mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 12:23:37 +00:00
updates
@ -75,7 +75,8 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
|
|||||||
|
|
||||||
:::row:::
|
:::row:::
|
||||||
:::column span="3":::
|
:::column span="3":::
|
||||||
**Passwordless first sign-in experience**: users can perform the first sign in to Windows passwordless, before enablig Windows Hello for Business. For example, using Microsoft Authenticator in the Web sign-in flow. When used in conjuction with passworless, the organization can hide the password credential provider from the lock screen as well as in-session authentication scenarios. For more information, see [Windows Hello for Business passwordless](../hello-for-business/passwordless.md).
|
**Passwordless first sign-in experience**\
|
||||||
|
Uusers can perform the first sign in to Windows passwordless, before enablig Windows Hello for Business. For example, using Microsoft Authenticator in the Web sign-in flow. When used in conjuction with passworless, the organization can hide the password credential provider from the lock screen as well as in-session authentication scenarios. For more information, see [Windows Hello for Business passwordless](../hello-for-business/passwordless.md).
|
||||||
:::column-end:::
|
:::column-end:::
|
||||||
:::column span="1":::
|
:::column span="1":::
|
||||||
:::image type="content" source="images/lock-screen.png" lightbox="../hello-for-business/images/pinreset/pin-reset.gif" alt-text="Animation of the Web sign-in experience with Microsoft Authenticator.":::
|
:::image type="content" source="images/lock-screen.png" lightbox="../hello-for-business/images/pinreset/pin-reset.gif" alt-text="Animation of the Web sign-in experience with Microsoft Authenticator.":::
|
||||||
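Review bot: The rewritten description line in this hunk introduces a new typo, "Uusers", and carries over "enablig", "conjuction" and "passworless" from the line it replaces; fix all four while the sentence is being touched. The image line in the trailing context pairs alt text about Web sign-in with Microsoft Authenticator with a lightbox pointing at pinreset/pin-reset.gif, which looks like a placeholder asset that should be swapped before this is published.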
@ -83,7 +84,8 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
|
|||||||
:::row-end:::
|
:::row-end:::
|
||||||
:::row:::
|
:::row:::
|
||||||
:::column span="3":::
|
:::column span="3":::
|
||||||
**Windows Hello for Business PIN reset**: the PIN reset flow is seamless and more robust than in previous versions. For more information, see [PIN reset](../hello-for-business/hello-feature-pin-reset.md).
|
**Windows Hello for Business PIN reset**\
|
||||||
|
The PIN reset flow is seamless and more robust than in previous versions. For more information, see [PIN reset](../hello-for-business/hello-feature-pin-reset.md).
|
||||||
:::column-end:::
|
:::column-end:::
|
||||||
:::column span="1":::
|
:::column span="1":::
|
||||||
:::image type="content" source="images/lock-screen.png" lightbox="../hello-for-business/images/pinreset/pin-reset.gif" alt-text="Animation of the PIN reset in experience.":::
|
:::image type="content" source="images/lock-screen.png" lightbox="../hello-for-business/images/pinreset/pin-reset.gif" alt-text="Animation of the PIN reset in experience.":::
|
||||||
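Review bot: The PIN reset description, now on its own line under the bold title, still claims the flow is "seamless and more robust than in previous versions" without saying what changed; state the concrete difference or drop the comparison. In the context lines, the alt text "Animation of the PIN reset in experience" has a stray "in", and the image source is the same images/lock-screen.png used by the other rows.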
@ -91,7 +93,8 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
|
|||||||
:::row-end:::
|
:::row-end:::
|
||||||
:::row:::
|
:::row:::
|
||||||
:::column span="3":::
|
:::column span="3":::
|
||||||
**Temporary Access Pass (TAP)**: users can sign in using a Temporary Access Pass, which is a ...
|
**Temporary Access Pass (TAP)**\
|
||||||
|
Users can sign in using a Temporary Access Pass, which is a ...
|
||||||
:::column-end:::
|
:::column-end:::
|
||||||
:::column span="1":::
|
:::column span="1":::
|
||||||
:::image type="content" source="images/lock-screen.png" lightbox="../hello-for-business/images/pinreset/pin-reset.gif" alt-text="Animation of the TAP sign in experience.":::
|
:::image type="content" source="images/lock-screen.png" lightbox="../hello-for-business/images/pinreset/pin-reset.gif" alt-text="Animation of the TAP sign in experience.":::
|
||||||
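Review bot: The Temporary Access Pass description is still an unfinished sentence ("which is a ..."), now moved onto its own line; complete the definition or link to the TAP documentation before merging. The image in the context lines again reuses images/lock-screen.png and the pin-reset.gif lightbox, although the alt text describes the TAP sign-in experience.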
@ -99,7 +102,8 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
|
|||||||
:::row-end:::
|
:::row-end:::
|
||||||
:::row:::
|
:::row:::
|
||||||
:::column span="3":::
|
:::column span="3":::
|
||||||
**Sign in with a federated identity**: if the Microsoft Entra ID tenant is federated with a third-party SAML-P identity provider (IdP), federated users can sign to the Windows devices.
|
**Sign in with a federated identity**\
|
||||||
|
If the Microsoft Entra ID tenant is federated with a third-party SAML-P identity provider (IdP), federated users can sign to the Windows devices.
|
||||||
|
|
||||||
> [!TIP]
|
> [!TIP]
|
||||||
> To simplify the sign in experience, configure the preferred tenant policy, as it automatically redirect the sign in prompt to the IdP. For more information, see
|
> To simplify the sign in experience, configure the preferred tenant policy, as it automatically redirect the sign in prompt to the IdP. For more information, see
|
||||||
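Review bot: The federated identity description says federated users "can sign to the Windows devices", which is missing "in"; correct it while the line is being split from its title. The tip in the context lines has the same kind of slip ("it automatically redirect" should be "redirects") and writes "sign in experience" where the rest of the page uses "sign-in".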
@ -115,20 +119,24 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
|
|||||||
|
|
||||||
The following issues are known to affect Web sign-in:
|
The following issues are known to affect Web sign-in:
|
||||||
|
|
||||||
|
- Once enabled, the Web sign-in credential provider is the default credential provider for the device. To change the default credential provider, you must use the [Authentication CSP][WIN-4].
|
||||||
|
|
||||||
|
You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**:
|
||||||
|
|
||||||
|
To verify:
|
||||||
- Non-federated users can't sign-in to the devices, including local accounts
|
- Non-federated users can't sign-in to the devices, including local accounts
|
||||||
- The *Other user* button is missing from the sign-in screen
|
- The *Other user* button is missing from the sign-in screen
|
||||||
|
|
||||||
### Preferred Azure AD tenant name
|
### Sign in with federated identities
|
||||||
|
|
||||||
To improve the user experience, you can configure the *preferred Azure AD tenant name* feature.\
|
|
||||||
When using preferred AAD tenant name, the users bypass the disambiguation page and are redirected to the identity provider sign-in page. This configuration can be especially useful for student shared devices, where the disambiguation page is always shown.
|
|
||||||
|
|
||||||
|
- To improve the user experience, you can configure the *preferred Azure AD tenant name* feature.
|
||||||
|
When using preferred AAD tenant name, the users can select the domain name during the sign-in process and redirected to the identity provider sign-in page.
|
||||||
For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-4].
|
For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-4].
|
||||||
|
- Disable Windows Hello provisioning
|
||||||
|
|
||||||
## Troubleshooting
|
## Troubleshooting
|
||||||
|
|
||||||
- The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen
|
- The user can exit the web sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the Windows lock screen
|
||||||
- Select the *Other User* button, and the standard username/password credentials are available to log into the device
|
|
||||||
|
|
||||||
<!--links-->
|
<!--links-->
|
||||||
|
|
||||||
|
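Review bot: The added Group Policy paragraph ends at "... > System > Logon**:" with no policy setting named after the colon, and the new "To verify:" line is followed directly by the two existing known-issue bullets, so the limitations (non-federated users, including local accounts, can't sign in; the *Other user* button is missing) now read as verification steps. Name the setting, list real verification steps, and keep the known issues in their own list. The new bullet "- Disable Windows Hello provisioning" has no explanation, the heading becomes "Sign in with federated identities" while the text under it still describes the preferred Azure AD tenant name, and "users can select the domain name during the sign-in process and redirected" needs "are redirected". Because the Troubleshooting bullet about the *Other User* button and username/password credentials is removed, the page should say what fallback remains for accounts that cannot use Web sign-in.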