From b453bbc412e08bc3ef76fb68b52bd1110f0d4acc Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 14 Sep 2023 09:37:22 -0400
Subject: [PATCH] updates
---
.../identity-protection/web-sign-in/index.md | 64 +++++++++++--------
.../security/includes/sections/identity.md | 2 +-
2 files changed, 39 insertions(+), 27 deletions(-)
diff --git a/windows/security/identity-protection/web-sign-in/index.md b/windows/security/identity-protection/web-sign-in/index.md
index 9052879441..105c621741 100644
--- a/windows/security/identity-protection/web-sign-in/index.md
+++ b/windows/security/identity-protection/web-sign-in/index.md
@@ -11,11 +11,13 @@ ms.collection:
# Web sign-in for Windows devices
-Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can enable your users to sign-in using a web experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities.
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities.
This feature is called *Web sign-in*.
-Web sign-in is a *credential provider*, and it was initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in have been expanded.\
-For example, with Web sign-in organizations can move to passwordless sign-in experiences, or enable users to sign-in with a federated identity.
+Web sign-in is a *credential provider*, and it was initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in are expanded.\
+For example, you can sign in with the Microsoft Authenticator app or with a SAML-P federated identity.
+
+This article describes how to configure Web sign-in and the supported key scenarios.
## Prerequisites
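Review bot: the rewritten sentence now says "the supported scenarios and capabilities of Web sign-in are expanded", while the same sentence in identity.md in this patch keeps "have been expanded"; pick one tense and use it in both files so the overview and the article don't drift apart. Also consider reordering "the supported key scenarios" in the new intro line to "the key supported scenarios", which reads more naturally.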
@@ -38,7 +40,7 @@ To use web sign-in, your devices must be configured with different policies. Rev
| Category | Setting name | Value |
|--|--|--|
| Authentication | Enable Web Sign In | Enabled |
-| Authentication | Configure Web Sign In Allowed Urls | This setting is optional, and it contains a list of domains, for example:
- `idp.example.com`
- `example.com` |
+| Authentication | Configure Web Sign In Allowed Urls | This setting is optional, and it contains a list of domains required for sign in, for example:
- `idp.example.com`
- `example.com` |
| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, for example: `example.com` |
[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
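Review bot: the new wording for Configure Web Sign In Allowed Urls, "a list of domains required for sign in", still doesn't tell the reader what the list does: it reads as a requirement placed on the user rather than as a restriction on the sign-in web view. Since the setting name says "Allowed Urls", state the effect directly, for example whether navigation to a domain that isn't listed is blocked and what happens when the list is empty, so administrators understand they are configuring an allowlist. Minor: "sign in" is a noun here and should be hyphenated as "sign-in", matching "sign-in process" in the webcam row of the same table.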
@@ -58,7 +60,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
| Path | Setting name | Value |
|--|--|--|
| `Policies/Authentication` | `EnableWebSignIn` | Enabled |
-| `Policies/Authentication` | `ConfigureWebSignInAllowedUrls` | This setting is optional, and it contains a semicolon-separated list of domains, for example: `idp.example.com;example.com` |
+| `Policies/Authentication` | `ConfigureWebSignInAllowedUrls` | This setting is optional, and it contains a semicolon-separated list of domains required for sign in, for example: `idp.example.com;example.com` |
| `Policies/Authentication` | `ConfigureWebCamAccessDomainNames` | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `example.com` |
[!INCLUDE [provisioning-package-2](../../../../includes/configure/provisioning-package-2.md)]
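Review bot: the ConfigureWebSignInAllowedUrls row repeats the "domains required for sign in" phrasing from the settings catalog table above, so whatever clarification of the allowlist semantics is adopted there should be mirrored here; the semicolon-separated format is the only difference between the two rows. Same hyphenation point applies: "sign-in" as a noun, consistent with the webcam row in this table.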
@@ -76,10 +78,14 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
:::row:::
:::column span="3":::
**Passwordless sign-in**\
- Users can sign in to Windows passwordless, even before enrolling in Windows Hello for Business. For example, by using the Microsoft Authenticator. When used in conjuction with *Windows Hello for Business passworless*, the organization can hide the password credential provider from the lock screen as well as in-session authentication scenarios.
+ Users can sign in to Windows passwordless, even before enrolling in Windows Hello for Business. For example, by using the Microsoft Authenticator app as a sign-in method.
+
+ > [!TIP]
+ > When used in conjuction with *Windows Hello for Business passworless*, you can hide the password credential provider from the lock screen as well as in-session authentication scenarios. This enables a truly passwordless Windows experience.
To learn more:
- [Enable passwordless sign-in with Microsoft Authenticator][AAD-1]
+ - [Passwordless authentication options for Azure Active Directory][AAD-2]
- [Windows Hello for Business passwordless](../hello-for-business/passwordless.md)
:::column-end:::
:::column span="1":::
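Review bot: the new TIP carries over two typos from the removed line: "conjuction" should be "conjunction" and "passworless" should be "passwordless" (the latter is also the name of the feature being linked, so it matters for searchability). Also, the new link text "Passwordless authentication options for Azure Active Directory" uses the old product name while the article intro in this same patch says "Microsoft Entra joined devices"; consider aligning the link text with the product name used elsewhere in the article.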
@@ -89,7 +95,7 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
:::row:::
:::column span="3":::
**Windows Hello for Business PIN reset**\
- The PIN reset flow is seamless and more robust than in previous versions. For more information, see [PIN reset](../hello-for-business/hello-feature-pin-reset.md).
+ The Windows Hello PIN reset flow is seamless and more robust than in previous versions. For more information, see [PIN reset](../hello-for-business/hello-feature-pin-reset.md).
:::column-end:::
:::column span="1":::
:::image type="content" source="images/web-sign-in-pin-reset.png" border="false" lightbox="images/web-sign-in-pin-reset.gif" alt-text="Animation of the PIN reset in experience.":::
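Review bot: while touching this row, the unchanged alt-text "Animation of the PIN reset in experience." has a stray "in"; suggest "Animation of the PIN reset experience." so screen readers get a clean description.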
@@ -98,7 +104,12 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
:::row:::
:::column span="3":::
**Temporary Access Pass (TAP)**\
- Users can sign in using a Temporary Access Pass, which is a ...
+ A Temporary Access Pass (TAP) is a time-limited passcode granted by an administrator to a user. Users can sign in with a TAP using the Web sign-in credential provider. Examples of this scenario include:
+ - to onboard Windows Hello for Business or a FIDO2 security key
+ - in case of lost or forgotten FIDO2 security key and unknown password
+
+ To learn more:
+ - [Use a Temporary Access Pass][AAD-3]
:::column-end:::
:::column span="1":::
:::image type="content" source="images/web-sign-in-tap.png" border="false" lightbox="images/web-sign-in-tap.gif" alt-text="Animation of the TAP sign in experience.":::
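Review bot: the two bullets under "Examples of this scenario include:" aren't parallel, one starts with "to onboard" and the other with "in case of", and both begin lowercase while every other list in this article starts items with a capital. Suggest rephrasing as noun phrases, for example "Onboarding Windows Hello for Business or a FIDO2 security key" and "Recovering access when a FIDO2 security key is lost or forgotten and the password is unknown". The "To learn more:" list has a single entry; that's fine for consistency with the other scenario blocks, but the bullet could also be folded into one sentence.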
@@ -119,32 +130,33 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
## Important considerations
-### Known issues affecting student shared devices
+Here's a list of important considerations to keep in mind when configuring Web sign-in:
-The following issues are known to affect Web sign-in:
-
-- Once enabled, the Web sign-in credential provider is the default credential provider for the device. To change the default credential provider, you must use the [Authentication CSP][WIN-4].
-
-You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**:
-
-To verify:
-- Non-federated users can't sign-in to the devices, including local accounts
-- The *Other user* button is missing from the sign-in screen
+- Cached credentials are not supported. If the device is offline, the user can't use the Web sign-in credential provider to sign in
+- When signing off, the user is not displayed in the user selection list
+- Once enabled, the Web sign-in credential provider is the default credential provider for new users signing in to the device. To change the default credential provider, you can use the [DefaultCredentialProvider][WIN-2] ADMX-backed policy
### Sign in with federated identities
-- To improve the user experience, you can configure the *preferred Azure AD tenant name* feature.
- When using preferred AAD tenant name, the users can select the domain name during the sign-in process and redirected to the identity provider sign-in page.
- For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-4].
-- Disable Windows Hello provisioning
+In case of federated identities, here are some tips to improve the user experience:
-## Troubleshooting
+- Configure the *preferred Azure AD tenant name* feature, which allows users to select the domain name during the sign-in process. The users are then automatically redirected to the identity provider sign-in page. For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-1]
+- Enable Windows Hello for Business. Once the user signs in, the user can enroll in Windows Hello for Business and then use it to sign in to the device
-- The user can exit the web sign-in flow by pressing Ctrl+Alt+Delete to get back to the Windows lock screen
+### Known issues
+
+- If you attempt to sign in while the device is offline, you will receive the following message: *It doesn't look that you're connected to the Internet. Check your connection and try again.*. Selecting the *Back to sign-in* option doesn't bring you back to the lock screen. As a workaround, you can press Ctrl+Alt+Delete to get back to the lock screen.
+
+## Provide feedback
+
+To provide feedback for Windows Hello for Business passwordless experience, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passwordless experience**.
+[AAD-1]: /azure/active-directory/authentication/howto-authentication-passwordless-phone
+[AAD-2]: /azure/active-directory/authentication/concept-authentication-passwordless
+[AAD-3]: /azure/active-directory/authentication/howto-authentication-temporary-access-pass
[INT-1]: /mem/intune/configuration/custom-settings-windows-10
[KB-1]: https://support.microsoft.com/kb/5030310
-[WIN-4]: /windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname
-[AAD-1]: /azure/active-directory/authentication/howto-authentication-passwordless-phone
+[WIN-1]: /windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname
+[WIN-2]: /windows/client-management/mdm/policy-csp-admx-credentialproviders#defaultcredentialprovider
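Review bot: the new "Provide feedback" paragraph references `[FHUB]`, but no `[FHUB]:` definition is added in the reference block at the end of this hunk (only AAD-1 to AAD-3, WIN-1 and WIN-2), and none is visible in the context; unless it's already defined elsewhere in the file this renders as literal bracketed text rather than a link. The same paragraph says "feedback for Windows Hello for Business passwordless experience", which looks copied from the passwordless article; this article is about Web sign-in, so the sentence and the Feedback Hub category should name that feature. Two behavior changes in this hunk deserve explicit confirmation in the PR rather than a silent swap: the federated-identity tip flips from "Disable Windows Hello provisioning" to "Enable Windows Hello for Business", and the removed known-issues bullets ("Non-federated users can't sign-in to the devices, including local accounts" and "The Other user button is missing from the sign-in screen") are operationally significant for anyone enabling the provider; if they no longer apply, say so in the commit message, and if they still apply they belong under the new "Known issues" heading. Smaller points: the quoted offline message "It doesn't look that you're connected to the Internet" should be checked against the actual UI string (likely "doesn't look like"), and the sentence ends with a doubled period (".*."); "preferred Azure AD tenant name" uses the old product name while the intro says Microsoft Entra.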
diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md
index de30e1d815..fb7b1aa702 100644
--- a/windows/security/includes/sections/identity.md
+++ b/windows/security/includes/sections/identity.md
@@ -15,7 +15,7 @@ ms.topic: include
| **[Windows Hello for Business passwordless](/windows/security/identity-protection/hello-for-business/passwordless)** | Windows Hello for Business passwordless is a security policy that aims to create a more user-friendly experience for Microsoft Entra joined devices by eliminating the need for passwords in certain authentication scenarios. By enabling this policy, users will not be given the option to use a password in these scenarios, which helps organizations transition away from passwords over time. |
| **[Passkey](/windows/security/identity-protection/passkey)** | Passkeys provide a more secure and convenient method of logging into websites and applications that support them, compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can be unlocked using Windows Hello (biometrics or a PIN). Passkeys are designed to be used without the need for additional login challenges, making the authentication process faster and more convenient.|
| **[Security key (FIDO2)](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
-| **[Web sign-in](/windows/security/identity-protection/web-sign-in)** | Web sign-in is a credential provider initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in have been expanded. For example, users can sign-in to Windows using the Authenticator app or with a federated identity. |
+| **[Web sign-in](/windows/security/identity-protection/web-sign-in)** | Web sign-in is a credential provider initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in have been expanded. For example, users can sign-in to Windows using the Microsoft Authenticator app or with a federated identity. |
| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
| **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
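Review bot: in the changed Web sign-in row, "users can sign-in to Windows" uses the hyphenated noun form as a verb; it should read "users can sign in to Windows". This row also keeps "have been expanded" while the same sentence in index.md in this patch was changed to "are expanded"; keep the two in sync.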