Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20240423-spotlight

This commit is contained in:
Paolo Matarazzo
2024-04-24 11:56:42 -04:00
37 changed files with 685 additions and 860 deletions

View File

@ -229,6 +229,11 @@
"source_path": "education/windows/windows-editions-for-education-customers.md",
"redirect_url": "/education/windows",
"redirect_document_id": false
},
{
"source_path": "education/windows/configure-windows-for-education.md",
"redirect_url": "/education/windows",
"redirect_document_id": false
}
]
}

View File

@ -1,159 +0,0 @@
---
title: Windows 10 configuration recommendations for education customers
description: Learn how to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school.
ms.topic: how-to
ms.date: 08/10/2022
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Windows 10 configuration recommendations for education customers
Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md).
In Windows 10, version 1703 (Creators Update), it's straightforward to configure Windows to be education ready.
| Area | How to configure | What this area does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S |
| --- | --- | --- | --- | --- | --- |
| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This feature is already set | This feature is already set | The policy must be set |
| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This feature is already set | This feature is already set | The policy must be set |
| **Cortana** | **AllowCortana** | Disables Cortana </br></br> * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. |
| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This feature is already set | This feature is already set | The policy must be set |
| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) |
| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready </br></br> * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This feature is already set | This feature is already set | The policy must be set |
## Recommended configuration
It's easy to be education ready when using Microsoft products. We recommend the following configuration:
1. Use an Office 365 Education tenant.
With Office 365, you also have Microsoft Entra ID. To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
2. Activate Intune for Education in your tenant.
You can [sign up to learn more about Intune for Education](https://info.microsoft.com/US-WNDWS-CNTNT-FY17-01Jan-17-IntuneforEducationlandingpageandnurture292531_01Registration-ForminBody.html).
3. On PCs running Windows 10, version 1703:
1. Provision the PC using one of these methods:
* [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - The usage of this method will automatically set both **SetEduPolicies** to True and **AllowCortana** to False.
* [Provision PCs with a custom package created with Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False.
2. Join the PC to Microsoft Entra ID.
* Use Set up School PCs or Windows Configuration Designer to bulk enroll to Microsoft Entra ID.
* Manually Microsoft Entra join the PC during the Windows device setup experience.
3. Enroll the PCs in MDM.
* If you've activated Intune for Education in your Microsoft Entra tenant, enrollment will happen automatically when the PC is joined to Microsoft Entra ID. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False.
4. Ensure that needed assistive technology apps can be used.
* If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info.
4. Distribute the PCs to students.
Students sign in with their Azure AD/Office 365 identity, which enables single sign-on to Bing in Microsoft Edge, enabling an ad-free search experience with Bing in Microsoft Edge.
5. Ongoing management through Intune for Education.
You can set many policies through Intune for Education, including **SetEduPolicies** and **AllowCortana**, for ongoing management of the PCs.
## Configuring Windows
You can configure Windows through provisioning or management tools including industry standard MDM.
- Provisioning - A one-time setup process.
- Management - A one-time and/or ongoing management of a PC by setting policies.
You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready:
- [Set up School PCs](use-set-up-school-pcs-app.md)
- [Intune for Education](/intune-education/available-settings)
## AllowCortana
**AllowCortana** is a policy that enables or disables Cortana. It's a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana).
> [!NOTE]
> See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings.
Use one of these methods to set this policy.
### MDM
- Intune for Education automatically sets this policy in the **All devices** group policy configuration.
- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
- If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
For example, in Intune, create a new configuration policy and add an OMA-URI.
- OMA-URI: ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
- Data type: Integer
- Value: 0
### Group Policy
Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**.
### Provisioning tools
- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package)
- Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**.
## SetEduPolicies
**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It's a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp).
Use one of these methods to set this policy.
### MDM
- Intune for Education automatically sets this policy in the **All devices** group policy configuration.
- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
- If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
For example, in Intune, create a new configuration policy and add an OMA-URI.
- OMA-URI: ./Vendor/MSFT/SharedPC/SetEduPolicies
- Data type: Boolean
- Value: true
![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png)
### Group Policy
**SetEduPolicies** isn't natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc).
For example:
- Open PowerShell as an administrator and enter the following:
```
$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
$sharedPC.SetEduPolicies = $True
Set-CimInstance -CimInstance $sharedPC
Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass
```
### Provisioning tools
- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package)
- Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**.
![Set SetEduPolicies to True in Windows Configuration Designer.](images/wcd/setedupolicies.png)
## Ad-free search with Bing
Provide an ad-free experience that is a safer, more private search option for K12 education institutions in the United States.
### Configurations
<a name='azure-ad-and-office-365-education-tenant'></a>
#### Microsoft Entra ID and Office 365 Education tenant
To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps:
1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-viva-engage-87d1844e-aa47-4dc0-a61b-1b773fd4e590).
2. Domain join the Windows 10 PCs to your Microsoft Entra tenant (this tenant is the same as your Office 365 tenant).
3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
4. Have students sign in with their Microsoft Entra identity, which is the same as your Office 365 identity, to use the PC.
> [!NOTE]
> If you are verifying your Office 365 domain to prove education status (step 1 above), you may need to wait up to 7 days for the ad-free experience to take effect. Microsoft recommends not to roll out the browser to your students until that time.
#### Office 365 sign-in to Bing
To suppress ads only when the student signs into Bing with their Office 365 account in Microsoft Edge, follow these steps:
1. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
2. Have students sign into Bing with their Office 365 account.
## Related topics
[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)

Binary file not shown.

Before

Width:  |  Height:  |  Size: 25 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 83 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 60 KiB

View File

@ -32,7 +32,7 @@ You can use Internet Information Services' (IIS) network load balancing (NLB) to
Review the following articles to learn more about configuring IIS and NLB for computers running Windows Server operating systems:
* [Achieving High Availability and Scalability - ARR and NLB](https://www.iis.net/learn/extensions/configuring-application-request-routing-arr/achieving-high-availability-and-scalability-arr-and-nlb) describes how to configure IIS 7.0.
* [Achieving High Availability and Scalability - ARR and NLB](/iis/extensions/configuring-application-request-routing-arr/achieving-high-availability-and-scalability-arr-and-nlb) describes how to configure IIS 7.0.
* [Network load balancing overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831698(v=ws.11)) will tell you more about how to configure Microsoft Windows Server.
@ -88,13 +88,13 @@ Use the following steps to modify the connection string to include ```failover p
3. Modify the **MANAGEMENT\_SQL\_CONNECTION\_STRING** value with the ```failover partner = <server2>``` value.
4. Restart management service using the IIS console.
> [!NOTE]
>Database Mirroring is on the list of [deprecated database engine features in SQL Server 2012](<https://msdn.microsoft.com/library/ms143729(v=sql.110).aspx>) due to the **AlwaysOn** feature available starting with Microsoft SQL Server 2012.
>Database Mirroring is on the list of [deprecated database engine features in SQL Server 2012](/previous-versions/sql/sql-server-2012/ms143729(v=sql.110)) due to the **AlwaysOn** feature available starting with Microsoft SQL Server 2012.
Click any of the following links for more information:
For more information, see the following articles:
* [Prepare a mirror database for mirroring (SQL Server)](/sql/database-engine/database-mirroring/prepare-a-mirror-database-for-mirroring-sql-server).
* [Establish a database mirroring session using Windows Authentication (SQL Server Management Studio)](/sql/database-engine/database-mirroring/establish-database-mirroring-session-windows-authentication).
* [Deprecated database engine features in SQL Server 2012](<https://msdn.microsoft.com/library/ms143729(v=sql.110).aspx>).
* [Deprecated database engine features in SQL Server 2012](/previous-versions/sql/sql-server-2012/ms143729(v=sql.110)).
## Support for Microsoft SQL Server Always On configuration

View File

@ -6,7 +6,9 @@ ms.subservice: windows-copilot
ms.date: 03/21/2024
ms.author: mstewart
author: mestew
ms.collection: windows-copilot
ms.collection:
- windows-copilot
- magic-ai-copilot
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2 or later</a>
---

View File

@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by Group Policy
description: Learn about the policies in Policy CSP supported by Group Policy.
ms.date: 04/10/2024
ms.date: 04/23/2024
---
<!-- Auto-Generated CSP Document -->
@ -871,7 +871,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## WindowsAI
- [TurnOffWindowsCopilot](policy-csp-windowsai.md)
- [DisableAIDataAnalysis](policy-csp-windowsai.md)
## WindowsDefenderSecurityCenter

View File

@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 04/23/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,74 +9,10 @@ ms.date: 01/31/2024
<!-- WindowsAI-Begin -->
# Policy CSP - WindowsAI
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsAI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsAI-Editable-End -->
<!-- DisableAIDataAnalysis-Begin -->
## DisableAIDataAnalysis
<!-- DisableAIDataAnalysis-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- DisableAIDataAnalysis-Applicability-End -->
<!-- DisableAIDataAnalysis-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
```
<!-- DisableAIDataAnalysis-OmaUri-End -->
<!-- DisableAIDataAnalysis-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to prevent Windows AI from using and analyzing user patterns and data.
- If you enable this policy setting, Windows AI won't be able to take advantage of historical user patterns.
- If you disable or don't configure this policy setting, Windows AI will be able to assist users by considering their historical behaviors and data.
<!-- DisableAIDataAnalysis-Description-End -->
<!-- DisableAIDataAnalysis-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableAIDataAnalysis-Editable-End -->
<!-- DisableAIDataAnalysis-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableAIDataAnalysis-DFProperties-End -->
<!-- DisableAIDataAnalysis-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Enable Data Analysis for Windows AI. |
| 1 | Disable Data Analysis for Windows AI. |
<!-- DisableAIDataAnalysis-AllowedValues-End -->
<!-- DisableAIDataAnalysis-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisableAIDataAnalysis |
| Path | WindowsAI > AT > WindowsComponents > WindowsAI |
<!-- DisableAIDataAnalysis-GpMapping-End -->
<!-- DisableAIDataAnalysis-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableAIDataAnalysis-Examples-End -->
<!-- DisableAIDataAnalysis-End -->
<!-- TurnOffWindowsCopilot-Begin -->
## TurnOffWindowsCopilot

View File

@ -1,7 +1,7 @@
---
title: SurfaceHub CSP
description: Learn more about the SurfaceHub CSP.
ms.date: 01/18/2024
ms.date: 04/22/2024
---
<!-- Auto-Generated CSP Document -->
@ -65,6 +65,10 @@ The following list shows the SurfaceHub configuration service provider nodes:
- [MOMAgent](#momagent)
- [WorkspaceID](#momagentworkspaceid)
- [WorkspaceKey](#momagentworkspacekey)
- [MOMAgentGovtCloud](#momagentgovtcloud)
- [AzureCloudIndexGovtCloud](#momagentgovtcloudazurecloudindexgovtcloud)
- [WorkspaceIDGovtCloud](#momagentgovtcloudworkspaceidgovtcloud)
- [WorkspaceKeyGovtCloud](#momagentgovtcloudworkspacekeygovtcloud)
- [Properties](#properties)
- [AllowAutoProxyAuth](#propertiesallowautoproxyauth)
- [AllowSessionResume](#propertiesallowsessionresume)
@ -2011,6 +2015,162 @@ Primary key for authenticating with workspace. Will always return an empty strin
<!-- Device-MOMAgent-WorkspaceKey-End -->
<!-- Device-MOMAgentGovtCloud-Begin -->
## MOMAgentGovtCloud
<!-- Device-MOMAgentGovtCloud-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.4355] and later |
<!-- Device-MOMAgentGovtCloud-Applicability-End -->
<!-- Device-MOMAgentGovtCloud-OmaUri-Begin -->
```Device
./Vendor/MSFT/SurfaceHub/MOMAgentGovtCloud
```
<!-- Device-MOMAgentGovtCloud-OmaUri-End -->
<!-- Device-MOMAgentGovtCloud-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Device-MOMAgentGovtCloud-Description-End -->
<!-- Device-MOMAgentGovtCloud-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MOMAgentGovtCloud-Editable-End -->
<!-- Device-MOMAgentGovtCloud-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
<!-- Device-MOMAgentGovtCloud-DFProperties-End -->
<!-- Device-MOMAgentGovtCloud-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MOMAgentGovtCloud-Examples-End -->
<!-- Device-MOMAgentGovtCloud-End -->
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-Begin -->
### MOMAgentGovtCloud/AzureCloudIndexGovtCloud
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.4355] and later |
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-Applicability-End -->
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-OmaUri-Begin -->
```Device
./Vendor/MSFT/SurfaceHub/MOMAgentGovtCloud/AzureCloudIndexGovtCloud
```
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-OmaUri-End -->
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-Description-Begin -->
<!-- Description-Source-DDF -->
Enum value for Azure Clouds supported for OMS tracking in SurfaceHub.
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-Description-End -->
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-Editable-End -->
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Get, Replace |
| Default Value | 0 |
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-DFProperties-End -->
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-Examples-End -->
<!-- Device-MOMAgentGovtCloud-AzureCloudIndexGovtCloud-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-Begin -->
### MOMAgentGovtCloud/WorkspaceIDGovtCloud
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.4355] and later |
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-Applicability-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-OmaUri-Begin -->
```Device
./Vendor/MSFT/SurfaceHub/MOMAgentGovtCloud/WorkspaceIDGovtCloud
```
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-OmaUri-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-Description-Begin -->
<!-- Description-Source-DDF -->
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data for Govt Clouds. Set this to an empty string to disable the MOM agent.
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-Description-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-Editable-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get, Replace |
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-DFProperties-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-Examples-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceIDGovtCloud-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-Begin -->
### MOMAgentGovtCloud/WorkspaceKeyGovtCloud
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.4355] and later |
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-Applicability-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-OmaUri-Begin -->
```Device
./Vendor/MSFT/SurfaceHub/MOMAgentGovtCloud/WorkspaceKeyGovtCloud
```
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-OmaUri-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-Description-Begin -->
<!-- Description-Source-DDF -->
Primary key for authenticating with workspace for Govt Clouds. Will always return an empty string.
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-Description-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-Editable-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get, Replace |
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-DFProperties-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-Examples-End -->
<!-- Device-MOMAgentGovtCloud-WorkspaceKeyGovtCloud-End -->
<!-- Device-Properties-Begin -->
## Properties

View File

@ -1,7 +1,7 @@
---
title: SurfaceHub DDF file
description: View the XML file containing the device description framework (DDF) for the SurfaceHub configuration service provider.
ms.date: 01/18/2024
ms.date: 04/22/2024
---
<!-- Auto-Generated CSP Document -->
@ -12,11 +12,10 @@ The following XML file contains the device description framework (DDF) for the S
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<MSFT:Diagnostics>
</MSFT:Diagnostics>
<MSFT:Diagnostics />
<Node>
<NodeName>SurfaceHub</NodeName>
<Path>./Vendor/MSFT</Path>
@ -86,8 +85,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
<Node>
@ -110,8 +108,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
<Node>
@ -134,8 +131,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
<Node>
@ -158,8 +154,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
<Node>
@ -203,8 +198,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
<Node>
@ -227,8 +221,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
<Node>
@ -251,8 +244,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
<Node>
@ -534,8 +526,7 @@ The following XML file contains the device description framework (DDF) for the S
<MSFT:OsBuildVersion>10.0.15063</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
</Node>
@ -611,8 +602,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
<Node>
@ -753,8 +743,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
</Node>
@ -982,8 +971,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
</Node>
@ -1028,8 +1016,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
<Node>
@ -1522,8 +1509,7 @@ The following XML file contains the device description framework (DDF) for the S
<MSFT:OsBuildVersion>10.0.15063, 10.0.14393.969</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
<Node>
@ -1584,8 +1570,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
</Node>
@ -1633,8 +1618,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
<Node>
@ -1657,8 +1641,99 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>MOMAgentGovtCloud</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.19045.4355</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>WorkspaceIDGovtCloud</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data for Govt Clouds. Set this to an empty string to disable the MOM agent.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>WorkspaceKeyGovtCloud</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Primary key for authenticating with workspace for Govt Clouds.. Will always return an empty string.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AzureCloudIndexGovtCloud</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Enum value for Azure Clouds supported for OMS tracking in SurfaceHub.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
@ -1702,8 +1777,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
<Node>
@ -1726,8 +1800,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
</Node>
@ -1754,8 +1827,7 @@ The following XML file contains the device description framework (DDF) for the S
<MSFT:OsBuildVersion>10.0.17134, 10.0.16299.64</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
<Node>
<NodeName>LanProfile</NodeName>
@ -1777,8 +1849,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
<Node>
@ -1801,8 +1872,7 @@ The following XML file contains the device description framework (DDF) for the S
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:AllowedValues ValueType="None" />
</DFProperties>
</Node>
</Node>

View File

@ -1,47 +1,44 @@
---
title: Configure cellular settings for tablets and PCs
description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles.
title: Configure cellular settings
description: Learn how to provision cellular settings for devices with built-in modems or plug-in USB modem dongles.
ms.topic: concept-article
ms.date: 04/13/2018
ms.date: 04/23/2024
---
# Configure cellular settings for tablets and PCs
# Configure cellular settings
>**Looking for consumer information?** See [Cellular settings in Windows 10](https://support.microsoft.com/help/10739/windows-10-cellular-settings)
This article describes how to configure cellular settings for devices that have a cellular modem using a [provisioning package](../provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined in the provisioning package, without needing to connect manually.
Enterprises can configure cellular settings for tablets and PC that have built-in cellular modems or plug-in USB modem dongles and apply the settings in a [provisioning package](../provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined by the enterprise without needing to manually connect.
For users who work in different locations, you can configure one APN to connect when the users are at work and a different APN when the users are traveling.
For users who work in different locations, you can configure one APN to connect when the users are at work, and a different APN when the users are traveling.
## Prerequisites
- Windows 10, version 1703, desktop editions (Home, Pro, Enterprise, Education)
- Tablet or PC with built-in cellular modem or plug-in USB modem dongle
- Device with built-in cellular modem or plug-in USB modem dongle
- [Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md)
- APN (the address that your PC uses to connect to the Internet when using the cellular data connection)
- APN (the address that the device uses to connect to the Internet when using the cellular data connection)
## How to configure cellular settings in a provisioning package
1. In Windows Configuration Designer, [start a new project](../provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option.
1. Enter a name for your project, and then click **Next**.
1. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
1. Go to **Runtime settings > Connections > EnterpriseAPN**.
1. Enter a name for the connection, and then click **Add**.
1. In Windows Configuration Designer, [start a new project](../provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option
1. Enter a name for your project, and then select **Next**
1. Select **All Windows desktop editions**, select **Next**, and then select **Finish**
1. Go to **Runtime settings > Connections > EnterpriseAPN**
1. Enter a name for the connection, and then select **Add**
![Example of APN connection name.](images/apn-add.png)
1. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection.
1. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection
![settings for new connection.](images/apn-add-details.png)
1. The following table describes the settings available for the connection.
1. The following table describes the settings available for the connection
| Setting | Description |
| --- | --- |
| AlwaysOn | By default, the Connection Manager will automatically attempt to connect to the APN when a connection is available. You can disable this setting. |
| AlwaysOn | By default, the Connection Manager automatically attempts to connect to the APN when a connection is available. You can disable the setting. |
| APNName | Enter the name of the APN. |
| AuthType | You can select **None** (the default), or specify **Auto**, **PAP**, **CHAP**, or **MSCHAPv2** authentication. If you select PAP, CHAP, or MSCHAPv2 authentication, you must also enter a user name and password. |
| ClassId | This is a GUID that defines the APN class to the modem. This is only required when **IsAttachAPN** is **true** and the attach APN is not only used as the Internet APN. |
| ClassId | This is a GUID that defines the APN class to the modem. This is only required when **IsAttachAPN** is **true** and the attached APN isn't only used as the Internet APN. |
| Enabled | By default, the connection is enabled. You can change this setting. |
| IccId | This is the Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. |
| IPType | By default, the connection can use IPv4 and IPv6 concurrently. You can change this setting to only IPv4, only IPv6, or IPv6 with IPv4 provided by 46xlat. |
@ -55,22 +52,22 @@ For users who work in different locations, you can configure one APN to connect
## Confirm the settings
After you apply the provisioning package, you can confirm that the settings have been applied.
After you apply the provisioning package, you can confirm that the settings are applied.
1. On the configured device, open a command prompt as an administrator.
1. On the configured device, open a command prompt as an administrator
1. Run the following command:
```cmd
netsh mbn show profiles
```
1. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run:
1. The command lists the mobile broadband profiles. Using the **Name** for the listed mobile broadband profile, run:
```cmd
netsh mbn show profiles name="name"
```
This command will list details for that profile, including Access Point Name.
This command lists the details for that profile, including Access Point Name.
Alternatively, you can also use the command:
@ -84,4 +81,4 @@ From the results of that command, get the name of the cellular/mobile broadband
netsh mbn show connection interface="name"
```
The result of that command will show details for the cellular interface, including Access Point Name.
The result of that command shows the details for the cellular interface, including Access Point Name.

Binary file not shown.

Before

Width:  |  Height:  |  Size: 94 KiB

After

Width:  |  Height:  |  Size: 47 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 45 KiB

After

Width:  |  Height:  |  Size: 43 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 83 KiB

After

Width:  |  Height:  |  Size: 36 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 89 KiB

After

Width:  |  Height:  |  Size: 42 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 42 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 40 KiB

After

Width:  |  Height:  |  Size: 39 KiB

View File

@ -1,18 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Turn off Windows Copilot
This policy setting allows you to turn off Windows Copilot.
- If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either
- If you disable or don't configure this policy setting, users can use Copilot, if available
| | Path |
|--|--|
| **CSP** | `./User/Vendor/MSFT/Policy/Config/WindowsAI/`[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) |
| **GPO** | **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Copilot** |

View File

@ -49,6 +49,7 @@ Let's review the components of the Windows taskbar by dividing it into three are
1. The system tray, which displays icons like the pen menu, touch keyboard, virtual touchpad, and any application icons that are running in the background like OneDrive, Teams, or antivirus software
1. Quick Actions
1. Calendar
1. Action Center
1. Action center
1. Copilot
@ -73,7 +74,6 @@ Let's review the components of the Windows taskbar by dividing it into two areas
- The system tray, which displays icons like the pen menu, touch keyboard, virtual touchpad, power, network, volume, and any application icons that are running in the background like OneDrive, Teams, or antivirus software
- Calendar
- Action center
- Copilot
:::image type="content" source="images/taskbar-sections-10.png" alt-text="Screenshot of the Windows 11 taskbar with the two areas highlighted." border="false" lightbox="./images/taskbar-sections-10.png":::

View File

@ -37,7 +37,6 @@ Select one of the tabs to see the list of available settings:
|[Show additional calendar](#show-additional-calendar)|❌|✅|
|[Simplify Quick Settings Layout](#simplify-quick-settings-layout)|✅|✅|
|[Turn off automatic promotion of notification icons to the taskbar](#turn-off-automatic-promotion-of-notification-icons-to-the-taskbar)|❌|✅|
|[Turn off Windows Copilot](#turn-off-windows-copilot)|✅|✅|
::: zone-end
@ -62,7 +61,6 @@ Select one of the tabs to see the list of available settings:
|[Show additional calendar](#show-additional-calendar)|❌|✅|
|[Turn off automatic promotion of notification icons to the taskbar](#turn-off-automatic-promotion-of-notification-icons-to-the-taskbar)|❌|✅|
|[Turn off notification area cleanup](#turn-off-notification-area-cleanup)|❌|✅|
|[Turn off Windows Copilot](#turn-off-windows-copilot)|✅|✅|
::: zone-end
@ -109,8 +107,6 @@ Select one of the tabs to see the list of available settings:
[!INCLUDE [turn-off-notification-area-cleanup](includes/turn-off-notification-area-cleanup.md)]
::: zone-end
[!INCLUDE [turn-off-windows-copilot](includes/turn-off-windows-copilot.md)]
#### [:::image type="icon" source="../images/icons/touch.svg"::: **Taskbar behaviors**](#tab/actions)
::: zone pivot="windows-11"

View File

@ -1,6 +1,6 @@
---
title: Windows and cloud security
description: Get an overview of cloud security features in Windows
description: Get an overview of cloud security features in Windows.
ms.date: 08/02/2023
ms.topic: overview
author: paolomatarazzo
@ -9,7 +9,7 @@ ms.author: paoloma
# Windows and cloud security
Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere.

View File

@ -2,7 +2,7 @@
title: Configure Windows Hello for Business
description: Learn about the configuration options for Windows Hello for Business and how to implement them in your organization.
ms.topic: how-to
ms.date: 01/03/2024
ms.date: 04/23/2024
---
# Configure Windows Hello for Business

View File

@ -1,7 +1,7 @@
---
title: Dynamic lock
description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value.
ms.date: 02/29/2024
ms.date: 04/23/2024
ms.topic: how-to
---

View File

@ -1,7 +1,7 @@
---
title: Configure single sign-on (SSO) for Microsoft Entra joined devices
description: Learn how to configure single sign-on to on-premises resources for Microsoft Entra joined devices, using Windows Hello for Business.
ms.date: 12/30/2022
ms.date: 04/23/2024
ms.topic: how-to
---
@ -9,7 +9,7 @@ ms.topic: how-to
[!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)]
Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Microsoft Entra joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. As organizations transition resources to the cloud, some resources might remain on-premises, and Microsoft Entra joined devices might need to access them. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
> [!NOTE]
> These steps are not needed when using the cloud Kerberos trust model.
@ -25,14 +25,14 @@ Unlike Microsoft Entra hybrid joined devices, Microsoft Entra joined devices don
### CRL Distribution Point (CDP)
Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a *certificate revocation list* (CRL).\
Certificates issued by a certificate authority can be revoked. When a certificate authority revokes a certificate, it writes information about the certificate into a *certificate revocation list* (CRL).\
During certificate validation, Windows compares the current certificate with information in the CRL to determine if the certificate is valid.
![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png)
:::image type="content" source="images/aadj/Certificate-CDP.png" alt-text="Screenshot of a certificate's CDP property.":::
The preceding domain controller certificate shows a *CRL distribution point* (CDP) in Active Directory. The value in the URL begins with *ldap*. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Microsoft Entra joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the CRL. The authentication becomes a circular problem: the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
In the screenshot, the CDP property of the domain controller certificate shows an LDAP path. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Microsoft Entra joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the CRL. The authentication becomes a circular problem: the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
To resolve this issue, the CRL distribution point must be a location accessible by Microsoft Entra joined devices that doesn't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
To resolve this issue, the CRL distribution point must be a location accessible by Microsoft Entra joined devices that don't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
If your CRL distribution point doesn't list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first, in the list of distribution points.
@ -45,17 +45,18 @@ Certificate authorities write CDP information in certificates as they're issued.
#### Why does Windows need to validate the domain controller certificate?
Windows Hello for Business enforces the strict KDC validation security feature when authenticating from a Microsoft Entra joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on a Microsoft Entra joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
Windows Hello for Business enforces the *strict KDC validation* security feature when authenticating from a Microsoft Entra joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on a Microsoft Entra joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
- The domain controller has the private key for the certificate provided
- The root CA that issued the domain controller's certificate is in the device's *Trusted Root Certificate Authorities*
- Use the *Kerberos Authentication certificate template* instead of any other older template
- The domain controller's certificate has the *KDC Authentication* extended key usage (EKU)
- The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain
- The domain controller's certificate's signature hash algorithm is **sha256**
- The domain controller's certificate's public key is **RSA (2048 Bits)**
- The domain controller's certificate's signature hash algorithm is *sha256*
- The domain controller's certificate's public key is *RSA (2048 Bits)*
Authenticating from a Microsoft Entra hybrid joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the *KDC Authentication* EKU. If you're adding Microsoft Entra joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the *KDC Authentication* EKU.
> [!IMPORTANT]
> Authenticating from a Microsoft Entra hybrid joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the *KDC Authentication* EKU. If you're adding Microsoft Entra joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the *KDC Authentication* EKU.
## Configure a CRL distribution point for an issuing CA
@ -118,7 +119,7 @@ These procedures configure NTFS and share permissions on the web server to allow
1. In the **Advanced Sharing** dialog box, select **OK**
> [!Tip]
> Make sure that users can access **\\\Server FQDN\sharename**.
> Make sure that users can access `\\Server FQDN\sharename`.
### Disable Caching
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server)
@ -216,6 +217,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
1. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**
1. Select the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**
1. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK**
![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)
## Deploy the root CA certificate to Microsoft Entra joined devices

View File

@ -1,7 +1,7 @@
---
title: How Windows Hello for Business authentication works
description: Learn about the Windows Hello for Business authentication flows.
ms.date: 01/03/2024
ms.date: 04/23/2024
ms.topic: reference
---
# Windows Hello for Business authentication
@ -19,11 +19,11 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description |
| :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
|B | The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.|
|C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. Microsoft Entra ID then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
|B | The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.|
|C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. Microsoft Entra ID then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust
@ -31,7 +31,7 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description |
| :----: | :----------- |
|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller.
|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller.
|B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Microsoft Entra ID from a previous Microsoft Entra authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
## Microsoft Entra join authentication to Active Directory using a key
@ -40,9 +40,9 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description |
| :----: | :----------- |
|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
|B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
|B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
> [!NOTE]
> You might have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Microsoft Entra joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
@ -53,9 +53,9 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description |
| :----: | :----------- |
|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
|B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
|B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
> [!NOTE]
> You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
@ -66,11 +66,11 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description |
| :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.
|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Microsoft Entra ID.
|C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Microsoft Entra Kerberos and returns them to Cloud AP.
|D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After locating an active domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After locating an active domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
## Microsoft Entra hybrid join authentication using a key
@ -78,13 +78,13 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description |
| :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
> [!IMPORTANT]
> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
@ -95,13 +95,13 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description |
| :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
> [!IMPORTANT]
> In the above deployment model, a **newly provisioned** user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller.

View File

@ -1,7 +1,7 @@
---
title: How Windows Hello for Business provisioning works
description: Learn about the provisioning flows for Windows Hello for Business.
ms.date: 01/03/2024
ms.date: 04/23/2024
ms.topic: reference
appliesto:
---

View File

@ -1,7 +1,7 @@
---
title: How Windows Hello for Business works
description: Learn how Windows Hello for Business works, and how it can help you protect your organization.
ms.date: 01/09/2024
ms.date: 04/23/2024
ms.topic: concept-article
---
@ -78,7 +78,7 @@ All devices included in the Windows Hello for Business deployment must go throug
- For cloud and hybrid deployments, the identity provider is Microsoft Entra ID, and the device registers with the *Device Registration Service*
- For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the *Enterprise Device Registration Service* hosted on AD FS
When a device is registered, the IdP provides the device with an identity that is used to authenticate the device when a user signs-in.
When a device is registered, the IdP provides the device with an identity that is used to authenticate the device when a user signs in.
There are different registration types, which are identified as *join type*. For more information, see [What is a device identity][ENTRA-1].
@ -156,8 +156,8 @@ Access to the key material stored in the container, is enabled only by the PIN o
A container can contain several types of key material:
- An *authentication key*, which is always an asymmetric public-private key pair. This key pair is generated during registration. It must be unlocked each time it's accessed, by using either the user's PIN or a biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key is generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key
- One or multiple *user ID keys*. These keys can be either symmetric or asymmetric, depending on which IdP you use. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the user ID key or key pair can request access. User ID keys are used to sign or encrypt authentication requests or tokens sent from this device to the IdP. User ID keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Microsoft Entra accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IdP (which stores it for later verification), and securely stores the private key. For organizatrons, the user ID keys can be generated in two ways:
- The user ID key pair can be associated with an organization's Certificate Authority (CA). This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as VPN solutions, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the organization to store other certificates in the protected container. For example, certificates that allows the user to authenticate via RDP
- One or multiple *user ID keys*. These keys can be either symmetric or asymmetric, depending on which IdP you use. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the user ID key or key pair can request access. User ID keys are used to sign or encrypt authentication requests or tokens sent from this device to the IdP. User ID keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Microsoft Entra accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IdP (which stores it for later verification), and securely stores the private key. For organizations, the user ID keys can be generated in two ways:
- The user ID key pair can be associated with an organization's Certificate Authority (CA). This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as VPN solutions, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the organization to store other certificates in the protected container. For example, certificates that allow the user to authenticate via RDP
- The IdP can generate the user ID key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don't have or need a PKI
User ID keys are used to authenticate the user to a service. For example, by signing a nonce to prove possession of the private key, which corresponds to a registered public key. Users with an Active Directory, Microsoft Entra ID or Microsoft account have a key associated with their account. The key can be used to sign into their Windows device by authenticating to a domain controller (Active Directory scenario), or to the cloud (Microsoft Entra ID and MSA scenarios).

View File

@ -2,7 +2,7 @@
title: Windows Hello for Business overview
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
ms.topic: overview
ms.date: 01/03/2024
ms.date: 04/23/2024
---
# Windows Hello for Business

View File

@ -1,7 +1,7 @@
---
title: Multi-factor unlock
description: Learn how to configure Windows Hello for Business multi-factor unlock by extending Windows Hello with trusted signals.
ms.date: 01/03/2024
ms.date: 04/23/2024
ms.topic: how-to
---

View File

@ -1,7 +1,7 @@
---
title: PIN reset
description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN, and how to configure it.
ms.date: 01/03/2024
ms.date: 04/23/2024
ms.topic: how-to
---

View File

@ -2,7 +2,7 @@
title: Windows Hello for Business policy settings
description: Learn about the policy settings to configure Configure Windows Hello for Business.
ms.topic: reference
ms.date: 01/03/2024
ms.date: 04/23/2024
---
# Windows Hello for Business policy settings

View File

@ -1,7 +1,7 @@
---
title: Remote Desktop sign-in with Windows Hello for Business
description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
ms.date: 12/11/2023
ms.date: 04/23/2024
ms.topic: how-to
---

View File

@ -1,7 +1,7 @@
---
title: WebAuthn APIs
description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
ms.date: 07/27/2023
ms.date: 04/23/2024
ms.topic: how-to
---
# WebAuthn APIs for passwordless authentication on Windows

View File

@ -1,9 +1,10 @@
---
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 12/13/2023
ms.date: 04/23/2024
ms.topic: include
---
> [!NOTE]
> Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), will be deprecated for Microsoft Edge for Business and [will no longer be updated](/windows/whats-new/feature-lifecycle). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities.
> - Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), will be deprecated for Microsoft Edge for Business and [will no longer be updated](/windows/whats-new/feature-lifecycle). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities.
> - Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated [Windows Store app](https://apps.microsoft.com/detail/9N8GNLC8Z9C8) will not be available after May 2024. This affects the following browsers: [*Application Guard Extension - Chrome*](https://chromewebstore.google.com/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj) and [*Application Guard Extension - Firefox*](https://addons.mozilla.org/firefox/addon/application-guard-extension/). If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard).<!--8932292-->

View File

@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
ms.date: 03/25/2024
ms.date: 04/23/2024
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
@ -51,7 +51,7 @@ The features in this article are no longer being actively developed, and might b
| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits <!--8644149-->| Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. </br></br> TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
| Test Base <!--8790681--> | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
| Windows Mixed Reality <!--8412877--> | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta.Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates.</br> </br>This deprecation doesn't affect HoloLens. We remain committed to HoloLens and our enterprise customers. | December 2023 |
| Microsoft Defender Application Guard for Edge <!--8591267-->| [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. | December 2023 |
| Microsoft Defender Application Guard for Edge <!--8591267-->| [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. </br></br> **[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated [Windows Store app](https://apps.microsoft.com/detail/9N8GNLC8Z9C8) will not be available after May 2024. This affects the following browsers: [*Application Guard Extension - Chrome*](https://chromewebstore.google.com/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj) and [*Application Guard Extension - Firefox*](https://addons.mozilla.org/firefox/addon/application-guard-extension/). If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). <!--8932292-->| December 2023 |
| Legacy console mode <!-- 8577271 -->| The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 |
| Windows speech recognition <!--8396142-->| [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
| Microsoft Defender Application Guard for Office <!--8396036-->| [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated and will no longer be updated. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |