deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 18:33:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

final migrated build

Browse Source
This commit is contained in:
Brian Lich
2016-04-01 14:09:23 -07:00
parent 6fba143fad
commit ae6fcffb07
22 changed files with 3832 additions and 2234 deletions
Download Patch File Download Diff File Expand all files Collapse all files

459
windows/keep-secure/implement-microsoft-passport-in-your-organization.md
View File

@ -29,216 +29,267 @@ The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10.
The following table lists the Group Policy settings that you can configure for Passport use in your workplace. These policy settings are available in **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**.
Policy
Options
Use Microsoft Passport for Work
**Not configured**: Users can provision Passport for Work, which encrypts their domain password.
**Enabled**: Device provisions Passport for Work using keys or certificates for all users.
**Disabled**: Device does not provision Passport for Work for any user.
Use a hardware security device
**Not configured**: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
**Enabled**: Passport for Work will only be provisioned using TPM.
**Disabled**: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
Use biometrics
**Not configured**: Biometrics can be used as a gesture in place of a PIN.
**Enabled**: Biometrics can be used as a gesture in place of a PIN.
**Disabled**: Only a PIN can be used as a gesture.
PIN Complexity
Require digits
**Not configured**: Users must include a digit in their PIN.
**Enabled**: Users must include a digit in their PIN.
**Disabled**: Users cannot use digits in their PIN.
Require lowercase letters
**Not configured**: Users cannot use lowercase letters in their PIN.
**Enabled**: Users must include at least one lowercase letter in their PIN.
**Disabled**: Users cannot use lowercase letters in their PIN.
Maximum PIN length
**Not configured**: PIN length must be less than or equal to 127.
**Enabled**: PIN length must be less than or equal to the number you specify.
**Disabled**: PIN length must be less than or equal to 127.
Minimum PIN length
**Not configured**: PIN length must be greater than or equal to 4.
**Enabled**: PIN length must be greater than or equal to the number you specify.
**Disabled**: PIN length must be greater than or equal to 4.
Expiration
**Not configured**: PIN does not expire.
**Enabled**: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.
**Disabled**: PIN does not expire.
History
**Not configured**: Previous PINs are not stored.
**Enabled**: Specify the number of previous PINs that can be associated to a user account that can't be reused.
**Disabled**: Previous PINs are not stored.
**Note**  Current PIN is included in PIN history.
 
Require special characters
**Not configured**: Users cannot include a special character in their PIN.
**Enabled**: Users must include at least one special character in their PIN.
**Disabled**: Users cannot include a special character in their PIN.
Require uppercase letters
**Not configured**: Users cannot include an uppercase letter in their PIN.
**Enabled**: Users must include at least one uppercase letter in their PIN.
**Disabled**: Users cannot include an uppercase letter in their PIN.
[Remote Passport](prepare-people-to-use-microsoft-passport.md#bmk-remote)
Use Remote Passport
**Note**  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
 
**Not configured**: Remote Passport is disabled.
**Enabled**: Users can use a portable, registered device as a companion device for desktop authentication.
**Disabled**: Remote Passport is disabled.
 
<table>
<tr>
<th colspan="2">Policy</th>
<th>Options</th>
</tr>
<tr>
<td>Use Microsoft Passport for Work</td>
<td></td>
<td>
<p><b>Not configured</b>: Users can provision Passport for Work, which encrypts their domain password.</p>
<p><b>Enabled</b>: Device provisions Passport for Work using keys or certificates for all users.</p>
<p><b>Disabled</b>: Device does not provision Passport for Work for any user.</p>
</td>
</tr>
<tr>
<td>Use a hardware security device</td>
<td></td>
<td>
<p><b>Not configured</b>: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
<p><b>Enabled</b>: Passport for Work will only be provisioned using TPM.</p>
<p><b>Disabled</b>: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
</td>
</tr>
<tr>
<td>Use biometrics</td>
<td></td>
<td>
<p><b>Not configured</b>: Biometrics can be used as a gesture in place of a PIN.</p>
<p><b>Enabled</b>: Biometrics can be used as a gesture in place of a PIN.</p>
<p><b>Disabled</b>: Only a PIN can be used as a gesture.</p>
</td>
</tr>
<tr>
<td rowspan="8">PIN Complexity</td>
<td>Require digits</td>
<td>
<p><b>Not configured</b>: Users must include a digit in their PIN.</p>
<p><b>Enabled</b>: Users must include a digit in their PIN.</p>
<p><b>Disabled</b>: Users cannot use digits in their PIN.</p>
</td>
</tr>
<tr>
<td>Require lowercase letters</td>
<td>
<p><b>Not configured</b>: Users cannot use lowercase letters in their PIN.</p>
<p><b>Enabled</b>: Users must include at least one lowercase letter in their PIN.</p>
<p><b>Disabled</b>: Users cannot use lowercase letters in their PIN.</p>
</td>
</tr>
<tr>
<td>Maximum PIN length</td>
<td>
<p><b>Not configured</b>: PIN length must be less than or equal to 127.</p>
<p><b>Enabled</b>: PIN length must be less than or equal to the number you specify.</p>
<p><b>Disabled</b>: PIN length must be less than or equal to 127.</p>
</td>
</tr>
<tr>
<td>Minimum PIN length</td>
<td>
<p><b>Not configured</b>: PIN length must be greater than or equal to 4.</p>
<p><b>Enabled</b>: PIN length must be greater than or equal to the number you specify.</p>
<p><b>Disabled</b>: PIN length must be greater than or equal to 4.</p>
</td>
</tr>
<tr>
<td>Expiration</td>
<td>
<p><b>Not configured</b>: PIN does not expire.</p>
<p><b>Enabled</b>: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.</p>
<p><b>Disabled</b>: PIN does not expire.</p>
</td>
</tr>
<tr>
<td>History</td>
<td>
<p><b>Not configured</b>: Previous PINs are not stored.</p>
<p><b>Enabled</b>: Specify the number of previous PINs that can be associated to a user account that can't be reused.</p>
<p><b>Disabled</b>: Previous PINs are not stored.</p>
<div class="alert"><b>Note</b>  Current PIN is included in PIN history.</div>
<div> </div>
</td>
</tr>
<tr>
<td>Require special characters</td>
<td>
<p><b>Not configured</b>: Users cannot include a special character in their PIN.</p>
<p><b>Enabled</b>: Users must include at least one special character in their PIN.</p>
<p><b>Disabled</b>: Users cannot include a special character in their PIN.</p>
</td>
</tr>
<tr>
<td>Require uppercase letters</td>
<td>
<p><b>Not configured</b>: Users cannot include an uppercase letter in their PIN.</p>
<p><b>Enabled</b>: Users must include at least one uppercase letter in their PIN.</p>
<p><b>Disabled</b>: Users cannot include an uppercase letter in their PIN.</p>
</td>
</tr>
<tr>
<td><a href="prepare_people_to_use_microsoft_passport.htm#BMK_remote">Remote Passport</a></td>
<td>
<p>Use Remote Passport</p>
<div class="alert"><b>Note</b>  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.</div>
<div> </div>
</td>
<td>
<p><b>Not configured</b>: Remote Passport is disabled.</p>
<p><b>Enabled</b>: Users can use a portable, registered device as a companion device for desktop authentication.</p>
<p><b>Disabled</b>: Remote Passport is disabled.</p>
</td>
</tr>
</table>
## MDM policy settings for Passport
The following table lists the MDM policy settings that you can configure for Passport use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070).
Policy
Scope
Default
Options
UsePassportForWork
Device
True
True: Passport will be provisioned for all users on the device.
False: Users will not be able to provision Passport.
**Note**  If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.
 
RequireSecurityDevice
Device
False
True: Passport will only be provisioned using TPM.
False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
Biometrics
UseBiometrics
Device
False
True: Biometrics can be used as a gesture in place of a PIN for domain logon.
False: Only a PIN can be used as a gesture for domain logon.
FacialFeaturesUser
EnhancedAntiSpoofing
Device
Not configured
Not configured: users can choose whether to turn on enhanced anti-spoofing.
True: Enhanced anti-spoofing is required on devices which support it.
False: Users cannot turn on enhanced anti-spoofing.
PINComplexity
Digits
Device or user
2
1: Numbers are not allowed.
2: At least one number is required.
Lowercase letters
Device or user
1
1: Lowercase letters are not allowed.
2: At least one lowercase letter is required.
Maximum PIN length
Device or user
127
Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.
Minimum PIN length
Device or user
4
Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.
Expiration
Device or user
0
Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the users PIN will never expire.
History
Device or user
0
Integer value that specifies the number of past PINs that can be associated to a user account that cant be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
Special characters
Device or user
1
1: Special characters are not allowed.
2: At least one special character is required.
Uppercase letters
Device or user
1
1: Uppercase letters are not allowed
2: At least one uppercase letter is required
Remote
UseRemotePassport
**Note**  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
 
Device or user
False
True: [Remote Passport](prepare-people-to-use-microsoft-passport.md#bmk-remote) is enabled.
False: [Remote Passport](prepare-people-to-use-microsoft-passport.md#bmk-remote) is disabled.
 
<table>
<tr>
<th colspan="2">Policy</th>
<th>Scope</th>
<th>Default</th>
<th>Options</th>
</tr>
<tr>
<td>UsePassportForWork</td>
<td></td>
<td>Device</td>
<td>True</td>
<td>
<p>True: Passport will be provisioned for all users on the device.</p>
<p>False: Users will not be able to provision Passport. </p>
<div class="alert"><b>Note</b>  If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.</div>
<div> </div>
</td>
</tr>
<tr>
<td>RequireSecurityDevice</td>
<td></td>
<td>Device</td>
<td>False</td>
<td>
<p>True: Passport will only be provisioned using TPM.</p>
<p>False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
</td>
</tr>
<tr>
<td rowspan="2">Biometrics</td>
<td>
<p>UseBiometrics</p>
</td>
<td>Device </td>
<td>False</td>
<td>
<p>True: Biometrics can be used as a gesture in place of a PIN for domain logon.</p>
<p>False: Only a PIN can be used as a gesture for domain logon.</p>
</td>
</tr>
<tr>
<td>
<p>FacialFeaturesUser</p>
<p>EnhancedAntiSpoofing</p>
</td>
<td>Device</td>
<td>Not configured</td>
<td>
<p>Not configured: users can choose whether to turn on enhanced anti-spoofing.</p>
<p>True: Enhanced anti-spoofing is required on devices which support it.</p>
<p>False: Users cannot turn on enhanced anti-spoofing.</p>
</td>
</tr>
<tr>
<td rowspan="9">PINComplexity</td>
</tr>
<tr>
<td>Digits </td>
<td>Device or user</td>
<td>2 </td>
<td>
<p>1: Numbers are not allowed. </p>
<p>2: At least one number is required.</p>
</td>
</tr>
<tr>
<td>Lowercase letters </td>
<td>Device or user</td>
<td>1 </td>
<td>
<p>1: Lowercase letters are not allowed. </p>
<p>2: At least one lowercase letter is required.</p>
</td>
</tr>
<tr>
<td>Maximum PIN length </td>
<td>Device or user</td>
<td>127 </td>
<td>
<p>Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.</p>
</td>
</tr>
<tr>
<td>Minimum PIN length</td>
<td>Device or user</td>
<td>4</td>
<td>
<p>Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.</p>
</td>
</tr>
<tr>
<td>Expiration </td>
<td>Device or user</td>
<td>0</td>
<td>
<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the users PIN will never expire.
</p>
</td>
</tr>
<tr>
<td>History</td>
<td>Device or user</td>
<td>0</td>
<td>
<p>Integer value that specifies the number of past PINs that can be associated to a user account that cant be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
</p>
</td>
</tr>
<tr>
<td>Special characters</td>
<td>Device or user</td>
<td>1</td>
<td>
<p>1: Special characters are not allowed. </p>
<p>2: At least one special character is required.</p>
</td>
</tr>
<tr>
<td>Uppercase letters</td>
<td>Device or user</td>
<td>1</td>
<td>
<p>1: Uppercase letters are not allowed </p>
<p>2: At least one uppercase letter is required</p>
</td>
</tr>
<tr>
<td>Remote</td>
<td>
<p>UseRemotePassport</p>
<div class="alert"><b>Note</b>  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.</div>
<div> </div>
</td>
<td>Device or user</td>
<td>False</td>
<td>
<p>True: <a href="prepare_people_to_use_microsoft_passport.htm#BMK_remote">Remote Passport</a> is enabled.</p>
<p>False: <a href="prepare_people_to_use_microsoft_passport.htm#BMK_remote">Remote Passport</a> is disabled.</p>
</td>
</tr>
</table>
**Note**  
If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.