From 9ec74d0e0f89a39eece1640bef0b041b28b7f3fc Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 29 Aug 2023 10:42:18 -0400 Subject: [PATCH] updates --- .../passwordless-experience.md | 92 +++++++++---------- windows/security/images/icons/key.svg | 3 + 2 files changed, 46 insertions(+), 49 deletions(-) create mode 100644 windows/security/images/icons/key.svg diff --git a/windows/security/identity-protection/passwordless-experience.md b/windows/security/identity-protection/passwordless-experience.md index ce1f959190..96d4c14385 100644 --- a/windows/security/identity-protection/passwordless-experience.md +++ b/windows/security/identity-protection/passwordless-experience.md 
@@ -10,37 +10,48 @@ ms.topic: how-to # Passwordless experience -## Overview +## Passwordless experience overview -Starting in Windows 11, version 22H2 with [KB5030310](https://support.microsoft.com/kb/5030310) +This feature allows organizations to configure devices with a policy that promotes a passwordless user experience on Microsoft Entra joined devices. +Passwords are inherently not secure and can be stolen through social engineering attacks. While the goal is to have fully passwordless accounts in the organization, this is a fundamental step toward that goal. -Starting in Windows 11, version 23H2, Passwordless experience is a security feature that enables your organization to move away from passwords. Once enable, Windows users can sign in to their devices using Windows Hello for Business or a FIDO2 security key only. This feature is available for Azure Active Directory (Azure AD) joined devices only. +>[!NOTE] +>Microsoft Entra hybrid joined devices and Active Directory domain joined devices are currently out of scope. -This article explains how to enable Passwordless experience for your organization and describes the user experience. +The policy affects only Entra ID accounts after they sign in to the device with stron credentials (Windows Hello for Business or FIDO2 security key). The policy does not affect the initial sign-in experience and local accounts. + +Once the policy is set: + +- Removes passwords from the user experience, both for device logon as well as in-session auth scenarios via CredUI +- Users will navigate through their core authentication scenarios (WHFB/FIDO2 security keys etc) +- If users are blocked, they can use a recovery mechanism such as PIN Reset or Web Sign-in + +Starting in Windows 11, version 22H2 with [KB5030310](https://support.microsoft.com/kb/5030310), *Passwordless experience* is a security policy thatpromotes a passwordless user experience on Microsoft Entra joined devices. 
+Once enabled, Windows users can sign in to their devices using Windows Hello for Business or a FIDO2 security key only. This feature is available for Azure Active Directory (Azure AD) joined devices only. +This article explains how to enable Passwordless experience and describes the user experience. ## Enable Passwordless experience with Intune - +[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)] | Category | Setting name | Value | |--|--|--| | **Authentication** | Enable Passwordless Experience | Enabled | - +[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)] -Alternatively, you can configure devices using a [custom policy][INT-3] with the [Policy CSP][CSP-1]. +Alternatively, you can configure devices using a [custom policy][INT-2] with the [Policy CSP][CSP-1]. | Setting | |--------| |
  • OMA-URI:**`./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience`**
  • Data type:**int**
  • Value:**`1`**
  • | - :::row::: :::column span="2"::: - **Passwordless experience turned off** + **Passwordless experience turned off**: The user can sign in using a password, as indicated by the presence of the password credential provider icon :::image type="icon" source="../images/icons/key.svg" border="false"::: in the Windows lock screen. :::column-end::: :::column span="2"::: - **Passwordless experience turned on** + **Passwordless experience turned on**: The password credential provider icon :::image type="icon" source="../images/icons/key.svg" border="false"::: is missing for a user who enrolled in Windows Hello for Business or signed in with FIDO2 keys. :::column-end::: :::row-end::: :::row::: 
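Review bot: two typos in the added overview paragraphs need fixing before merge: "stron credentials (Windows Hello for Business or FIDO2 security key)" should read "strong credentials", and "a security policy thatpromotes" is missing a space. The same hunk also switches terminology between adjacent lines, "promotes a passwordless user experience on Microsoft Entra joined devices" followed immediately by "This feature is available for Azure Active Directory (Azure AD) joined devices only"; pick one name for the directory. Finally, the feature is described twice in the new overview (the "This feature allows organizations..." paragraph and then the "Starting in Windows 11, version 22H2 with [KB5030310]..." paragraph), and the "Once the policy is set:" list carries internal shorthand ("WHFB/FIDO2 security keys etc", "in-session auth scenarios via CredUI") that a how-to reader will not recognise; consider merging the two paragraphs and spelling out the product names.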
@@ -55,51 +66,38 @@ Alternatively, you can configure devices using a [custom policy][INT-3] with the -'EnablePasswordlessExperience' is a policy (MDM) that promotes a passwordless user experience on AADJ machines (Hybrid is out of scope for now). It supports Windows core authentication scenarios without requiring passwords. This is a step towards a world without passwords, as we continue to invest in a journey towards passwordless.This new policy is a comprehensive policy for hiding passwords from Windows, compared to the existing GP. +'EnablePasswordlessExperience' is a policy (MDM) that promotes a passwordless user experience on AADJ machines (Hybrid is out of scope for now). It supports Windows core authentication scenarios without requiring passwords. This is a step towards a world without passwords, as we continue to invest in a journey towards passwordless. The existing GP, once configured, disables passwords for "All accounts", so there is no strong recovery mechanism to get on the machine. RDP, RunAs, and in-session auth scenarios are not supported with this GP. However, our new feature will hide passwords from In-session auth scenarios like Password Manager in a web browser, Run as administrator, etc. It will also exclude 'Other User' from the policy, so you can log in from this account as a backup mechanism. -Once the EnablePasswordlessExperience policy is set– +Once the EnablePasswordlessExperience policy is set: - It removes passwords from the user experience, both for device logon as well as in-session auth scenarios via CredUI.  - Users will navigate through their core authentication scenarios (WHFB/FIDO2 security keys, etc.) -- If users are blocked, they can use a recovery mechanism such as PIN Reset or Web Sign-in. (September Feature to improve recovery mechanisms) +- If users are blocked, they can use a recovery mechanism such as PIN Reset or Web Sign-in. 
(September Feature to improve recovery mechanisms) +## Frequently Asked Questions -## WHY +Q: What is the difference between the existing GP and the new policy? +A: This new policy is a comprehensive policy for hiding passwords from Windows, compared to the existing GP -Passwords are inherently not secure, they are easily stolen through social engineering attacks​ -​ +Q: What happens if a user cannot sign in with biomentrics and forgot their PIN? +A: The user can use the PIN Reset feature reset their PIN. Once the PIN Reset feature is configured, a user can reset a PIN from the lock screen and the Settings app. + :::image type="content" source="hello-for-business/images/pinreset/pin-reset.gif" alt-text="Animation showing the PIN Reset feature from the lock screen." lightbox="hello-for-business/images/pinreset/pin-reset.gif"::: -Our team's previous work has already paved the way for Microsoft Account in the consumer space to now offer [fully Passwordless accounts](https://www.microsoft.com/en-us/security/blog/2021/09/15/the-passwordless-future-is-here-for-your-microsoft-account/) (no password in the MSA identity directory). We are now following this playbook towards the same ultimate goal in the enterprise.​ +## Recover a passwordless credential +This feature aims to improve: +- ​Above-lock Pin Reset flow +- Web Sign-in Infrastructure + - On demand web-based experience for credential recovery + - Enable a web sign in policy : Cred provider primarily used as a bootstrap mechanism for enterprises [enablewebsignin][CSP-2]​ + - TAP is removed and is open to all Auth methods -## WHAT - -This feature allows enterprise admins to set a policy (MDM) that promotes a Passwordless user experience on AAD joined machines. 
(Hybrid- Future scope)​ - -Once the policy is set: -- Removes passwords from the user experience, both for device logon as well as in-session auth scenarios via CredUI -- Users will navigate through their core authentication scenarios (WHFB/FIDO2 security keys etc)​ -- If users are blocked, they can use a recovery mechanism such as PIN Reset or Web Sign-in​ - - -### Recover a Passwordless credential ​ on AADJ devices​ - -This feature aims to improve : ​ - - ​ Above-lock Pin Reset flow - -  Web Sign-in Infrastructure - - On demand web-based experience for credential recovery - - Enable a web sign in policy      : Cred provider primarily used as a bootstrap mechanism for enterprises [enablewebsignin](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-authentication#enablewebsignin)​ - - TAP is removed and is open to all Auth methods - -​If a user failed to recover their credentials, then he/she is locked out of their account and won't be able to log back in until there is some strong recovery mechanism.  This improvement includes a reliable UI experience when a user clicks on "I forgot my PIN", on the first click user will be redirected to MFA web app for authentication and can change the PIN seamlessly.​ If TPM fails, on demand recovery flow will pop in. This work moves the Web Sign-in infrastructure from the CHX WebApp to LWH​ - - Note: Local Accounts and Other User are excluded​ -​ +​If a user failed to recover their credentials, then he/she is locked out of their account and won't be able to log back in until there is some strong recovery mechanism. This improvement includes a reliable UI experience when a user clicks on "I forgot my PIN", on the first click user will be redirected to MFA web app for authentication and can change the PIN seamlessly.​ If TPM fails, on demand recovery flow will pop in. This work moves the Web Sign-in infrastructure from the CHX WebApp to LWH​ Scenarios: CTRL-ALT-DEL --> password change 
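Review bot: the retained and added lines in this hunk still contain zero-width space characters (U+200B), visible as "​" in "- ​Above-lock Pin Reset flow", "[enablewebsignin][CSP-2]​" and "+​If a user failed to recover their credentials"; strip them, since they survive into the rendered page and break search and copy/paste. Two more typos in the new FAQ: "biomentrics" should be "biometrics", and "The user can use the PIN Reset feature reset their PIN" is missing "to". The "Q:" and "A:" lines are written without a blank line between them, so Markdown will render each pair as one paragraph; put each on its own paragraph or bold the question. The new "'EnablePasswordlessExperience' is a policy (MDM) that promotes a passwordless user experience on AADJ machines (Hybrid is out of scope for now)..." paragraph reads as internal planning text ("our new feature", "as we continue to invest in a journey towards passwordless") and repeats the hybrid-join note already added in the overview, and the "Recover a passwordless credential" section keeps design-spec phrasing ("TAP is removed and is open to all Auth methods", "This work moves the Web Sign-in infrastructure from the CHX WebApp to LWH", "he/she") that should be rewritten for the reader of a how-to.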
@@ -114,21 +112,17 @@ How about FIDO2 key signin? TAP changes? Recovery Flow -Example: When TPM is cleared out/something goes wrong, on demand web-based experience for credential recovery will show up. - - +Example: When TPM is cleared out/something goes wrong, on demand web-based experience for credential recovery will show up. ## Sum up -1) Windows Hello for Business passwordless experience 2) Web experience for credential recovery -This new work moves the Web Sign-in infrastructure from the Cloud Host Experience (CHX) WebApp to the newly written Login Web Host (LWH) for the September moment. This now provides better security, reliability to support the existing as well as new workflows. We are using the same LWH infra previously built for EDU scenarios. This means, in addition to TAP, it is now opened to all AAD auth methods. +This new work moves the Web Sign-in infrastructure from the Cloud Host Experience (CHX) WebApp to the newly written Login Web Host (LWH) for the September moment. This now provides better security, reliability to support the existing as well as new workflows. We are using the same LWH infra previously built for EDU scenarios. This means, in addition to TAP, it is now opened to all AAD auth methods. PIN Reset flow is still the same, we have made some improvements, which include a reliable UI experience when a user clicks on "I forgot my PIN", on the first click, the user will be redirected to the MFA web app for authentication and can change the PIN seamlessly. -[CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions - -[MEM-1]: /mem/intune/configuration/settings-catalog -[MEM-2]: /mem/intune/configuration/custom-settings-windows-10 \ No newline at end of file +[CSP-1]: /windows/client-management/mdm/policy-csp-authentication#enablepasswordlessexperience +[CSP-2]: /windows/client-management/mdm/policy-csp-authentication#enablewebsignin +[INT-2]: /mem/intune/configuration/custom-settings-windows-10 
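Review bot: the "## Sum up" section kept here duplicates the recovery-section text from the previous hunk ("moves the Web Sign-in infrastructure from the Cloud Host Experience (CHX) WebApp to the newly written Login Web Host (LWH)" and the "I forgot my PIN" UI description both appear twice), and still contains release-planning language ("for the September moment", "the same LWH infra previously built for EDU scenarios") that does not belong in published documentation; fold the surviving facts into the recovery section and drop the rest. The link reference changes look consistent: the context line now uses `[INT-2]` and `[INT-2]: /mem/intune/configuration/custom-settings-windows-10` is defined, `[CSP-2]` is defined for the `[enablewebsignin][CSP-2]` reference added above, and `[CSP-1]` now points at `policy-csp-authentication#enablepasswordlessexperience`, matching the `./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience` OMA-URI in the table. Do confirm nothing else in the article still references the removed `[MEM-1]` definition, since that would leave a dangling link.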
diff --git a/windows/security/images/icons/key.svg b/windows/security/images/icons/key.svg new file mode 100644 index 0000000000..c9df33c18f --- /dev/null +++ b/windows/security/images/icons/key.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file
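Review bot: the three added lines of `windows/security/images/icons/key.svg` appear empty in this diff, so the actual SVG markup cannot be reviewed here; before merging, confirm the file contains valid SVG (and nothing beyond static path data, since it is embedded into the lock-screen description via `:::image type="icon"`) and that the missing trailing newline flagged by "\ No newline at end of file" is intended. The path does resolve correctly: `../images/icons/key.svg` relative to `windows/security/identity-protection/passwordless-experience.md` is `windows/security/images/icons/key.svg`, which is the file created in this hunk.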