mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 21:33:38 +00:00
update to journey documents before final review
Binary file not shown.
Before Width: | Height: | Size: 91 KiB |
Binary file not shown.
Before Width: | Height: | Size: 506 KiB |
Binary file not shown.
Before Width: | Height: | Size: 534 KiB |
Binary file not shown.
Before Width: | Height: | Size: 103 KiB |
@ -140,7 +140,7 @@ The journey to password freedom is to take each work persona through each step o
|
||||
- Awareness campaign and user education
|
||||
- Include remaining users who fit the work persona
|
||||
- Validate that **none of the users** of the work personas need passwords
|
||||
- Configure user accounts to disallow password authentication
|
||||
- Configure user accounts to prevent password authentication
|
||||
:::column-end:::
|
||||
:::row-end:::
|
||||
|
||||
|
@ -2,7 +2,7 @@
|
||||
title: Reduce the user-visible password surface area
|
||||
description: Learn about how to reduce the user-visible password surface area, the second step of the Microsoft passwordless journey.
|
||||
ms.topic: concept-article
|
||||
ms.date: 12/13/2023
|
||||
ms.date: 01/26/2024
|
||||
---
|
||||
|
||||
# Reduce the user-visible password surface area
|
||||
@ -26,13 +26,13 @@ ms.date: 12/13/2023
|
||||
|
||||
Now is the time to learn more about the targeted work persona. You should have a list of applications they use, but you don't know what, why, when, and how frequently. This information is important as you further your progress through step 2. Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: document password usage. This list isn't a comprehensive one, but it gives you an idea of the type of information you want. The goal is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions:
|
||||
|
||||
| :ballot_box_with_check: | Question |
|
||||
| | Question |
|
||||
|--|--|
|
||||
| :black_square_button: | *What's the name of the application that asked for a password?* |
|
||||
| :black_square_button: | *Why do they use the application that asked for a password? For example, is there more than one application that can do the same thing?* |
|
||||
| :black_square_button: | *What part of their workflow makes them use the application? Try to be as specific as possible. For example, "I use application x to issue credit card refunds for amounts over y."* |
|
||||
| :black_square_button: | *How frequently do you use the application in a given day or week?* |
|
||||
| :black_square_button: | *Is the password you type into the application the same as the password you use to sign-in to Windows?* |
|
||||
| **🔲** | *What's the name of the application that asked for a password?* |
|
||||
| **🔲** | *Why do they use the application that asked for a password? For example, is there more than one application that can do the same thing?* |
|
||||
| **🔲** | *What part of their workflow makes them use the application? Try to be as specific as possible. For example, "I use application x to issue credit card refunds for amounts over y."* |
|
||||
| **🔲** | *How frequently do you use the application in a given day or week?* |
|
||||
| **🔲** | *Is the password you type into the application the same as the password you use to sign-in to Windows?* |
|
||||
|
||||
Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being passwordless.
|
||||
|
||||
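Review bot: the question rows mix voices. "Why do they use the application" and "What part of their workflow makes them use the application" talk about the user in the third person, while "How frequently do you use the application" and "Is the password you type into the application" address the user directly; since the paragraph above says the test users document this themselves, write all five in the second person. In the last row, "sign-in to Windows" is the verb and should be "sign in". Wrapping the 🔲 character in ** has no visible effect in the rendered table, so the bold can be dropped.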
@ -82,7 +82,7 @@ To learn more, see [Windows passwordless experience](../passwordless-experience/
|
||||
The *Exclude credential providers* policy setting can be used to disable the password credentail provider. When configured, Windows disables the possibility to uyse passwords for *all accounts*, including local accounts. It also prevents the use of passwords for RDP and *Run as* authentication scenarios. This policy setting might impact support scenarios, such as when a user needs to sign in with a local account to troubleshoot a problem. For this reason, carefully evaluate all scenarios before enabling it.
|
||||
|
||||
- GPO: **Computer Configuration** > **Administrative Templates** > **System** > **Logon** > **Exclude credential providers**
|
||||
- CSP: ``./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/`[ExcludedCredentialProviders](/windows/client-management/mdm/policy-csp-admx-credentialproviders#excludedcredentialproviders)
|
||||
- CSP: `./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/`[ExcludedCredentialProviders](/windows/client-management/mdm/policy-csp-admx-credentialproviders#excludedcredentialproviders)
|
||||
|
||||
The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`.
|
||||
|
||||
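Review bot: the unchanged paragraph above the CSP line still contains two typos, "password credentail provider" and "the possibility to uyse passwords"; this commit already edits the same block, so fix them here. The same paragraph says the policy also blocks passwords for RDP and Run as and for local accounts, which makes it a lockout risk; consider adding a sentence on how an administrator regains access after enabling it (for example by reverting the policy) rather than only "carefully evaluate all scenarios".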
@ -100,6 +100,6 @@ This stage is the significant moment. You have identified password usage, develo
|
||||
## Next steps
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> Congratulations! You're ready to transition one or more portions of your organization to a passwordless deployment. You've validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You're just a few steps away from declaring success.
|
||||
> You're ready to transition one or more portions of your organization to a passwordless deployment. You've validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You're just a few steps away from declaring success.
|
||||
>
|
||||
> [Step 3: transition into a passwordless deployment >](journey-step-3.md)
|
||||
|
@ -28,6 +28,9 @@ In this last step, you're going to include the remaining users that fit the targ
|
||||
|
||||
An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience.
|
||||
|
||||
> [!TIP]
|
||||
> To facilitate user communication and to ensure a successful Windows Hello for Business deployment, you can find customizable material (email templates, posters, trainings, etc.) at [Microsoft Entra templates](https://aka.ms/adminmails).
|
||||
|
||||
## Include remaining users that fit the work persona
|
||||
|
||||
You've implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being passwordless. Add the remaining users that match the targeted work persona to your deployment.
|
||||
@ -38,47 +41,31 @@ You've successfully transitioned all users for the targeted work persona to bein
|
||||
|
||||
Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, consider the following questions:
|
||||
|
||||
| :ballot_box_with_check: | Question |
|
||||
| | Question |
|
||||
|--|--|
|
||||
| :black_square_button: | *Is the reporting user performing a task outside the work persona?* |
|
||||
| :black_square_button: | *Is the reported issue affecting the entire work persona, or only specific users?* |
|
||||
| :black_square_button: | *Is the outage a result of a misconfiguration?* |
|
||||
| :black_square_button: | *Is the outage an overlooked gap from step 2?* |
|
||||
| **🔲** | *Is the reporting user performing a task outside the work persona?* |
|
||||
| **🔲** | *Is the reported issue affecting the entire work persona, or only specific users?* |
|
||||
| **🔲** | *Is the outage a result of a misconfiguration?* |
|
||||
| **🔲** | *Is the outage an overlooked gap from step 2?* |
|
||||
|
||||
Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process.
|
||||
|
||||
Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this outcome isn't the end goal, but don't let it slow down your momentum towards becoming passwordless. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it.
|
||||
|
||||
## Configure user accounts to disallow password authentication
|
||||
## Configure user accounts to prevent password authentication
|
||||
|
||||
You transitioned all the users for the targeted work persona to a passwordless environment and you've successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords.
|
||||
You transitioned all the users for the targeted work persona to a passwordless environment and you've successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password.
|
||||
|
||||
### Password scrambling
|
||||
|
||||
If your users are defined in Active Directory, you can scramble their password to a random value.
|
||||
While you can't completely remove the password from the user's account, you can prevent the user from using the password to authenticate. The easiest and most effective approach is to set the password to a random value. This approach prevents the user from knowing the password and using it to authenticate, but it allows the user to reset the password whenever needed.
|
||||
|
||||
### Password expiration
|
||||
> [!TIP]
|
||||
> Enable [Microsoft Entra self-service password reset (SSPR)](/entra/identity/authentication/tutorial-enable-sspr) to allow the users to reset their password. Once implemented, users can sign in to their Windows devices using Windows Hello for Business or a FIDO2 security key, and reset their password from https://aka.ms/sspr. Combine it with [password writeback](/entra/identity/authentication/tutorial-enable-cloud-sync-sspr-writeback) to have the password reset synchronized to your on-premises Active Directory.
|
||||
|
||||
The users are effectively password-less because:
|
||||
If your organizational policies allow it, you can configure the randomized passwords to never expire, or use a long expiration period. This configuration prevents the user from being prompted to change their password.
|
||||
|
||||
- They don't know their password
|
||||
- The user isn't asked to change their password
|
||||
- Domain controllers don't allow passwords for interactive authentication
|
||||
|
||||
#### Prompt user to change password before expiration
|
||||
|
||||
Determines how far in advance (in days) users are warned that their password is about to expire. When you set the policy setting to zero, there is no password expiration warning when the user logs on.
|
||||
|
||||
- GPO: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Interactive logon: Prompt user to change password before expiration**
|
||||
- CSP: `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/`[InteractiveLogon_PromptUserToChangePasswordBeforeExpiration](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_promptusertochangepasswordbeforeexpiration)
|
||||
|
||||
### Password rotation
|
||||
|
||||
### Cloud-only users
|
||||
|
||||
If your users are defined in Microsoft Entra ID and not synchronized from Active Directory (cloud-only), you can use the Microsoft Graph API to change the user's password to a random value.
|
||||
|
||||
The following sample PowerShell script generates a random password of 64 characters and sets it for the user specified in the variable name $userId.
|
||||
The following sample PowerShell script generates a random password of 64 characters and sets it for the user specified in the variable name $userId agains Microsoft Entra ID.
|
||||
Modify the **userId** variable of the script to match your environment (first line), and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, use the credentials of an account with a role capable of resetting passwords.
|
||||
|
||||
```azurepowershell-interactive
|
||||
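Review bot: the added lead-in line has a typo, "agains Microsoft Entra ID" should be "against Microsoft Entra ID". The new "Password scrambling" text says the approach "allows the user to reset the password whenever needed" and the tip points users to SSPR, but a user who resets through SSPR chooses and knows a new password, which reopens the surface this section is trying to close; state that trade-off explicitly, or point to the rotation section as the countermeasure. This hunk also drops the "Password expiration" subsection and the "Prompt user to change password before expiration" GPO/CSP reference without replacing them: a scrambled password that is still subject to expiry will again prompt the user at sign-in, so keep at least one sentence telling readers to set the randomized passwords to never expire or to suppress the expiry warning. The removed bullet "Domain controllers don't allow passwords for interactive authentication" was the only place the previous text said that the authority stops accepting passwords; if that claim is being retracted intentionally, the intro sentence "remove the user's knowledge of the password" reads as the new scope and is consistent, otherwise restore it.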
@ -96,7 +83,7 @@ function Generate-RandomPassword{
|
||||
$index = $random.Next(0, $chars.Length)
|
||||
$password += $chars[$index]
|
||||
}
|
||||
return $password
|
||||
return $password
|
||||
}
|
||||
|
||||
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
|
||||
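Review bot: `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force` in the trailing context persistently changes the administrator's execution policy as a side effect of a password-reset sample; remove it from the script and, if needed, mention running the file with `-ExecutionPolicy Bypass` on the command line instead. The indentation fix to `return $password` is fine.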
@ -113,3 +100,35 @@ $passwordParams = @{
|
||||
Reset-MgUserAuthenticationMethodPassword @passwordParams
|
||||
```
|
||||
|
||||
A similar script can be used to reset the password against Active Directory. Modify the **samAccountName** variable of the script to match your environment (first line), and then run it in a PowerShell session.
|
||||
|
||||
```PowerShell
|
||||
$samAccountName = <sAMAccountName of the user>
|
||||
|
||||
function Generate-RandomPassword{
|
||||
[CmdletBinding()]
|
||||
param (
|
||||
[int]$Length = 64
|
||||
)
|
||||
$chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{};:,.<>/?\|`~"
|
||||
$random = New-Object System.Random
|
||||
$password = ""
|
||||
for ($i = 0; $i -lt $Length; $i++) {
|
||||
$index = $random.Next(0, $chars.Length)
|
||||
$password += $chars[$index]
|
||||
}
|
||||
return $password
|
||||
}
|
||||
|
||||
$NewPassword = ConvertTo-SecureString -String (Generate-RandomPassword) -AsPlainText -Force
|
||||
|
||||
Set-ADAccountPassword -identity $userId -NewPassword $NewPassword -Reset
|
||||
```
|
||||
|
||||
### Password rotation
|
||||
|
||||
Consider implementing automation to rotate the user's password on a regular basis. This approach ensures that the user's password is always randomized and prevents the user from knowing the password.
|
||||
|
||||
## Next steps
|
||||
|
||||
Microsoft is working hard to make the passwordless journey easier for you. We're working on new features and capabilities to help you transition to a passwordless environment, and to achieves the long-term security promise of a truly passwordless environment. Check back often to see what's new.
|
||||
|
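Review bot: the new Active Directory script has a bug in its last line: it defines `$samAccountName` but calls `Set-ADAccountPassword -identity $userId`, so `$userId` is empty and the cmdlet fails; change it to `-Identity $samAccountName`. The first line `$samAccountName = <sAMAccountName of the user>` is not valid PowerShell as written, so quote the placeholder so the script at least parses once the value is filled in. In `Generate-RandomPassword`, `System.Random` is seeded from the clock and is not a cryptographically secure generator, which matters for a password whose whole purpose is to stay unknown; use `[System.Security.Cryptography.RandomNumberGenerator]` instead. Also, the double-quoted character set ends in `` `~ ``, which PowerShell treats as an escape sequence yielding just `~`, so backtick is never actually in the alphabet; a single-quoted string avoids that. The function is a verbatim copy of the one in the Entra script above; consider defining it once. The prose has two issues: the lead-in should say the account running it needs password-reset rights in the domain, as the Entra paragraph does, and the last paragraph has "to achieves the long-term security promise", which should be "to achieve".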