From 2ea579bd357aeb67765fccce9dd0c84a0bc1d132 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Thu, 3 Jun 2021 11:12:08 -0700 Subject: [PATCH 01/20] CI 144624 - created article, updated TOC --- .../hello-aad-join-cloud-only-deploy.md | 94 +++++++++++++++++++ .../hello-for-business/toc.yml | 2 + 2 files changed, 96 insertions(+) create mode 100644 windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md new file mode 100644 index 0000000000..f46f11f58a --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md 
@@ -0,0 +1,94 @@ +--- +title: Azure Active Directory join cloud only deployment +description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 device. +keywords: identity, Hello, Active Directory, cloud, +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +audience: ITPro +author: mapalko +ms.author: mapalko +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +localizationpriority: medium +ms.date: 06/03/2021 +ms.reviewer: +--- +# Azure Active Directory Join Cloud Only Deployment + +## Introduction + +When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. However, you may wish to disable the automatic Windows Hello for Business enrollment prompts. + +> [!NOTE} +> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. + +## Prerequisites + +This cloud only deployment will use Azure AD multi-factor authentication (MFA) during the Windows Hello for Business enrollment and there is no additional MFA configuration needed. If you are not already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites for are located at [Cloud Only Deployment](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification#cloud-only-deployment). + +> [!NOTE] +> It's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This tells Azure AD that the federated IDP will perform the MFA challenge. 
+ +You can check and view this setting with the following MSOnline PowerShell command: + +`Get-MsolDomainFederationSettings –DomainName ` + +## Use Intune to disable Windows Hello for Business enrollment + +We recommend that you disable or manage this behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/windows-hello). + +However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you are not running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. + +To disable this, run the following command. Note that this impacts **all** Azure AD MFA scenarios for this federated domain. + +`Set-MsolDomainFederationSettings -DomainName -SupportsMfa $false` + +Example: + +`Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false` + +If you use this Supports MFA switch with value True, you will need to verify your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. + +## Create a Windows Hello for Business policy + +1. Sign into the Microsoft Endpoint Manager admin center. +2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. +3. Select from the following options for Configure Windows Hello for Business: + + 1. **Disabled**: If you do not want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users cannot provision Windows Hello for Business. 
When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + +## Disable Windows Hello for Business enrollment without Intune + +The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you do not manage them with Intune. This can also be set manually on the specific device(s). + +These are Azure AD joined only systems and not domain joined systems, so these settings could be made in the registry on the device(s) when Intune is not used. + +These are the registry settings an Intune policy would set. If you are not using Intune, it is recommended to use the Intune Device Policy registry settings manually to disable this. + +Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** + +These are the registry settings pushed from Intune for user policies for your reference. + +Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** +DWORD: **UsePassportForWork** +Value = **0** for Disable, or Value = **1** for Enable + +These are the registry settings for Local or Group Policies for your reference. + +Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** +Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** +DWORD: **Enabled** +Value = **0** for Disable or Value = **1** for Enable + +If there is a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We do not recommend creating Local/GPO registry settings that could conflict with an Intune policy. This could lead to unexpected results. 
+ +## Related reference documents for Azure AD join scenarios + +- [Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join) +- [Plan your Azure Active Directory device deployment](https://docs.microsoft.com/azure/active-directory/devices/plan-device-deployment) +- [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan) +- [How to manage the local administrators group on Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/assign-local-admin) +- [Manage device identities using the Azure portal](https://docs.microsoft.com/azure/active-directory/devices/device-management-azure-portal) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 5c90875208..ec30c22aec 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -101,6 +101,8 @@ href: hello-cert-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md + - name: Azure AD join cloud only deployment + href: hello-aad-join-cloud-only-deploy - name: Managing Windows Hello for Business in your organization href: hello-manage-in-organization.md - name: Deploying Certificates to Key Trust Users to Enable RDP From c95cf2df28f757b0b515ca89a45e0e42c0d77693 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Thu, 3 Jun 2021 11:20:36 -0700 Subject: [PATCH 02/20] Updates --- .../hello-aad-join-cloud-only-deploy.md | 14 +++++++------- .../identity-protection/hello-for-business/toc.yml | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) 
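Review bot: the `Set-MsolDomainFederationSettings -DomainName -SupportsMfa $false` command is placed under "Use Intune to disable Windows Hello for Business enrollment" and introduced with "To disable this, run the following command", so a reader will take it as the way to switch off Windows Hello for Business enrollment; what it actually does is clear the federated domain's "Supports MFA" flag, which, as the same paragraph admits, affects **all** Azure AD MFA scenarios for that domain. Move the command and the `Get-MsolDomainFederationSettings` check up under the "Supports MFA" note in Prerequisites, say that it is only needed when the federated IdP is not going to perform the MFA challenge, and keep the Intune section to the Intune policy steps. Smaller fixes in the same hunk: `> [!NOTE}` needs a closing bracket (`> [!NOTE]`) or it will not render as a NOTE callout; `Get-MsolDomainFederationSettings –DomainName ` uses an en dash and is missing its argument (write `-DomainName <domain>` to match the `-SupportsMfa` example); "prerequisites for are located" has a stray "for"; and the Intune Device Policy key is listed with no value name or data, while the user policy key below it gives `UsePassportForWork` = 0/1.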
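Review bot: in the toc.yml hunk, `href: hello-aad-join-cloud-only-deploy` is missing the `.md` extension that every neighbouring entry carries (`hello-cert-trust-policy-settings.md`, `hello-manage-in-organization.md`), so the TOC entry will not resolve to the new file; use `href: hello-aad-join-cloud-only-deploy.md`.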
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index f46f11f58a..d9cc726083 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -27,7 +27,7 @@ When you Azure Active Directory (Azure AD) join a Windows 10 device, the system ## Prerequisites -This cloud only deployment will use Azure AD multi-factor authentication (MFA) during the Windows Hello for Business enrollment and there is no additional MFA configuration needed. If you are not already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites for are located at [Cloud Only Deployment](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification#cloud-only-deployment). +This cloud only deployment will use Azure AD multi-factor authentication (MFA) during the Windows Hello for Business enrollment and there is no additional MFA configuration needed. If you are not already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites for are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). > [!NOTE] > It's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This tells Azure AD that the federated IDP will perform the MFA challenge. 
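Review bot: the replacement Prerequisites line keeps two errors from the original while only swapping the link: "you will be guided though the MFA registration" should read "through", and "prerequisites for are located" has a stray "for". Since the line is being rewritten for the relative link anyway, fix both here rather than carrying them into later patches.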
@@ -38,7 +38,7 @@ You can check and view this setting with the following MSOnline PowerShell comma ## Use Intune to disable Windows Hello for Business enrollment -We recommend that you disable or manage this behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/windows-hello). +We recommend that you disable or manage this behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you are not running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. 
@@ -87,8 +87,8 @@ If there is a conflicting Device policy and User policy, the device policy or co ## Related reference documents for Azure AD join scenarios -- [Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join) -- [Plan your Azure Active Directory device deployment](https://docs.microsoft.com/azure/active-directory/devices/plan-device-deployment) -- [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan) -- [How to manage the local administrators group on Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/assign-local-admin) -- [Manage device identities using the Azure portal](https://docs.microsoft.com/azure/active-directory/devices/device-management-azure-portal) +- [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join) +- [Plan your Azure Active Directory device deployment](/azure/active-directory/devices/plan-device-deployment) +- [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan) +- [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin) +- [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index ec30c22aec..60161ce7da 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml 
@@ -102,7 +102,7 @@ - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - name: Azure AD join cloud only deployment - href: hello-aad-join-cloud-only-deploy + href: hello-aad-join-cloud-only-deploy.md - name: Managing Windows Hello for Business in your organization href: hello-manage-in-organization.md - name: Deploying Certificates to Key Trust Users to Enable RDP From 379f43396b78e8cfb6a62eddc2c5df7f70e6147f Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Thu, 3 Jun 2021 11:28:52 -0700 Subject: [PATCH 03/20] Acrolinx --- .../hello-aad-join-cloud-only-deploy.md | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index d9cc726083..460b06dd45 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md 
@@ -23,11 +23,11 @@ ms.reviewer: When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. However, you may wish to disable the automatic Windows Hello for Business enrollment prompts. > [!NOTE} -> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. +> During the out-of-box experience (OOBE) flow of an Azure AD join, you'll see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. ## Prerequisites -This cloud only deployment will use Azure AD multi-factor authentication (MFA) during the Windows Hello for Business enrollment and there is no additional MFA configuration needed. If you are not already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites for are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). +This cloud only deployment will use Azure AD multi-factor authentication (MFA) during the Windows Hello for Business enrollment and there's no other MFA configuration needed. If you're not already registered in Azure AD MFA, you'll be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites for are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). > [!NOTE] > It's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This tells Azure AD that the federated IDP will perform the MFA challenge. 
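Review bot: the `> [!NOTE}` line is carried as unchanged context directly above the rewritten note text; the closing brace means the callout will not render as a NOTE, and this hunk, which already touches the note body, is the place to change it to `> [!NOTE]`. The contraction pass also leaves "guided though" (for "through") and "prerequisites for are located" in the new Prerequisites line.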
@@ -40,9 +40,12 @@ You can check and view this setting with the following MSOnline PowerShell comma We recommend that you disable or manage this behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). -However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you are not running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. +However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you're not running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. -To disable this, run the following command. Note that this impacts **all** Azure AD MFA scenarios for this federated domain. +To disable Windows Hello for Business, run the following command. + +> [!NOTE] +> This action impacts **all** Azure AD MFA scenarios for this federated domain. `Set-MsolDomainFederationSettings -DomainName -SupportsMfa $false` @@ -50,7 +53,7 @@ Example: `Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false` -If you use this Supports MFA switch with value True, you will need to verify your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. +If you use this Supports MFA switch with value True, you'll need to verify your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. ## Create a Windows Hello for Business policy 
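Review bot: the rewording from "To disable this, run the following command" to "To disable Windows Hello for Business, run the following command" changes the meaning and makes it wrong: the command that follows is `Set-MsolDomainFederationSettings -DomainName -SupportsMfa $false`, which clears the federated domain's Supports MFA flag and does nothing to Windows Hello for Business enrollment. The new NOTE correctly warns that the change impacts all Azure AD MFA scenarios for the domain, which is exactly the unwanted outcome an admin following the heading literally would get. Suggest "To clear the Supports MFA flag for a federated domain, run the following command" and move the block out of the Intune section up to the Supports MFA note in Prerequisites; the command also still lacks a domain placeholder (`-DomainName <domain>`).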
@@ -58,32 +61,32 @@ If you use this Supports MFA switch with value True, you will need to verify you 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. 3. Select from the following options for Configure Windows Hello for Business: - 1. **Disabled**: If you do not want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + 1. **Disabled**: If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. ## Disable Windows Hello for Business enrollment without Intune -The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you do not manage them with Intune. This can also be set manually on the specific device(s). +The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s). -These are Azure AD joined only systems and not domain joined systems, so these settings could be made in the registry on the device(s) when Intune is not used. +These systems are Azure AD joined only, and aren't domain joined systems, so these settings could be made in the registry on the device(s) when Intune isn't used. -These are the registry settings an Intune policy would set. 
If you are not using Intune, it is recommended to use the Intune Device Policy registry settings manually to disable this. +These registry settings are the settings an Intune policy would set. If you're not using Intune, it's recommended to use the Intune Device Policy registry settings manually to disable the policy. Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** -These are the registry settings pushed from Intune for user policies for your reference. +These registry settings are pushed from Intune for user policies for your reference. Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** DWORD: **UsePassportForWork** Value = **0** for Disable, or Value = **1** for Enable -These are the registry settings for Local or Group Policies for your reference. +These registry settings are for Local or Group Policies for your reference. Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** DWORD: **Enabled** Value = **0** for Disable or Value = **1** for Enable -If there is a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We do not recommend creating Local/GPO registry settings that could conflict with an Intune policy. This could lead to unexpected results. +If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. Creating these settings could lead to unexpected results. ## Related reference documents for Azure AD join scenarios From 41729287484cce224bbf1f877ba3c1068865c316 Mon Sep 17 00:00:00 2001 
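Review bot: "This push can also be set manually on the specific device(s)" has the wrong subject: it is the registry settings, not the push, that can be set by hand, so "These settings can also be made manually on the specific device(s)" is the correct form. In the same hunk, "These registry settings are the settings an Intune policy would set" is circular; "These are the registry values an Intune policy sets" is enough. The Intune Device Policy key is still listed without a value name or data, while the user policy key gives `UsePassportForWork` = 0/1; add the value name for the device key too, otherwise the advice to "use the Intune Device Policy registry settings manually" cannot be followed.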
From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Thu, 3 Jun 2021 11:36:42 -0700 Subject: [PATCH 04/20] Note fix --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 460b06dd45..0536abfc83 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -22,7 +22,7 @@ ms.reviewer: When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. However, you may wish to disable the automatic Windows Hello for Business enrollment prompts. -> [!NOTE} +> [!NOTE] > During the out-of-box experience (OOBE) flow of an Azure AD join, you'll see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. ## Prerequisites From 228379457f489af03b3fa80fd97f44a437a2b231 Mon Sep 17 00:00:00 2001 From: dutch2005 Date: Fri, 4 Jun 2021 15:15:57 +0200 Subject: [PATCH 05/20] Update audit-other-privilege-use-events.md Added additional information about event 4985 (S) + link on an other document providing additional information about the subject. --- .../auditing/audit-other-privilege-use-events.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 87c74a4998..9883e2ee86 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md 
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -23,6 +23,7 @@ ms.technology: mde This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed. +This refers to : https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985 - (4985(S): The state of a transaction has changed. used by the file system transaction manager. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------| From 2a9e697360c9000f9c25ac524752e0e3e4d07371 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 16 Jun 2021 12:37:14 -0700 Subject: [PATCH 06/20] Update from meeting --- .../hello-aad-join-cloud-only-deploy.md | 56 ++++++++++--------- 1 file changed, 31 insertions(+), 25 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 0536abfc83..cc8ce73b29 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md 
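Review bot: the added line has a space before the colon, an unclosed parenthesis and a sentence fragment after the link ("used by the file system transaction manager."); it also links the event page by an absolute `docs.microsoft.com/en-us/...` URL, which hard-codes a locale, where the other hunks in this series use relative links. Suggest folding it into the existing sentence: "...will enable generation of [4985(S): The state of a transaction has changed](event-4985.md), which is generated by the file system transaction manager." (the relative path assumes the event page lives alongside this file in the `auditing` folder, as the URL suggests). The substance is worth keeping: telling analysts that 4985 comes from the transaction manager, not from privilege use, stops them from treating noise in this subcategory as a privilege-abuse signal.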
@@ -16,36 +16,30 @@ localizationpriority: medium ms.date: 06/03/2021 ms.reviewer: --- -# Azure Active Directory Join Cloud Only Deployment +# Azure AD Joined Cloud Only Deployment ## Introduction -When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. However, you may wish to disable the automatic Windows Hello for Business enrollment prompts. +When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed. + +You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. > [!NOTE] -> During the out-of-box experience (OOBE) flow of an Azure AD join, you'll see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. +> During the out-of-box experience (OOBE) flow of an Azure AD (AAD) join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. ## Prerequisites -This cloud only deployment will use Azure AD multi-factor authentication (MFA) during the Windows Hello for Business enrollment and there's no other MFA configuration needed. If you're not already registered in Azure AD MFA, you'll be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites for are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). 
+This cloud only deployment will use AAD multi-factor authentication (MFA) during the Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in AAD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. -> [!NOTE] -> It's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This tells Azure AD that the federated IDP will perform the MFA challenge. +The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). -You can check and view this setting with the following MSOnline PowerShell command: +Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells AAD that the federated IDP will perform the MFA challenge. + +Check and view this setting with the following MSOnline PowerShell command: `Get-MsolDomainFederationSettings –DomainName ` -## Use Intune to disable Windows Hello for Business enrollment - -We recommend that you disable or manage this behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). - -However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you're not running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. - -To disable Windows Hello for Business, run the following command. - -> [!NOTE] -> This action impacts **all** Azure AD MFA scenarios for this federated domain. +To disable this setting, run the following command. 
Note that this change impacts ALL Azure AD MFA scenarios for this federated domain. `Set-MsolDomainFederationSettings -DomainName -SupportsMfa $false` 
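Review bot: the Supports MFA disable command now sits in Prerequisites as a bare step ("To disable this setting, run the following command") with no statement of when an admin should run it; since the preceding paragraph says the flag tells Azure AD that the federated IdP performs the MFA challenge, state the condition (only when that IdP is not going to perform MFA) so the command is not read as part of the prerequisite checklist. Smaller points in this hunk: it reverts "you'll" back to "you will" in the OOBE note, undoing the Acrolinx pass from the previous patch; it introduces the abbreviations "AAD" and "WHfB" after "Azure AD" and "Windows Hello for Business" have already been used in full, and WHfB is never used again; the new H1 "Azure AD Joined Cloud Only Deployment" no longer matches the toc.yml entry "Azure AD join cloud only deployment"; "guided though" (for "through") survives another rewrite; and `Get-MsolDomainFederationSettings –DomainName ` keeps the en dash and the missing `<domain>` argument.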
@@ -53,40 +47,51 @@ Example: `Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false` -If you use this Supports MFA switch with value True, you'll need to verify your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. +If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. + +## Use Intune to disable Windows Hello for Business enrollment + +We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). + +However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. ## Create a Windows Hello for Business policy -1. Sign into the Microsoft Endpoint Manager admin center. +1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. -3. Select from the following options for Configure Windows Hello for Business: +3. Select from the following options for **Configure Windows Hello for Business**: - 1. **Disabled**: If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users can't provision Windows Hello for Business. 
When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + 1. **Disabled**: If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + +> [!NOTE] +> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md). ## Disable Windows Hello for Business enrollment without Intune The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s). -These systems are Azure AD joined only, and aren't domain joined systems, so these settings could be made in the registry on the device(s) when Intune isn't used. +Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used. -These registry settings are the settings an Intune policy would set. If you're not using Intune, it's recommended to use the Intune Device Policy registry settings manually to disable the policy. +Here are the registry settings an Intune policy would set. If you aren't using Intune, it's recommended to use the Intune Device Policy registry settings manually to disable Windows Hello For Business enrollment. 
Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** +To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) + These registry settings are pushed from Intune for user policies for your reference. Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** DWORD: **UsePassportForWork** Value = **0** for Disable, or Value = **1** for Enable -These registry settings are for Local or Group Policies for your reference. +For your reference, these registry settings can be applied from Local or Group Policies. Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** DWORD: **Enabled** Value = **0** for Disable or Value = **1** for Enable -If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. Creating these settings could lead to unexpected results. +If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. ## Related reference documents for Azure AD join scenarios 
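Review bot: In the @@ -53,40 +47,51 @@ hunk of hello-aad-join-cloud-only-deploy.md, the Intune Device Policy entry gives only the key path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies` with no DWORD name or value, while the Intune User Policy entry directly below lists `DWORD: UsePassportForWork` and `Value = 0 for Disable`; a reader following the hunk's own recommendation to "use the Intune Device Policy registry settings manually" cannot finish the step from what is shown, so add the DWORD and value under the device key. The added sentence "To find the Tenant ID, see ..." is also orphaned: it sits under a path that contains no tenant ID, and the doubled `\\` in both Intune paths reads like a dropped segment; either show where the Tenant ID belongs in the path with an explicit placeholder or remove the sentence. The "To find the Tenant ID" line is the only sentence in the hunk without a terminal period.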
@@ -95,3 +100,4 @@ If there's a conflicting Device policy and User policy, the device policy or com - [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan) - [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin) - [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal) +- [Azure AD Join Single Sign-on Deployment](hello-hybrid-aadj-sso.md) From 42615359a75080bbdb4049fa7c888e54efd490c4 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 16 Jun 2021 12:42:56 -0700 Subject: [PATCH 07/20] Update --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index cc8ce73b29..d4468e7fc9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md 
@@ -55,7 +55,7 @@ We recommend that you disable or manage Windows Hello for Business provisioning However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. -## Create a Windows Hello for Business policy +## Create a Windows Hello for Business Enrollment policy 1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. From ebb0962a44d53607b21c310bd28a85b80ebe6e20 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 16 Jun 2021 12:48:42 -0700 Subject: [PATCH 08/20] fixed link --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index d4468e7fc9..cc20211379 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md 
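Review bot: In the @@ -55,7 +55,7 @@ hunk (heading rename in hello-aad-join-cloud-only-deploy.md), "Create a Windows Hello for Business Enrollment policy" capitalizes "Enrollment" while the neighbouring heading in the hunk's own context ("Use Intune to disable Windows Hello for Business enrollment") uses sentence case; keep "enrollment" lowercase. The section it names is about disabling enrollment, so a heading that says what the policy does ("... enrollment policy to disable ...") would read better than "Create".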
@@ -76,7 +76,7 @@ Here are the registry settings an Intune policy would set. If you aren't using I Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** -To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) +To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) These registry settings are pushed from Intune for user policies for your reference. From 1d175118dc6de3a2bf6e591b558768cacd5fa707 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 16 Jun 2021 12:54:08 -0700 Subject: [PATCH 09/20] Added indents. Removed spaces. --- .../hello-aad-join-cloud-only-deploy.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index cc20211379..b5aa653cdc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md 
@@ -27,9 +27,9 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom > [!NOTE] > During the out-of-box experience (OOBE) flow of an Azure AD (AAD) join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. -## Prerequisites +## Prerequisites -This cloud only deployment will use AAD multi-factor authentication (MFA) during the Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in AAD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. +This cloud only deployment will use AAD multi-factor authentication (MFA) during the Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in AAD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). @@ -49,7 +49,7 @@ Example: If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. -## Use Intune to disable Windows Hello for Business enrollment +## Use Intune to disable Windows Hello for Business enrollment We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). 
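Review bot: The @@ -27,9 +27,9 @@ hunk only strips trailing whitespace from the "## Prerequisites" heading and the paragraph below it, and the + line keeps the typo "you will be guided though the MFA registration"; since the line is rewritten anyway, change "though" to "through" in the same commit. The @@ -49,7 +49,7 @@ hunk is whitespace-only and fine.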
@@ -68,7 +68,7 @@ However, not everyone uses Intune. The following method explains how to disable ## Disable Windows Hello for Business enrollment without Intune -The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s). +The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s). Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used. 
@@ -80,18 +80,18 @@ To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](/ These registry settings are pushed from Intune for user policies for your reference. -Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** -DWORD: **UsePassportForWork** -Value = **0** for Disable, or Value = **1** for Enable +- Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** +- DWORD: **UsePassportForWork** +- Value = **0** for Disable, or Value = **1** for Enable For your reference, these registry settings can be applied from Local or Group Policies. -Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** -Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** -DWORD: **Enabled** -Value = **0** for Disable or Value = **1** for Enable +- Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** +- Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** +- DWORD: **Enabled** +- Value = **0** for Disable or Value = **1** for Enable -If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. +If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. ## Related reference documents for Azure AD join scenarios From 50cdba229bad471d1e5e215c7e9686e9eb9285a8 Mon Sep 17 00:00:00 2001 
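Review bot: In the @@ -80,18 +80,18 @@ hunk, the Intune user-policy and Local/GPO settings become bullet lists, but the Intune Device Policy path shown in the hunk's header context stays a bare paragraph with no `- DWORD:` or `- Value =` bullets; give it the same bullets so the three blocks are parallel and the device-policy procedure is complete. The two value lines also differ only in punctuation ("for Disable, or Value = **1**" versus "for Disable or Value = **1**"); pick one form.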
From: Daniel Simpson Date: Thu, 17 Jun 2021 08:48:44 -0700 Subject: [PATCH 10/20] Update windows/security/threat-protection/auditing/audit-other-privilege-use-events.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../auditing/audit-other-privilege-use-events.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 9883e2ee86..2e147e1fde 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -23,7 +23,6 @@ ms.technology: mde This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed. -This refers to : https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985 - (4985(S): The state of a transaction has changed. used by the file system transaction manager. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------| @@ -36,4 +35,3 @@ This refers to : https://docs.microsoft.com/en-us/windows/security/threat-protec - [4985](event-4985.md)(S): The state of a transaction has changed. - From d43d7a8504a3676dbf0107d6d0ead84b090846d7 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 17 Jun 2021 08:50:33 -0700 Subject: [PATCH 11/20] Update audit-other-privilege-use-events.md --- .../auditing/audit-other-privilege-use-events.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
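Review bot: In the @@ -23,7 +23,6 @@ hunk of audit-other-privilege-use-events.md, deleting "(4985(S): The state of a transaction has changed. used by the file system transaction manager." removes the only sentence on the page that explains why this subcategory generates 4985, and leaves "for some reason" standing with no reason; dropping the raw URL line is fine, but keep the transaction-manager explanation as a proper sentence next to the event reference.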
diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 2e147e1fde..7e8dea77c3 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -21,8 +21,7 @@ ms.technology: mde - Windows 10 - Windows Server 2016 - -This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed. +This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985). | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------| From aa92580204aca962bbc54ed0ebe7e2d972814f64 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 17 Jun 2021 16:01:09 -0700 Subject: [PATCH 12/20] Added MEMCM clarification --- .../deployment/deploy-wdac-policies-with-memcm.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 73357d0809..a8d37771c9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md 
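Review bot: In the @@ -21,8 +21,7 @@ hunk, the new inline link uses the site-root path `/windows/security/threat-protection/auditing/event-4985` while the see-also entry in the same file (visible in the previous hunk) links `event-4985.md` relatively; use the relative form for consistency. With the link added, "but for some reason Success auditing will enable" still reads as a shrug in reference documentation; the transaction-manager explanation deleted in the previous commit is the reason, and it belongs here.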
@@ -35,6 +35,8 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10 - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) - [Optional] Apps and executables already installed in admin-definable folder locations that MEMCM will allow through a one-time scan during policy creation on managed endpoints. +Please be aware that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot, or wait for the next reboot. + For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) ## Deploy custom WDAC policies using Packages/Programs or Task Sequences From afae51855042cfe4c59a72fab5c65086cd0cf566 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 17 Jun 2021 16:23:28 -0700 Subject: [PATCH 13/20] Added FIle Rule Precedence Order --- .../select-types-of-rules-to-create.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 1f5068600a..e03aed4e50 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
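Review bot: In the @@ -35,6 +35,8 @@ hunk of deploy-wdac-policies-with-memcm.md, the new paragraph tells the reader to "deploy a script to delete the policy file from disk" without naming the file or its location, and "which will produce the same effect" does not say the same effect as what. Name the policy file location (or link to the page that documents it), write "which has the same effect as removing the policy", and state plainly that the policy remains enforced until the reboot the sentence mentions, since "either trigger a reboot, or wait for the next reboot" implies that but a reader may expect the deletion to take effect immediately. Style: this doc set uses "Note that", not "Please be aware".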
@@ -120,6 +120,9 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. +## File rule precedence order +WDAC has a built in file rule conflict logic that translates to as precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). + ## More information about filepath rules Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder. From fd05fdfcbfcb588e46dfb9e3a89117cb6763352b Mon Sep 17 00:00:00 2001 From: 38cat <85171837+38cat@users.noreply.github.com> Date: Fri, 18 Jun 2021 15:57:40 +0900 Subject: [PATCH 14/20] Update policy-csp-localusersandgroups.md Windows 10, version 20H2 was already released. Is this warning need? --- .../client-management/mdm/policy-csp-localusersandgroups.md | 3 --- 1 file changed, 3 deletions(-) 
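Review bot: In the @@ -120,6 +120,9 @@ hunk of select-types-of-rules-to-create.md, the new paragraph has grammar errors that obscure the evaluation order it documents: "built in file rule conflict logic that translates to as precedence order" should be "built-in file rule conflict logic that translates to a precedence order", "It will first processes" should be "It will first process", and "if none of these exists" should be "if none of these exist". Add a blank line after the new "## File rule precedence order" heading to match the other headings in the file. Since this is the page's one statement of the order (explicit deny, then explicit allow, then Managed Installer EA, then ISG), an ordered list would make it easier to scan than four sentences.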
diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 68938fa3b7..5f21ba8658 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - LocalUsersAndGroups -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
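Review bot: The @@ -14,9 +14,6 @@ hunk of policy-csp-localusersandgroups.md removes the prerelease warning, which is only correct if every policy documented on the page has shipped; the hunk cannot show that, and the commit message asks the question ("Is this warning need?") rather than asserting it. Confirm that no Insider-only values remain in the page body before merging, and if the page applies from Windows 10, version 20H2, say so in its applicability text instead of dropping the warning silently.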
From ad30fcef294b1f0efa6b8853b0efdc0d49bef2e9 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 18 Jun 2021 10:03:16 -0700 Subject: [PATCH 15/20] Added the suggested edits. --- .../deployment/deploy-wdac-policies-with-memcm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index a8d37771c9..c5fd34e870 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md 
@@ -35,7 +35,7 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10 - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) - [Optional] Apps and executables already installed in admin-definable folder locations that MEMCM will allow through a one-time scan during policy creation on managed endpoints. -Please be aware that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot, or wait for the next reboot. +Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) From 503f2da0abecffe98fe95c5f564311dc13949ce0 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 18 Jun 2021 10:18:23 -0700 Subject: [PATCH 16/20] Added the suggested edits. --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index e03aed4e50..99f5695221 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
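Review bot: In the @@ -35,7 +35,7 @@ hunk, "which will produce the same effect" is still ambiguous after the "Please be aware" to "Note that" rewording; say "which has the same effect as removing the policy", and since this is the sentence readers will act on, identify the policy file the script is expected to delete.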
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -121,7 +121,7 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. ## File rule precedence order -WDAC has a built in file rule conflict logic that translates to as precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). +WDAC has a built-in file rule conflict logic that translates to precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). ## More information about filepath rules From 98918dc567478c00c37821b66c79b0ba1107fe72 Mon Sep 17 00:00:00 2001 
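Review bot: In the @@ -121,7 +121,7 @@ hunk, hyphenating "built-in" and dropping the stray "as" are right, but the + line still reads "It will first processes" and "if none of these exists"; correct both to "process" and "exist" in the same edit rather than in a follow-up.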
From: Daniel Simpson Date: Mon, 21 Jun 2021 09:10:40 -0700 Subject: [PATCH 17/20] Update windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 99f5695221..b06abc4571 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -121,7 +121,7 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. ## File rule precedence order -WDAC has a built-in file rule conflict logic that translates to precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). +WDAC has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). ## More information about filepath rules From 68bd4770c1ef05350b32668dc394d3e14db2c1c2 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 23 Jun 2021 08:27:38 -0700 Subject: [PATCH 18/20] Matt Palko edits --- .../hello-aad-join-cloud-only-deploy.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index b5aa653cdc..b195744150 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 06/03/2021 +ms.date: 06/23/2021 ms.reviewer: --- # Azure AD Joined Cloud Only Deployment 
@@ -25,15 +25,15 @@ When you Azure Active Directory (Azure AD) join a Windows 10 device, the system You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. > [!NOTE] -> During the out-of-box experience (OOBE) flow of an Azure AD (AAD) join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. +> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. ## Prerequisites -This cloud only deployment will use AAD multi-factor authentication (MFA) during the Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in AAD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. +Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process. The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). -Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells AAD that the federated IDP will perform the MFA challenge. 
+Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge. Check and view this setting with the following MSOnline PowerShell command: @@ -53,9 +53,9 @@ If you use this Supports MFA switch with value **True**, you must verify that yo We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). -However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. +However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't using Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. -## Create a Windows Hello for Business Enrollment policy +## Disable Windows Hello for Business using Intune Enrollment policy 1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. 
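Review bot: In the @@ -53,9 +53,9 @@ hunk, renaming the H2 to "Disable Windows Hello for Business using Intune Enrollment policy" leaves two same-level headings for one topic: the "Use Intune to disable Windows Hello for Business enrollment" H2 that this section already sits under, and this one. Worse, the paragraph between them ("However, not everyone uses Intune ... We have provided the underlying registry subkeys") introduces the non-Intune method and is then followed by the Intune portal steps. Make this heading an H3 under the Intune section and move the "not everyone uses Intune" paragraph into "Disable Windows Hello for Business enrollment without Intune". In the @@ -25,15 +25,15 @@ hunk, "guided though the MFA registration" is still on the + line and "Cloud only deployments" should be "Cloud-only deployments" as a compound modifier.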
@@ -72,11 +72,11 @@ The information below can be pushed out to the devices through a third-party MDM Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used. -Here are the registry settings an Intune policy would set. If you aren't using Intune, it's recommended to use the Intune Device Policy registry settings manually to disable Windows Hello For Business enrollment. +Here are the registry settings an Intune policy would set. Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** -To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) +To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) These registry settings are pushed from Intune for user policies for your reference. @@ -91,7 +91,7 @@ For your reference, these registry settings can be applied from Local or Group P - DWORD: **Enabled** - Value = **0** for Disable or Value = **1** for Enable -If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. +If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. ## Related reference documents for Azure AD join scenarios From 6cb449cb45de2824e6d0aa0a1a240a5914441e5b Mon Sep 17 00:00:00 2001 
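Review bot: In the @@ -91,7 +91,7 @@ hunk, the precedence statement is reversed from "the device policy or computer policy would take precedence" to "the User policy would take precedence" with nothing in the commit explaining why; this is the behavioural claim an admin relies on when both PassportForWork keys are set, so it must be verified against actual behaviour and, whichever way it goes, the doc should spell out the consequence (if user policy wins, a user-scoped value of 1 overrides a device-scoped 0, which is exactly the case someone disabling enrollment needs to know). The @@ -72,11 +72,11 @@ hunk deletes the sentence recommending the Intune Device Policy registry settings for the non-Intune case; if the precedence really is user-first, that deletion is consistent, but the section then no longer tells the reader which of the two keys to set, so replace the sentence rather than just removing it.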
From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 23 Jun 2021 08:49:57 -0700 Subject: [PATCH 19/20] Coded the reg strings --- .../hello-aad-join-cloud-only-deploy.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index b195744150..379f033684 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md 
@@ -74,20 +74,20 @@ Because these systems are Azure AD Joined only, and not domain joined, these set Here are the registry settings an Intune policy would set. -Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** +Intune Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`** To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) These registry settings are pushed from Intune for user policies for your reference. -- Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** +- Intune User Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies`** - DWORD: **UsePassportForWork** - Value = **0** for Disable, or Value = **1** for Enable For your reference, these registry settings can be applied from Local or Group Policies. -- Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** -- Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** +- Local/GPO User Policy: **`HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork`** +- Local/GPO Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`** - DWORD: **Enabled** - Value = **0** for Disable or Value = **1** for Enable From a9ac94ea0da7023a22d9e049af7095cbd79363ec Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Wed, 23 Jun 2021 11:07:01 -0700 Subject: [PATCH 20/20] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
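Review bot: moving the key paths into code spans changes how the doubled backslash renders. In the removed bold text `**HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies**` the `\\` was a Markdown escape that displayed as one `\`, but inside backticks it is shown literally, so the added `...\PassportForWork\\Device\Policies` and `...\PassportForWork\\UserSid\Policies` lines now display a path with two consecutive backslashes that does not exist in the registry; use a single backslash inside the code spans. The placeholder is also spelled `UserSid` on the Intune line and `UserSID` on the Local/GPO line; pick one spelling so readers recognise it as the same substitution.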
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 05468dd64e..ee556ecef8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -121,7 +121,8 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. ## File rule precedence order -WDAC has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). + +WDAC has a built-in file rule conflict logic that translates to precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). ## More information about filepath rules
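Review bot: the rewritten sentence introduces a grammar error that the removed line did not have: "It will first processes all explicit deny rules" should read "It will first process all explicit deny rules". The hunk also retargets the [Managed Installer EA] link from `deploy-wdac-policies-with-managed-installer.md` to `deployment/deploy-wdac-policies-with-memcm.md` while leaving the link text unchanged; confirm that the new target still documents the managed installer extended attribute, or adjust the link text to match what the page actually covers. The added blank line after the `## File rule precedence order` heading is a welcome consistency fix.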
