mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 05:47:23 +00:00
Merge branch 'master' into aljupudi-5358700-branch02
This commit is contained in: commit c0e0019c42
@ -284,7 +284,7 @@ ms.date: 10/08/2020
- [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol)
- [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression)
- [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification)
- ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption)
- [ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption)
- [ADMX_FileSys/EnablePagefileEncryption](./policy-csp-admx-filesys.md#admx-filesys-enablepagefileencryption)
- [ADMX_FileSys/LongPathsEnabled](./policy-csp-admx-filesys.md#admx-filesys-longpathsenabled)
- [ADMX_FileSys/ShortNameCreationSettings](./policy-csp-admx-filesys.md#admx-filesys-shortnamecreationsettings)
@ -299,6 +299,9 @@ ms.date: 10/08/2020
- [ADMX_FolderRedirection/LocalizeXPRelativePaths_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-2)
- [ADMX_FolderRedirection/PrimaryComputer_FR_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-1)
- [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2)
- [ADMX_FramePanes/NoReadingPane](./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane)
- [ADMX_FramePanes/NoPreviewPane](./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane)
- [ADMX_FTHSVC/WdiScenarioExecutionPolicy](./policy-csp-admx-fthsvc.md#admx-fthsvc-wdiscenarioexecutionpolicy)
- [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin)
- [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1)
- [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2)
@ -400,6 +403,7 @@ ms.date: 10/08/2020
- [ADMX_ICM/ShellRemovePublishToWeb_2](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-2)
- [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1)
- [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2)
- [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall)
- [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor)
- [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch)
- [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness)
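Review bot: `ADMX_HotSpotAuth/HotspotAuth_Enable` is missing from this list although the commit adds `policy-csp-admx-hotspotauth.md` and gives it its own section elsewhere. Alphabetically it belongs just above the `ADMX_ICM/...` context lines at the top of this hunk, in the same shape as the `ADMX_IIS/PreventIISInstall` line added here: `- [ADMX_HotSpotAuth/HotspotAuth_Enable](./policy-csp-admx-hotspotauth.md#admx-hotspotauth-hotspotauth_enable)` (the anchor matches the `id` used on the new page).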
@ -421,6 +425,7 @@ ms.date: 10/08/2020
- [ADMX_LanmanWorkstation/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-ciphersuiteorder)
- [ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enablehandlecachingforcafiles)
- [ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares)
- [ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy](./policy-csp-admx-leakdiagnostic.md#admx-leakdiagnostic-wdiscenarioexecutionpolicy)
- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio)
- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr)
- [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin)
@ -1761,4 +1766,4 @@ ms.date: 10/08/2020

## Related topics

[Policy CSP](policy-configuration-service-provider.md)
[Policy CSP](policy-configuration-service-provider.md)
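Review bot: the removed and the added `[Policy CSP](policy-configuration-service-provider.md)` lines are identical as rendered, so this hunk is a whitespace or end-of-line change only. Harmless, but it should be called out in the commit message so reviewers do not look for a content change here.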
@ -1218,6 +1218,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>

### ADMX_FramePanes policies
<dl>
<dd>
<a href="./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane" id="admx-framepanes-noreadingpane">ADMX_FramePanes/NoReadingPane</a>
</dd>
<dd>
<a href="./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane" id="admx-framepanes-nopreviewpane">ADMX_FramePanes/NoPreviewPane</a>
</dd>
<dl>

### ADMX_FTHSVC policies
<dl>
<dd>
<a href="./policy-csp-admx-fthsvc.md#admx-fthsvc-wdiscenarioexecutionpolicy" id="admx-fthsvc-wdiscenarioexecutionpolicy">ADMX_FTHSVC/WdiScenarioExecutionPolicy</a>
</dd>
<dl>

### ADMX_Help policies
<dl>
<dd>
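Review bot: both new blocks leave their list unclosed. The line after `</dd>` in the ADMX_FramePanes block and the line after `</dd>` in the ADMX_FTHSVC block read `<dl>` where `</dl>` is needed (compare the `</dl>` that precedes `### ADMX_Help policies` in the context lines). As written, the ADMX_FTHSVC and ADMX_Help lists are nested inside the FramePanes one.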
@ -1234,6 +1251,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>

### ADMX_HotSpotAuth policies
<dl>
<dd>
<a href="./policy-csp-admx-hotspotauth.md#admx-hotspotauth-hotspotauth_enable" id="admx-hotspotauth-hotspotauth_enable">ADMX_HotSpotAuth/HotspotAuth_Enable</a>
</dd>
</dl>

### ADMX_Globalization policies

<dl>
@ -1545,6 +1569,15 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>

### ADMX_IIS policies
<dl>
<dd>
<a href="./policy-csp-admx-iis.md#admx-iis-preventiisinstall
" id="admx-iis-preventiisinstall
">ADMX_IIS/PreventIISInstall</a>
</dd>
<dl>

### ADMX_kdc policies
<dl>
<dd>
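Review bot: the ADMX_IIS link is split over three source lines, so both the `href` and the `id` attribute values contain a line break and neither the `#admx-iis-preventiisinstall` link nor the in-page anchor will resolve. Join `<a href="./policy-csp-admx-iis.md#admx-iis-preventiisinstall`, `" id="admx-iis-preventiisinstall` and `">ADMX_IIS/PreventIISInstall</a>` into one line, as in the ADMX_FTHSVC block. The `<dl>` after `</dd>` should also be `</dl>`, otherwise the ADMX_kdc list opens inside this one.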
@ -1626,6 +1659,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>

### ADMX_LeakDiagnostic policies
<dl>
<dd>
<a href="./policy-csp-admx-leakdiagnostic.md#admx-leakdiagnostic-wdiscenarioexecutionpolicy" id="admx-leakdiagnostic-wdiscenarioexecutionpolicy">ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy</a>
</dd>
<dl>

### ADMX_LinkLayerTopologyDiscovery policies
<dl>
<dd>
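Review bot: the `<dl>` after `</dd>` at the end of the ADMX_LeakDiagnostic block should be `</dl>`; as written, the ADMX_LinkLayerTopologyDiscovery list that follows opens inside an unclosed list.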
193
windows/client-management/mdm/policy-csp-admx-framepanes.md
Normal file
@ -0,0 +1,193 @@
---
title: Policy CSP - ADMX_FramePanes
description: Policy CSP - ADMX_FramePanes
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.date: 09/14/2021
ms.reviewer:
manager: dansimp
---

# Policy CSP - ADMX_FramePanes
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.

<hr/>

<!--Policies-->
## ADMX_FramePanes policies

<dl>
<dd>
<a href="#admx-framepanes-noreadingpane">ADMX_FramePanes/NoReadingPane</a>
</dd>
<dd>
<a href="#admx-framepanes-nopreviewpane">ADMX_FramePanes/NoPreviewPane</a>
</dd>
</dl>


<hr/>

<!--Policy-->
<a href="" id="admx-framepanes-noreadingpane"></a>**ADMX_FramePanes/NoReadingPane**
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>

<!--/SupportedSKUs-->
<hr/>

<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):

> [!div class = "checklist"]
> * User

<hr/>

<!--/Scope-->
<!--Description-->
This policy setting shows or hides the Details Pane in File Explorer.

- If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user.

- If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user.

> [!NOTE]
> This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed at the same time.

- If you disable, or do not configure this policy setting, the Details Pane is hidden by default and can be displayed by the user.

This is the default policy setting.

<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).

<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn on or off details pane*
- GP name: *NoReadingPane*
- GP path: *Windows Components\File Explorer\Explorer Frame Pane*
- GP ADMX file name: *FramePanes.admx*

<!--/ADMXBacked-->
<!--/Policy-->
<hr/>

<!--Policy-->
<a href="" id="admx-framepanes-nopreviewpane"></a>**ADMX_FramePanes/NoPreviewPane**

<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>

<!--/SupportedSKUs-->
<hr/>

<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):

> [!div class = "checklist"]
> * User

<hr/>

<!--/Scope-->
<!--Description-->
Hides the Preview Pane in File Explorer.

- If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user.

- If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user.

<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).

<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off Preview Pane*
- GP name: *NoPreviewPane*
- GP path: *Windows Components\File Explorer\Explorer Frame Pane*
- GP ADMX file name: *FramePanes.admx*

<!--/ADMXBacked-->
<!--/Policy-->

> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.

<!--/Policies-->
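Review bot: both policy sections on this page close a block that was never opened. `<!--/SupportedSKUs-->` follows each edition table, but the `<!--SupportedSKUs-->` opener that the other new pages in this commit place between the policy anchor and `<table>` is missing for `ADMX_FramePanes/NoReadingPane` and `ADMX_FramePanes/NoPreviewPane` alike; add it in both places. Minor: the closing `> [!NOTE]` follows `<!--/Policy-->` directly, without the `<hr/>` the other new pages put there.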
116
windows/client-management/mdm/policy-csp-admx-fthsvc.md
Normal file
@ -0,0 +1,116 @@
---
title: Policy CSP - ADMX_FTHSVC
description: Policy CSP - ADMX_FTHSVC
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.date: 09/15/2021
ms.reviewer:
manager: dansimp
---

# Policy CSP - ADMX_FTHSVC
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.

<hr/>

<!--Policies-->
## ADMX_FTHSVC policies

<dl>
<dd>
<a href="#admx-fthsvc-wdiscenarioexecutionpolicy">ADMX_FTHSVC/WdiScenarioExecutionPolicy</a>
</dd>
</dl>

<hr/>

<!--Policy-->
<a href="" id="admx-fthsvc-wdiscenarioexecutionpolicy"></a>**ADMX_FTHSVC/WdiScenarioExecutionPolicy**

<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>

<!--/SupportedSKUs-->
<hr/>

<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):

> [!div class = "checklist"]
> * Machine

<hr/>

<!--/Scope-->
<!--Description-->
This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems.

- If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems.

- If you disable this policy setting, Windows cannot detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS.
If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.
This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed.
The DPS can be configured with the Services snap-in to the Microsoft Management Console.
No system restart or service restart is required for this policy setting to take effect: changes take effect immediately.

<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).

<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Scenario Execution Level*
- GP name: *WdiScenarioExecutionPolicy*
- GP path: *System\Troubleshooting and Diagnostics\Fault Tolerant Heap*
- GP ADMX file name: *FTHSVC.admx*

<!--/ADMXBacked-->
<!--/Policy-->

<hr/>

> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->
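Review bot: in the description, the lines from `If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default.` through `No system restart or service restart is required...` have no blank line between them, so markdown will run them, and the `- If you disable this policy setting...` bullet above them, together into a single paragraph. Separate them with blank lines, and either make `If you do not configure...` a bullet like the enable and disable cases or turn all three outcomes into plain paragraphs, so the three cases read consistently.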
115
windows/client-management/mdm/policy-csp-admx-hotspotauth.md
Normal file
@ -0,0 +1,115 @@
---
title: Policy CSP - ADMX_HotSpotAuth
description: Policy CSP - ADMX_HotSpotAuth
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.date: 09/15/2021
ms.reviewer:
manager: dansimp
---

# Policy CSP - ADMX_HotSpotAuth
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.

<hr/>

<!--Policies-->
## ADMX_HotSpotAuth policies

<dl>
<dd>
<a href="#admx-hotspotauth-hotspotauth_enable">ADMX_HotSpotAuth/HotspotAuth_Enable</a>
</dd>
</dl>

<hr/>

<!--Policy-->
<a href="" id="admx-hotspotauth-hotspotauth_enable"></a>**ADMX_HotSpotAuth/HotspotAuth_Enable**

<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>

<!--/SupportedSKUs-->
<hr/>

<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):

> [!div class = "checklist"]
> * Machine

<hr/>

<!--/Scope-->
<!--Description-->
This policy setting defines whether WLAN hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol support.

- If a WLAN hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network.

- If authentication is successful, users will be connected automatically on subsequent attempts. Credentials can also be configured by network operators.

- If you enable this policy setting, or if you do not configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support.

- If you disable this policy setting, WLAN hotspots are not probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser.

<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).

<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Hotspot Authentication*
- GP name: *HotspotAuth_Enable*
- GP path: *Network\Hotspot Authentication*
- GP ADMX file name: *HotSpotAuth.admx*

<!--/ADMXBacked-->
<!--/Policy-->

<hr/>

> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->
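Review bot: `WISPR` in `...WLAN hotspots are automatically probed for WISPR protocol support.` should be `WISPr`, matching the three other mentions on the page. The first two bullets (`If a WLAN hotspot supports the WISPr protocol...` and `If authentication is successful...`) describe how the feature behaves rather than an enable or disable outcome; they read better as a paragraph before the list than as items alongside the `If you enable` and `If you disable` cases.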
113
windows/client-management/mdm/policy-csp-admx-iis.md
Normal file
@ -0,0 +1,113 @@
---
title: Policy CSP - ADMX_IIS
description: Policy CSP - ADMX_IIS
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.date: 09/17/2021
ms.reviewer:
manager: dansimp
---

# Policy CSP - ADMX_IIS
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.

<hr/>

<!--Policies-->
## ADMX_IIS policies

<dl>
<dd>
<a href="#admx-iis-preventiisinstall">ADMX_IIS/PreventIISInstall</a>
</dd>
</dl>

<hr/>

<!--Policy-->
<a href="" id="admx-iis-preventiisinstall"></a>**ADMX_IIS/PreventIISInstall**

<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>

<!--/SupportedSKUs-->
<hr/>

<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):

> [!div class = "checklist"]
> * Machine

<hr/>

<!--/Scope-->
<!--Description-->
This policy setting prevents installation of Internet Information Services (IIS) on this computer.

- If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting.

Enabling this setting will not have any effect on IIS if IIS is already installed on the computer.

- If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run."

<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).

<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Prevent IIS installation*
- GP name: *PreventIISInstall*
- GP path: *Windows Components\Internet Information Services*
- GP ADMX file name: *IIS.admx*

<!--/ADMXBacked-->
<!--/Policy-->

<hr/>

> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->
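Review bot: stray trailing quotation mark at the end of `...as well as all the programs and applications that require IIS to run."`; drop it. The sentence `Enabling this setting will not have any effect on IIS if IIS is already installed on the computer.` is worth keeping where it is, since it tells the reader the policy is a preventive control only and says nothing about existing installations.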
123
windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md
Normal file
@ -0,0 +1,123 @@
---
title: Policy CSP - ADMX_LeakDiagnostic
description: Policy CSP - ADMX_LeakDiagnostic
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.date: 09/17/2021
ms.reviewer:
manager: dansimp
---

# Policy CSP - ADMX_LeakDiagnostic
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.

<hr/>

<!--Policies-->
## ADMX_LeakDiagnostic policies

<dl>
<dd>
<a href="#admx-leakdiagnostic-wdiscenarioexecutionpolicy">ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy</a>
</dd>
</dl>


<hr/>

<!--Policy-->
<a href="" id="admx-leakdiagnostic-wdiscenarioexecutionpolicy"></a>**ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy**

<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>

<!--/SupportedSKUs-->
<hr/>

<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):

> [!div class = "checklist"]
> * Machine

<hr/>

<!--/Scope-->
<!--Description-->
This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.

- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.

- If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message.

No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.

This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed.

The DPS can be configured with the Services snap-in to the Microsoft Management Console.

> [!NOTE]
> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed.

<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).

<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure custom alert text*
- GP name: *WdiScenarioExecutionPolicy*
- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic*
- GP ADMX file name: *LeakDiagnostic.admx*

<!--/ADMXBacked-->
<!--/Policy-->
<hr/>

<!--Policies-->

> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.

<!--/Policies-->
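Review bot: the policy body does not match its ADMX metadata. The description (`substitutes custom alert text in the disk diagnostic message...`, a 512-character limit, and `only takes effect if the Disk Diagnostic scenario policy setting is enabled`) and the name `Configure custom alert text` describe an alert-text override, while the GP name is `WdiScenarioExecutionPolicy`, which on the ADMX_FTHSVC page in this same commit is `Configure Scenario Execution Level`, and the ADMX file is `LeakDiagnostic.admx` paired with a `Disk Diagnostic` path. Please verify the description, friendly name and path against the `WdiScenarioExecutionPolicy` entry in LeakDiagnostic.admx before this ships. Two smaller points: `GP English name:` should be `GP Friendly name:` as on the other four new pages, and the second `<!--Policies-->` just before the closing `> [!NOTE]` duplicates the opener at the top of the file and should be removed, since `<!--/Policies-->` already closes the first one.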
File diff suppressed because it is too large
@ -491,6 +491,10 @@ items:
href: policy-csp-admx-filesys.md
- name: ADMX_FolderRedirection
href: policy-csp-admx-folderredirection.md
- name: ADMX_FramePanes
href: policy-csp-admx-framepanes.md
- name: ADMX_FTHSVC
href: policy-csp-admx-fthsvc.md
- name: ADMX_Globalization
href: policy-csp-admx-globalization.md
- name: ADMX_GroupPolicy
@ -501,6 +505,8 @@ items:
href: policy-csp-admx-helpandsupport.md
- name: ADMX_ICM
href: policy-csp-admx-icm.md
- name: ADMX_IIS
href: policy-csp-admx-iis.md
- name: ADMX_kdc
href: policy-csp-admx-kdc.md
- name: ADMX_Kerberos
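Review bot: the TOC gains entries for ADMX_FramePanes, ADMX_FTHSVC, ADMX_IIS and ADMX_LeakDiagnostic but none for the ADMX_HotSpotAuth page this commit also adds, so that page will be unreachable from navigation. It belongs between `href: policy-csp-admx-helpandsupport.md` and `- name: ADMX_ICM` in this hunk, as `- name: ADMX_HotSpotAuth` with `href: policy-csp-admx-hotspotauth.md`.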
@ -509,6 +515,8 @@ items:
href: policy-csp-admx-lanmanserver.md
- name: ADMX_LanmanWorkstation
href: policy-csp-admx-lanmanworkstation.md
- name: ADMX_LeakDiagnostic
href: policy-csp-admx-leakdiagnostic.md
- name: ADMX_LinkLayerTopologyDiscovery
href: policy-csp-admx-linklayertopologydiscovery.md
- name: ADMX_Logon
@ -1,6 +1,6 @@
---
title: Multi-factor Unlock
description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals.
description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
ms.prod: w10
ms.mktglfcycl: deploy
@ -19,17 +19,19 @@ ms.reviewer:
|
||||
# Multi-factor Unlock
|
||||
|
||||
**Applies to:**
|
||||
- Windows 10
- Windows 10
- Windows 11
**Requirements:**
* Windows Hello for Business deployment (Hybrid or On-premises)
* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
* Windows 10, version 1709 or newer
* Windows 10, version 1709 or newer, or Windows 11
* Bluetooth, Bluetooth capable phone - optional
Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices.
Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices.
Which organizations can take advantage of Multi-factor unlock? Those who:
* Have expressed that PINs alone do not meet their security needs.
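Review bot: "Administrators can configure their Windows to request a combination of factors and trusted signals" reads awkwardly after the rewrite; suggest "Administrators can configure Windows 10 and Windows 11 to request ..." or simply "configure Windows to request ...". The new Requirements bullet ("Windows 10, version 1709 or newer, or Windows 11") is fine, but the later sections of this file edited below still cite only Windows 10 versions, so the page is not yet internally consistent.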
@ -92,13 +94,13 @@ You represent signal rules in XML. Each signal rule has an starting and ending
```
### Signal element
Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.
Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 or later supports the **ipConfig** and **bluetooth** type values.
|Attribute|Value|
|---------|-----|
| type| "bluetooth" or "ipConfig" (Windows 10, version 1709)|
| type| "wifi" (Windows 10, version 1803)
| type| "bluetooth" or "ipConfig" (Windows 10, version 1709) or later|
| type| "wifi" (Windows 10, version 1803 or later)
#### Bluetooth
You define the bluetooth signal with additional attributes in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>".
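Review bot: in the rewritten table row `| type| "bluetooth" or "ipConfig" (Windows 10, version 1709) or later|` the "or later" landed outside the parentheses, so it reads as if "or later" were another type value; it should be `(Windows 10, version 1709 or later)`, as the wifi row below does. The wifi row is also still missing its closing `|`, which is worth fixing while the table is being touched.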
@ -133,7 +135,7 @@ The **classofDevice** attribute defaults to Phone and uses the values from the f
|Health|2304|
|Uncategorized|7936|
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
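Review bot: the rewritten rssiMaxDelta sentence carries over two grammar slips from the old line: "which instruct Windows to lock the device" should be "which instructs Windows to lock the device", and "weakens by more than measurement of 10" should be "weakens by more than a measurement of 10"; since the line is being edited anyway, fix both here.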
@ -220,7 +222,7 @@ The fully qualified domain name of your organization's internal DNS suffix where
#### Wi-Fi
**Applies to:**
- Windows 10, version 1803
- Windows 10, version 1803 or later
You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements.
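Review bot: the Wi-Fi "Applies to" list now reads "Windows 10, version 1803 or later" but does not mention Windows 11, although this same change adds "- Windows 11" to the page-level Applies to list above; either add a "- Windows 11" bullet here as well or make it explicit that "or later" includes Windows 11.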
@ -322,7 +324,7 @@ This example configures the same as example 2 using compounding And elements. T
```
#### Example 4
This example configures Wi-Fi as a trusted signal (Windows 10, version 1803)
This example configures Wi-Fi as a trusted signal (Windows 10, version 1803 or later)
```xml
<rule schemaVersion="1.0">
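Review bot: "This example configures Wi-Fi as a trusted signal (Windows 10, version 1803 or later)" still lacks a terminating period after the closing parenthesis; add it while the line is being edited.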
@ -343,11 +345,10 @@ This example configures Wi-Fi as a trusted signal (Windows 10, version 1803)
### How to configure Multifactor Unlock policy settings
You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709.
You need at least a Windows 10, version 1709 or later workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1709 or later.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
### Create the Multifactor Unlock Group Policy object
The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed.
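Review bot: "You need at least a Windows 10, version 1709 or later workstation" is doubly qualified, since "at least" and "or later" say the same thing; drop one ("You need a Windows 10, version 1709 or later workstation"). The unchanged paragraph that follows still says "you can create copy the .ADMX and .ADML files from a Windows 10, version 1703", which is both a typo ("create copy") and an older version than the 1709 requirement just stated; consider fixing it in the same pass.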
@ -1,6 +1,6 @@
---
title: Azure Active Directory join cloud only deployment
description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 device.
description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device.
keywords: identity, Hello, Active Directory, cloud,
ms.prod: w10
ms.mktglfcycl: deploy
@ -20,7 +20,7 @@ ms.reviewer:
## Introduction
When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
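Review bot: "When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device" uses the product name as a verb, which is hard to parse, and this edit was an opportunity to fix it; suggest "When you join a Windows 10 or Windows 11 device to Azure Active Directory (Azure AD)".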
@ -20,7 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 10, version 1703 or later, or Windows 11
- Windows Server, versions 2016 or later
- Hybrid or On-Premises deployment
- Key trust
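Review bot: this Applies to list folds Windows 11 into the existing bullet ("Windows 10, version 1703 or later, or Windows 11"), whereas the other pages in this change add Windows 11 as its own "- Windows 11" bullet; pick one style for the whole set, preferably the separate bullet, so the lists stay scannable and easy to update.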
@ -32,7 +32,7 @@ ms.reviewer:
How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 and above includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged.
Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 or later domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers and above. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller.
Windows 10 or Windows 11 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 or later domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers and above. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller.
Determining an adequate number of Windows Server domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding a domain controller that supports public key mapping (in this case Windows Server 2016 or later) to a deployment of existing domain controllers which do not support public key mapping (Windows Server 2008R2, Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario:
@ -1,5 +1,5 @@
---
title: Windows Hello and password changes (Windows 10)
title: Windows Hello and password changes (Windows)
description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55
ms.reviewer:
@ -19,7 +19,9 @@ ms.date: 07/27/2017
# Windows Hello and password changes
**Applies to**
- Windows 10
- Windows 10
- Windows 11
When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
@ -1,5 +1,5 @@
---
title: Windows Hello biometrics in the enterprise (Windows 10)
title: Windows Hello biometrics in the enterprise (Windows)
description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc
ms.reviewer:
@ -21,7 +21,9 @@ ms.date: 01/12/2021
# Windows Hello biometrics in the enterprise
**Applies to:**
- Windows 10
- Windows 10
- Windows 11
Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
@ -1,6 +1,6 @@
---
title: Prepare & Deploy Windows AD FS certificate trust (Windows Hello for Business)
description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business)
description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
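Review bot: the new description "Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) ..." capitalizes two verbs mid-sentence; use "Learn how to prepare and deploy ...". The title change from "&" to "and" is fine and matches the page heading.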
@ -16,11 +16,12 @@ localizationpriority: medium
ms.date: 01/14/2021
ms.reviewer:
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Certificate trust
@ -123,7 +124,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
8. Click **Next** on the **Active Directory Federation Service** page.
9. Click **Install** to start the role installation.
## Review
## Review & validate
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
@ -265,7 +266,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Th
3. In the details pane, click **Configure Device Registration**.
4. In the **Configure Device Registration** dialog, click **OK**.
## Review
## Review to validate
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
* Confirm you followed the correct procedures based on the domain controllers used in your deployment.
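Review bot: this file now has two differently worded review headings, "## Review & validate" in the earlier hunk and "## Review to validate" here; "Review to validate" is not idiomatic, and two headings that introduce the same kind of checklist should use the same text (for example "## Review and validate" in both places).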
@ -16,15 +16,17 @@ localizationpriority: medium
ms.date: 08/20/2018
ms.reviewer:
---
# Configure Windows Hello for Business Policy settings
# Configure Windows Hello for Business Policy settings - Certificate Trust
**Applies to**
- Windows 10, version 1703 or later
- On-premises deployment
- Certificate trust
You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Certificate trust
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings:
* Enable Windows Hello for Business
@ -116,9 +118,9 @@ The default Windows Hello for Business enables users to enroll and use biometric
### PIN Complexity
PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
* Require digits
* Require lowercase letters
* Maximum PIN length
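Review bot: the rewritten PIN complexity paragraph carries over the garbled phrase "you can deploy Group Policy to provide to accomplish a variety of configurations"; "to provide" is a leftover from an earlier edit, so the clause should read "you can deploy Group Policy to accomplish a variety of configurations". Since the line is already being changed from "Windows 10" to "Windows", fix it in the same hunk.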
@ -16,13 +16,14 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Validate Active Directory prerequisites
# Validate Active Directory prerequisites for cert-trust deployment
**Applies to**
- Windows 10, version 1703 or later
- On-premises deployment
- Certificate trust
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Certificate trust
The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps.
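Review bot: the new heading suffix "for cert-trust deployment" differs from the " - Certificate Trust" suffix used on the other headings renamed in this change (for example "Configure Windows Hello for Business Policy settings - Certificate Trust"); use one form, spelled out, so the set of certificate-trust pages is recognizable in navigation and search.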
@ -16,19 +16,20 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Validate and Deploy Multi-factor Authentication (MFA)
# Validate and Deploy Multifactor Authentication (MFA)
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Certificate trust
Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
Windows Hello for Business requires all users perform multifactor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
## Follow the Windows Hello for Business on premises certificate trust deployment guide
1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
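Review bot: this hunk standardizes on "multifactor" in the heading and both paragraphs, but the Multi-factor Unlock page edited earlier in this same change keeps "multi-factor" in its title and body; if the unhyphenated form is the new house style, apply it across the change, otherwise leave this page's spelling alone. The unchanged context line "For creating a custom authentication method see [...]" also still lacks its terminal period.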
@ -16,12 +16,14 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Validate and Configure Public Key Infrastructure
# Validate and Configure Public Key Infrastructure - Certificate Trust Model
**Applies to**
- Windows 10, version 1703 or later
- On-premises deployment
- Certificate trust
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Certificate trust
Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
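Review bot: the heading suffix " - Certificate Trust Model" introduces a third variant alongside " - Certificate Trust" and "for cert-trust deployment" used on the other headings renamed in this change; settle on one suffix for the whole certificate-trust page set so the headings line up in the TOC and in search results.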
@ -94,7 +96,7 @@ The certificate template is configured to supersede all the certificate template
### Configure an Internal Web Server Certificate template
Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
Windows 10 or Windows 11 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Certificate trust
@ -21,6 +21,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
@ -41,7 +42,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme
- Proper name resolution, both internal and external names
- Active Directory and an adequate number of domain controllers per site to support authentication
- Active Directory Certificate Services 2012 or later
- One or more workstation computers running Windows 10, version 1703
- One or more workstation computers running Windows 10, version 1703 or later
If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
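Review bot: the baseline requirement now reads "One or more workstation computers running Windows 10, version 1703 or later", yet the Applies to list in the earlier hunk of this file gained "- Windows 11"; add Windows 11 here too (for example "running Windows 10, version 1703 or later, or Windows 11") so the infrastructure requirements match the Applies to section.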
@ -27,16 +27,17 @@ Applies to:
- Azure AD joined deployments
- Windows 10, version 1803 and later
- Windows 11
PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will shows a page with the error message "We can't open that page right now".
### Identifying Azure AD joined PIN Reset Allowed Domains Issue
The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multi-factor authentication.
The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multifactor authentication.
In federated environments authentication may be configured to route to AD FS or a third party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list.
In federated environments authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list.
If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allow list. This results in "We can't open that page right now".
If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allowlist. This results in "We can't open that page right now".
### Resolving Azure AD joined PIN Reset Allowed Domains Issue
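Review bot: "allow list" is changed to "allowlist" in the Azure US Government paragraph, but the federated-environment paragraph edited in the same hunk still says "included in an allow list"; use one spelling in both. The unchanged intro context line also has "it will shows a page with the error message" (should be "it will show a page"), which could be fixed in the same pass.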
@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Key trust
@ -22,6 +22,7 @@ ms.reviewer:
**Applies To**
- Windows 10, version 1703 or later
- Windows 11
- Hybrid deployment
- Key trust
@ -1,5 +1,5 @@
---
title: Windows Hello errors during PIN creation (Windows 10)
title: Windows Hello errors during PIN creation (Windows)
description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step.
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
ms.reviewer:
@ -21,7 +21,9 @@ ms.date: 05/05/2018
# Windows Hello errors during PIN creation
**Applies to**
- Windows 10
- Windows 10
- Windows 11
When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
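Review bot: the title was generalized to "(Windows)" and "- Windows 11" added to Applies to, but the unchanged body sentence "When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step" (and the front-matter description in the earlier hunk of this file) still say Windows 10 only; update them to "Windows 10 or Windows 11" or drop the version so the page does not contradict its own Applies to list.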
@ -1,5 +1,5 @@
---
title: Event ID 300 - Windows Hello successfully created (Windows 10)
title: Event ID 300 - Windows Hello successfully created (Windows)
description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04
ms.reviewer:
@ -21,19 +21,21 @@ ms.date: 07/27/2017
# Event ID 300 - Windows Hello successfully created
**Applies to**
- Windows 10
- Windows 10
- Windows 11
This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.
## Event details
| **Product:** | Windows 10 operating system |
| **Product:** | Windows 10 or Windows 11 operating system |
|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Log:** | Event Viewer > Applications and Service Logs\Microsoft\Windows\User Device Registration\Admin |
| **ID:** | 300 |
| **Source:** | Microsoft Azure Device Registration Service |
| **Version:** | 10 |
| **Version:** | 10 or 11 |
| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da.</br>Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} |
## Resolve
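Review bot: the "Version" row is changed from "10" to "10 or 11", but every other row in this table (Log, ID, Source, Message) documents a property of the event record itself, so "Version" most likely is the event's own version field as written by the provider rather than the operating system version; if so, "10 or 11" is wrong and the row should stay "10". Confirm what the field means before changing it; the Product row is the one that carries the Windows 11 update.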
|
||||
|
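Review bot: the "Version" row is changed from "10" to "10 or 11" without saying whether "Version" means the OS version or the event's schema version; if it is the event version, the edit is wrong and the row should stay "10", with OS coverage left to the "Product" row. Separately, the unchanged "Message" row uses `</br>`, which is not a valid tag; use `<br>`.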
@ -23,7 +23,7 @@ ms.reviewer:
|
||||
|
||||
* Hybrid and On-premises Windows Hello for Business deployments
|
||||
* Enterprise joined or Hybrid Azure joined devices
|
||||
* Windows 10, version 1709
|
||||
* Windows 10, version 1709 or later
|
||||
* Certificate trust
|
||||
|
||||
> [!NOTE]
|
||||
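Review bot: this requirements list changes "Windows 10, version 1709" to "Windows 10, version 1709 or later" but, unlike the other pages in this commit, does not add an explicit "* Windows 11" item, so Windows 11 support is only implied. Also, "Hybrid Azure joined devices" in the unchanged line above should read "Hybrid Azure AD joined devices", the term used elsewhere in this commit.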
@ -34,12 +34,12 @@ ms.reviewer:
|
||||
|
||||
Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.
|
||||
|
||||
By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
|
||||
By design, Windows does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
|
||||
|
||||
With this setting, administrative users can sign in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
|
||||
With this setting, administrative users can sign in to Windows 10, version 1709 or later using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
|
||||
> You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
|
||||
|
||||
## Configure Windows Hello for Business Dual Enrollment
|
||||
|
||||
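Review bot: in the rewritten sentence "work flow" should be "workflow", and "Windows 10, version 1709 or later" sits beside paragraphs that were just changed to plain "Windows"; pick one form for the page. The framing of the setting is otherwise right: it exposes every enrolled credential to any user of the device, which is why the next section scopes the GPO to computers used by privileged users.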
@ -69,7 +69,7 @@ where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and
|
||||
|
||||
### Configuring Dual Enrollment using Group Policy
|
||||
|
||||
You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object.
|
||||
You configure Windows 10 or Windows 11 to support dual enrollment using the computer configuration portion of a Group Policy object.
|
||||
|
||||
1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
|
||||
2. Edit the Group Policy object from step 1.
|
||||
|
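Review bot: "Windows 10 or Windows 11" here versus plain "Windows" in the paragraphs changed earlier in this file is inconsistent; use one form. In the unchanged step 1, "organizational Unit" should be "organizational unit (OU)".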
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Dynamic lock
|
||||
description: Learn how to set Dynamic lock on Windows 10 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
|
||||
description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
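Review bot: the new description keeps the unneeded comma in "devices, by configuring group policies"; drop it. The frontmatter keeps `ms.prod: w10`, which matches the other pages in this commit, so no change needed there.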
@ -21,9 +21,9 @@ ms.reviewer:
|
||||
|
||||
**Requirements:**
|
||||
|
||||
* Windows 10, version 1703
|
||||
* Windows 10, version 1703 or later
|
||||
|
||||
Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
|
||||
Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
|
||||
|
||||
You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**.
|
||||
|
||||
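Review bot: "when Bluetooth paired device signal falls below" in the rewritten sentence is missing its articles: "when a Bluetooth-paired device's signal falls below". The requirement now says "Windows 10, version 1703 or later" with no explicit Windows 11 item, the same gap as in the dual-enrollment page.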
@ -54,7 +54,7 @@ For this policy setting, the **type** and **scenario** attribute values are stat
|
||||
|Health|2304|
|
||||
|Uncategorized|7936|
|
||||
|
||||
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.
|
||||
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
|
||||
|
||||
RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
|
||||
|
||||
|
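Review bot: the rewritten rssiMaxDelta sentence carries over the grammar slips of the original: "which instruct Windows" should be "which instructs Windows", and "by more than measurement of 10" should be "by more than a measurement of 10". In the unchanged paragraph below, "bluetooth" should be capitalized and "Therefore a measurement" needs a comma after "Therefore".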
@ -22,6 +22,7 @@ ms.reviewer:
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10, version 1709 or later
|
||||
- Windows 11
|
||||
|
||||
Windows Hello for Business provides the capability for users to reset forgotten PINs using the "I forgot my PIN link" from the Sign-in options page in Settings or from above the lock screen. User's are required to authenticate and complete multifactor authentication to reset their PIN.
|
||||
|
||||
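Review bot: in the unchanged sentence after the new "Windows 11" item, "User's are required" should be "Users are required", and the quoted link text should be "I forgot my PIN" link rather than "I forgot my PIN link".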
@ -81,7 +82,7 @@ Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch
|
||||
|
||||
When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multifactor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory.
|
||||
|
||||
Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
|
||||
Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
|
||||
|
||||
>[!IMPORTANT]
|
||||
> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer.
|
||||
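Review bot: the important note at the end of this hunk still lists only Windows 10 editions (Enterprise for version 1709 to 1809, Enterprise and Pro from 1903). Since the page's applies-to list now includes Windows 11, the note should state which Windows 11 editions the PIN reset service supports; otherwise the change to "Windows devices" leaves that question open.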
@ -114,7 +115,7 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
|
||||
|
||||
### Configure Windows devices to use PIN reset using Group Policy
|
||||
|
||||
You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
|
||||
You can configure Windows to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
|
||||
|
||||
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
|
||||
1. Edit the Group Policy object from Step 1.
|
||||
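Review bot: the sentence now opens "You can configure Windows", while the parallel sentence in the dual-enrollment page changed in this commit keeps "You configure Windows 10 or Windows 11"; align the two. The heading above already says "Windows devices", so plain "Windows" is the better choice for both.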
@ -188,6 +189,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10, version 1803 or later
|
||||
- Windows 11
|
||||
- Azure AD joined
|
||||
|
||||
The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
|
||||
|
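Review bot: with Windows 11 added to the applies-to list, the paragraph below should also say how to scope the setting: ConfigureWebSignInAllowedUrls is an allowlist of domains reachable from the PIN reset web flow, so the guidance should recommend listing only the federated identity provider's sign-in domains rather than a broad set, since every entry widens what the pre-sign-in web view can load.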
@ -22,6 +22,7 @@ ms.reviewer:
|
||||
**Requirements**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
|
||||
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
|
||||
|
||||
@ -36,9 +37,9 @@ Microsoft continues to investigate supporting using keys trust for supplied cred
|
||||
- Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
|
||||
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
|
||||
- Biometric enrollments
|
||||
- Windows 10, version 1809
|
||||
- Windows 10, version 1809 or later
|
||||
|
||||
Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.
|
||||
Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 or later introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.
|
||||
|
||||
### How does it work
|
||||
|
||||
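Review bot: "Windows 10, version 1809 or later introduces the ability" reads oddly, since a feature is introduced in one version; keep "Windows 10, version 1809 introduces" and express "or later" in the requirements list above, which this hunk already does. The final sentence's "as soon as they upgrade to Windows 10, version 1809" is fine as is.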
@ -48,7 +49,7 @@ A certificate on a smart card starts with creating an asymmetric key pair using
|
||||
|
||||
This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
|
||||
|
||||
Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN.
|
||||
Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 or later no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows to prompt the user for their biometric gesture or PIN.
|
||||
|
||||
### Compatibility
|
||||
|
||||
|
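Review bot: same issue as the previous hunk: "Windows 10, version 1809 or later no longer redirects" should be "Starting with Windows 10, version 1809, Windows no longer redirects". Also, "KSP--" should be a proper dash or a comma, and "The Microsoft Passport KSP enabled Windows to prompt" should be present tense ("enables"), since it describes current behavior.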
@ -18,7 +18,9 @@ ms.reviewer:
|
||||
# Windows Hello for Business and Authentication
|
||||
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.<br>
|
||||
Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.<br>
|
||||
|
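Review bot: in the unchanged paragraph below the list, "can optional authenticate to Active Directory" should be "can optionally authenticate". The trailing `<br>` tags ending each paragraph are unnecessary in Markdown; a blank line between paragraphs gives the same result.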
@ -16,9 +16,10 @@ ms.date: 08/19/2018
|
||||
ms.reviewer:
|
||||
---
|
||||
# Windows Hello for Business Provisioning
|
||||
<span id="windows-hello-for-business-provisioning" />
|
||||
<b>Applies to:</b>
|
||||
- Windows 10
|
||||
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on:
|
||||
- How the device is joined to Azure Active Directory
|
||||
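Review bot: replacing `<b>Applies to:</b>` with `**Applies to:**` is the right cleanup; the `<span id="windows-hello-for-business-provisioning" />` anchor must stay, because the "Return to top" links later in the page target it. In the unchanged sentence below, "Provisioning experience vary" should be "Provisioning experiences vary".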
@ -48,7 +49,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|
||||
|
||||
[Return to top](#windows-hello-for-business-provisioning)
|
||||
## Azure AD joined provisioning in a Federated environment
|
||||

|
||||

|
||||
|
||||
| Phase | Description |
|
||||
| :----: | :----------- |
|
||||
|
@ -19,6 +19,7 @@ ms.reviewer:
|
||||
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
- [Attestation Identity Keys](#attestation-identity-keys)
|
||||
- [Azure AD Joined](#azure-ad-joined)
|
||||
@ -44,15 +45,15 @@ ms.reviewer:
|
||||
<hr>
|
||||
|
||||
## Attestation Identity Keys
|
||||
Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
|
||||
Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
|
||||
|
||||
> [!NOTE]
|
||||
> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
|
||||
> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
|
||||
> The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
|
||||
|
||||
Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device.
|
||||
Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device.
|
||||
|
||||
Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
|
||||
Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
|
||||
|
||||
In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate.
|
||||
|
||||
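Review bot: this hunk mixes plain "Windows" (the AIK paragraphs) with "Windows 10 or Windows 11" (the bolded sentence about issuing AIK certificates without an endorsement certificate); use one form. The bolded sentence's opening clause, "devices that will upgrade to Windows 10", is legitimately Windows 10-specific and can stay.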
@ -102,7 +103,7 @@ The Windows Hello for Business Cloud deployment is exclusively for organizations
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Cloud Experience Host
|
||||
In Windows 10, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
|
||||
In Windows 10 and Windows 11, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
|
||||
|
||||
### Related topics
|
||||
[Windows Hello for Business](./hello-identity-verification.md), [Managed Windows Hello in Organization](./hello-manage-in-organization.md)
|
||||
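Review bot: the unchanged "[Return to Top](hello-how-it-works-technology.md)" link above the heading points at the page file rather than an in-page anchor; the other return links in this commit use an anchor (for example `(#windows-hello-for-business-provisioning)`), so this one should target the top-of-page anchor as well.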
@ -138,7 +139,7 @@ The endorsement key is often accompanied by one or two digital certificates:
|
||||
- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
|
||||
- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
|
||||
|
||||
For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.
|
||||
For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11.
|
||||
|
||||
### Related topics
|
||||
[Attestation Identity Keys](#attestation-identity-keys), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)
|
||||
@ -279,15 +280,15 @@ The trust type determines how a user authenticates to the Active Directory to ac
|
||||
|
||||
A Trusted Platform Module (TPM) is a hardware component that provides unique security features.<br>
|
||||
|
||||
Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
|
||||
Windows leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
|
||||
|
||||
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other:
|
||||
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
|
||||
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
|
||||
|
||||
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](../../information-protection/tpm/tpm-recommendations.md).
|
||||
Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../information-protection/tpm/tpm-recommendations.md).
|
||||
|
||||
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
|
||||
Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0.
|
||||
|
||||
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
|
||||
|
||||
|
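Review bot: "Windows recognizes versions 1.2 and 2.0 TPM specifications" is no longer accurate once the sentence covers Windows 11, which requires TPM 2.0 as a minimum system requirement; scope the 1.2 support to Windows 10 ("Windows 10 recognizes versions 1.2 and 2.0 ...; Windows 11 requires TPM 2.0"). In the earlier rewritten sentence, "for measuring boot integrity sequence" should be "for measuring the boot integrity sequence".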
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: How Windows Hello for Business works (Windows 10)
|
||||
title: How Windows Hello for Business works (Windows)
|
||||
description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -13,11 +13,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.topic: article
|
||||
---
|
||||
# How Windows Hello for Business works
|
||||
# How Windows Hello for Business works in Windows devices
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows 10 Mobile
|
||||
|
||||
Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
|
||||
|
||||
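Review bot: the new heading "How Windows Hello for Business works in Windows devices" is redundant ("Windows Hello ... in Windows devices"); the original "How Windows Hello for Business works" reads better and matches the page title changed in this commit. The list also keeps "Windows 10 Mobile" alongside the new "Windows 11" item; Windows 10 Mobile reached end of support in January 2020, so consider whether it still belongs in the applies-to list.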
@ -30,15 +32,15 @@ A goal of device registration is to allow a user to open a brand-new device, sec
|
||||
|
||||
The registration process works like this:
|
||||
|
||||
1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it.
|
||||
1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 or Windows 11 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it.
|
||||
2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends.
|
||||
3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately
|
||||
|
||||
The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are:
|
||||
|
||||
- A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN.
|
||||
- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
|
||||
- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
|
||||
- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 or Windows 11 device the user has not previously signed in to.
|
||||
- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 and Windows 11 device the user has not previously signed in to.
|
||||
|
||||
When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM.
|
||||
|
||||
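Review bot: the two rewritten bullets disagree with each other: "a Windows 10 or Windows 11 device" in the smart card item versus "a Windows 10 and Windows 11 device" in the virtual smart card item; "or" is correct in both. In the unchanged step 3, "When the user sets the PIN, it becomes usable immediately" is missing its period; the Windows 8.1 bullet's "upgraded Windows 10 device" can stay, since an 8.1 upgrade targets Windows 10.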
@ -46,7 +48,7 @@ At this point, the user has a PIN gesture defined on the device and an associate
|
||||
|
||||
## What’s a container?
|
||||
|
||||
You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
|
||||
You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 or Windows 11 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
|
||||
|
||||
The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD.
|
||||
|
||||
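Review bot: "Windows 10 or Windows 11 Hello uses a single container" splits the product name; write "Windows Hello on Windows 10 or Windows 11 uses a single container" (or simply "Windows Hello uses").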