
$oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains
@ -487,7 +503,7 @@ The following script helps you with the creation of the issuance transform rules
$crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules
Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString
```
#### Remarks
@ -495,20 +511,21 @@ The following script helps you with the creation of the issuance transform rules
- If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule:
~~~
```Claims Rule Language
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
~~~
```
- If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**.
#### Configure Device Authentication in AD FS
Using an elevated PowerShell command window, configure AD FS policy by executing the following command
`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod SignedToken`
#### Check your configuration
For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work
- object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=&lt;domain&gt;
@ -517,7 +534,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
- Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
- Container Device Registration Service DKM under the above container
![Device Registration.](images/hybridct/device8.png)
![Device Registration: Container](images/hybridct/device8.png)
- object of type serviceConnectionpoint at CN=&lt;guid&gt;, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
- read/write access to the specified AD connector account name on the new object
@ -531,6 +548,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
<hr>
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)

3
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust
@ -56,7 +57,7 @@ Review these requirements and those from the Windows Hello for Business planning
<br>
## Public Key Infrastructure ##
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller.
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows devices to trust the domain controller.
Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AD FS) as a certificate registration authority.

1
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust

3
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
View File

@ -1,6 +1,6 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business)
description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Businesss.
description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
ms.mktglfcycl: deploy
@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust

1
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust

1
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
View File

@ -21,6 +21,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust

3
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
View File

@ -17,10 +17,11 @@ ms.date: 4/30/2021
ms.reviewer:
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization
# Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate Trust

5
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
View File

@ -17,11 +17,12 @@ ms.date: 4/30/2021
ms.reviewer:
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure
# Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid Deployment
- Certificate Trust
@ -164,7 +165,7 @@ Sign-in to a certificate authority or management workstation with *Domain Admin*
### Creating Windows Hello for Business authentication certificate template
During Windows Hello for Business provisioning, a Windows 10 client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it.
During Windows Hello for Business provisioning, a Windows client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it.
Sign-in to a certificate authority or management workstation with _Domain Admin equivalent_ credentials.

11
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
View File

@ -16,18 +16,19 @@ localizationpriority: medium
ms.date: 4/30/2021
ms.reviewer:
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy
# Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust
## Policy Configuration
You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
@ -161,9 +162,9 @@ The default Windows Hello for Business enables users to enroll and use biometric
### PIN Complexity
PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
* Require digits
* Require lowercase letters
* Maximum PIN length

1
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Certificate trust

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust

5
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust
@ -31,7 +32,7 @@ The distributed systems on which these technologies were built involved several
* [Public Key Infrastructure](#public-key-infrastructure)
* [Directory Synchronization](#directory-synchronization)
* [Federation](#federation-with-azure)
* [MultiFactor Authentication](#multifactor-authentication)
* [Multifactor authentication](#multifactor-authentication)
* [Device Registration](#device-registration)
## Directories
@ -61,7 +62,7 @@ Review these requirements and those from the Windows Hello for Business planning
<br>
## Public Key Infrastructure
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller.
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows devices to trust the domain controller.
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
View File

@ -21,6 +21,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
View File

@ -22,6 +22,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid Deployment
- Key trust

15
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
View File

@ -20,20 +20,21 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust
## Policy Configuration
You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate.
Hybrid Azure AD joined devices needs one Group Policy settings:
Hybrid Azure AD joined devices needs one Group Policy setting:
* Enable Windows Hello for Business
### Configure Domain Controllers for Automatic Certificate Enrollment
@ -75,7 +76,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
> [!NOTE]
> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows 10 device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](./hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](./hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
#### Enable Windows Hello for Business
@ -139,12 +140,12 @@ The default Windows Hello for Business enables users to enroll and use biometric
### PIN Complexity
PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
>[!IMPORTANT]
> Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor.
> Starting from Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor.
Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
* Require digits
* Require lowercase letters
* Maximum PIN length

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
View File

@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust

4
windows/security/identity-protection/hello-for-business/hello-identity-verification.md
View File

@ -24,10 +24,10 @@ This article lists the infrastructure requirements for the different deployment
## Cloud Only Deployment
* Windows 10, version 1511 or later
* Windows 10, version 1511 or later, or Windows 11
* Microsoft Azure Account
* Azure Active Directory
* Azure AD Multi-Factor Authentication
* Azure AD Multifactor Authentication
* Modern Management (Intune or supported third-party MDM), *optional*
* Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory

7
windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
View File

@ -16,10 +16,11 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust
@ -101,7 +102,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
8. Click **Next** on the **Active Directory Federation Service** page.
9. Click **Install** to start the role installation.
## Review
## Review to validate
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
* Confirm the AD FS farm uses the correct database configuration.
@ -213,7 +214,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Th
3. In the details pane, click **Configure Device Registration**.
4. In the **Configure Device Registration** dialog, click **OK**.
## Review
## Review and validate
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
* Confirm you followed the correct procedures based on the domain controllers used in your deployment

13
windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
View File

@ -16,16 +16,17 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Configure Windows Hello for Business Policy settings
# Configure Windows Hello for Business Policy settings - Key Trust
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust
You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
@ -35,7 +36,7 @@ On-premises certificate-based deployments of Windows Hello for Business needs on
The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows 10.
If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows.
## Create the Windows Hello for Business Group Policy object
@ -92,9 +93,9 @@ The default Windows Hello for Business enables users to enroll and use biometric
### PIN Complexity
PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
* Require digits
* Require lowercase letters
* Maximum PIN length

3
windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
View File

@ -16,10 +16,11 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Validate Active Directory prerequisites
# Validate Active Directory prerequisites - Key Trust
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust

5
windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
View File

@ -16,14 +16,15 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Validate and Deploy Multi-factor Authentication (MFA)
# Validate and Deploy Multifactor Authentication (MFA)
> [!IMPORTANT]
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust

5
windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
View File

@ -17,10 +17,11 @@ ms.date: 08/19/2018
ms.reviewer:
---
# Validate and Configure Public Key Infrastructure
# Validate and Configure Public Key Infrastructure - Key Trust
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust
@ -114,7 +115,7 @@ The certificate template is configured to supersede all the certificate template
### Configure an Internal Web Server Certificate template
Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
Windows clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.

3
windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
View File

@ -1,5 +1,5 @@
---
title: Manage Windows Hello in your organization (Windows 10)
title: Manage Windows Hello in your organization (Windows)
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8
ms.reviewer:
@ -22,6 +22,7 @@ ms.date: 1/20/2021
**Applies to**
- Windows 10
- Windows 11
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.

7
windows/security/identity-protection/hello-for-business/hello-overview.md
View File

@ -1,7 +1,7 @@
---
title: Windows Hello for Business Overview (Windows 10)
title: Windows Hello for Business Overview (Windows)
ms.reviewer: An overview of Windows Hello for Business
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10.
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
@ -20,6 +20,7 @@ localizationpriority: medium
**Applies to**
- Windows 10
- Windows 11
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
@ -47,7 +48,7 @@ As an administrator in an enterprise or educational organization, you can create
Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials.
- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well.
- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10.
- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10 and Windows 11.
Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md).

7
windows/security/identity-protection/hello-for-business/hello-planning-guide.md
View File

@ -21,6 +21,7 @@ ms.reviewer:
**Applies to**
- Windows 10
- Windows 11
Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
@ -145,7 +146,7 @@ Modern management is an emerging device management paradigm that leverages the c
### Client
Windows Hello for Business is an exclusive Windows 10 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows 10 and introduced support for new scenarios.
Windows Hello for Business is an exclusive Windows 10 and Windows 11 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows and introduced support for new scenarios.
Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update. The client requirement may change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices may require a minimum client running Windows 10, version 1703, also known as the Creators Update.
@ -156,7 +157,7 @@ Hybrid and on-premises deployments include Active Directory as part of their inf
### Public Key Infrastructure
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
### Cloud
@ -267,7 +268,7 @@ If you use modern management for both domain and non-domain joined devices, writ
### Client
Windows Hello for Business is a feature exclusive to Windows 10. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions.
Windows Hello for Business is a feature exclusive to Windows 10 and Windows 11. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions.
If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
> [!NOTE]

3
windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
View File

@ -1,5 +1,5 @@
---
title: Prepare people to use Windows Hello (Windows 10)
title: Prepare people to use Windows Hello (Windows)
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B
ms.reviewer:
@ -22,6 +22,7 @@ ms.date: 08/19/2018
**Applies to**
- Windows 10
- Windows 11
When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.

3
windows/security/identity-protection/hello-for-business/hello-videos.md
View File

@ -1,6 +1,6 @@
---
title: Windows Hello for Business Videos
description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10.
description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
ms.prod: w10
ms.mktglfcycl: deploy
@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10
- Windows 11
## Overview of Windows Hello for Business and Features

3
windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
View File

@ -1,5 +1,5 @@
---
title: Why a PIN is better than a password (Windows 10)
title: Why a PIN is better than a password (Windows)
description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .
ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212
ms.reviewer:
@ -23,6 +23,7 @@ ms.date: 10/23/2017
**Applies to**
- Windows 10
- Windows 11
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.

2
windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
View File

@ -1,6 +1,6 @@
---
title: Microsoft-compatible security key
description: Learn how a Microsoft-compatible security key for Windows 10 is different (and better) than any other FIDO2 security key.
description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key.
keywords: FIDO2, security key, CTAP, Hello, WHFB
ms.prod: w10
ms.mktglfcycl: deploy

8
windows/security/identity-protection/hello-for-business/passwordless-strategy.md
View File

@ -1,6 +1,6 @@
---
title: Passwordless Strategy
description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10.
description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11.
keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
ms.prod: w10
ms.mktglfcycl: deploy
@ -25,7 +25,7 @@ Over the past few years, Microsoft has continued their commitment to enabling a
### 1. Develop a password replacement offering
Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory.
Before you move away from passwords, you need something to replace them. With Windows 10 and Windows 11, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory.
Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
@ -38,7 +38,7 @@ Once the user-visible password surface has been eliminated, your organization ca
- the users never change their password
- the users do not know their password
In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business.
In this world, the user signs in to Windows using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business.
### 4. Eliminate passwords from the identity directory
The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment.
@ -139,7 +139,7 @@ The journey to password freedom is to take each work persona through each step o
After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process.
### Passwordless replacement offering (Step 1)
The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
The first step to password freedom is providing an alternative to passwords. Windows 10 and Windows 11 provide an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
#### Identify test users that represent the targeted work persona
A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process.

4
windows/security/identity-protection/hello-for-business/reset-security-key.md
View File

@ -1,6 +1,6 @@
---
title: Reset-security-key
description: Windows<EFBFBD>10 enables users to sign in to their device using a security key. How to reset a security key
description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key
keywords: FIDO2, security key, CTAP, Microsoft-compatible security key
ms.prod: w10
ms.mktglfcycl: deploy
@ -31,7 +31,7 @@ Follow the instructions in the Settings app and look for specific instructions b
|Security key manufacturer</br> | Reset instructions </br> |
| --- | --- |
|Yubico | **USB:** Remove and re-insert the security key. When the LED on the security key begins flashing, touch the metal contact <br> **NFC:** Tap the security key on the reader <br>|
|Yubico | **USB:** Remove and reinsert the security key. When the LED on the security key begins flashing, touch the metal contact <br> **NFC:** Tap the security key on the reader <br>|
|Feitian | Touch the blinking fingerprint sensor twice to reset the key|
|HID | Tap the card on the reader twice to reset it |

14
windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
View File

@ -1,5 +1,5 @@
---
title: How Windows Hello for Business works (Windows 10)
title: How Windows Hello for Business works (Windows)
description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business.
ms.prod: w10
ms.mktglfcycl: deploy
@ -13,10 +13,12 @@ ms.reviewer:
manager: dansimp
ms.topic: article
---
# How Windows Hello for Business works
# How Windows Hello for Business works in Windows devices
**Applies to**
- Windows 10
- Windows 11
- Windows 10 Mobile
Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
@ -30,15 +32,15 @@ A goal of device registration is to allow a user to open a brand-new device, sec
The registration process works like this:
1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users dont have to do anything extra to enable it.
1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 or Windows 11 device automatically sets up Windows Hello on the device; users dont have to do anything extra to enable it.
2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends.
3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately
The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are:
- A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN.
- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 or Windows 11 device the user has not previously signed in to.
- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 and Windows 11 device the user has not previously signed in to.
When the user has completed this process, Windows Hello generates a new publicprivate key pair on the device. The TPM generates and protects this private key; if the device doesnt have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. Its associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM.
@ -46,7 +48,7 @@ At this point, the user has a PIN gesture defined on the device and an associate
## Whats a container?
Youll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 Hello uses a single container that holds user key material for personal accounts, including key material associated with the users Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
Youll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 or Windows 11 Hello uses a single container that holds user key material for personal accounts, including key material associated with the users Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD.

5
windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
View File

@ -14,15 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
ms.date: 09/06/2021
ms.technology: mde
---
# Advanced security audit policy settings
**Applies to**
- Windows 10
This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:

7
windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
View File

@ -15,13 +15,12 @@ metadata:
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
ms.date: 09/06/2021
ms.technology: mde
title: Advanced security auditing FAQ
summary: |
**Applies to**
- Windows 10
This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.

5
windows/security/threat-protection/auditing/advanced-security-auditing.md
View File

@ -14,15 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
ms.date: 09/6/2021
ms.technology: mde
---
# Advanced security audit policies
**Applies to**
- Windows 10
Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently.
When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.

6
windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
ms.date: 09/06/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# Appendix A: Security monitoring recommendations for many audit events
**Applies to**
- Windows 10
- Windows Server 2016
This document, the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) reference, provides information about individual audit events, and lists them within audit categories and subcategories. However, there are many events for which the following overall recommendations apply. There are links throughout this document from the “Recommendations” sections of the relevant events to this appendix.

5
windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
View File

@ -14,15 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 07/25/2018
ms.date: 09/06/2021
ms.technology: mde
---
# Apply a basic audit policy on a file or folder
**Applies to**
- Windows 10
You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
To complete this procedure, you must be signed in as a member of the built-in Administrators group or have **Manage auditing and security log** rights.

7
windows/security/threat-protection/auditing/audit-account-lockout.md
View File

@ -11,17 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 07/16/2018
ms.date: 09/06/2021
ms.technology: mde
---
# Audit Account Lockout
**Applies to**
- Windows 10
- Windows Server 2016
Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out.

6
windows/security/threat-protection/auditing/audit-application-generated.md
View File

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
ms.date: 09/06/2021
ms.technology: mde
---
# Audit Application Generated
**Applies to**
- Windows 10
- Windows Server 2016
Audit Application Generated generates events for actions related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)).
Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) is very rarely in use and it is deprecated starting from Windows Server 2012.

6
windows/security/threat-protection/auditing/audit-application-group-management.md
View File

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
ms.date: 09/06/2021
ms.technology: mde
---
# Audit Application Group Management
**Applies to**
- Windows 10
- Windows Server 2016
Audit Application Group Management generates events for actions related to [application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)), such as group creation, modification, addition or removal of group member and some other actions.
[Application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)) are used by [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)).

6
windows/security/threat-protection/auditing/audit-audit-policy-change.md
View File

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
ms.date: 09/06/2021
ms.technology: mde
---
# Audit Audit Policy Change
**Applies to**
- Windows 10
- Windows Server 2016
Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy.

Some files were not shown because too many files have changed in this diff Show More