mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
update to journey documents before final review
This commit is contained in:
parent
4bfe5bbfb6
commit
c45bca0d9f
@ -4,6 +4,7 @@ description: This article is a troubleshooting guide for known Windows Hello for
ms.date: 06/02/2023
ms.topic: troubleshooting
---

# Windows Hello for Business known deployment issues

The content of this article is to help troubleshoot known deployment issues for Windows Hello for Business.

@ -2,7 +2,7 @@
title: Windows Hello errors during PIN creation
description: When you set up Windows Hello, you may get an error during the Create a work PIN step.
ms.topic: troubleshooting
ms.date: 04/24/2023
ms.date: 01/26/2024
---

# Windows Hello errors during PIN creation
@ -28,12 +28,12 @@ If the error occurs again, check the error code against the following table to s

| Hex | Cause | Mitigation |
| :--------- | :----------------------------------------------------------------- | :------------------------------------------ |
| 0x80090005 | NTE\_BAD\_DATA | Unjoin the device from Microsoft Entra ID and rejoin. |
| 0x80090005 | NTE_BAD_DATA | Unjoin the device from Microsoft Entra ID and rejoin. |
| 0x8009000F | The container or key already exists. | Unjoin the device from Microsoft Entra ID and rejoin. |
| 0x80090011 | The container or key was not found. | Unjoin the device from Microsoft Entra ID and rejoin. |
| 0x80090029 | TPM is not set up. | Sign on with an administrator account. Select **Start**, type `tpm.msc`, and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. |
| 0x8009002A | NTE\_NO\_MEMORY | Close programs which are taking up memory and try again. |
| 0x80090031 | NTE\_AUTHENTICATION\_IGNORED | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). |
| 0x8009002A | NTE_NO_MEMORY | Close programs which are taking up memory and try again. |
| 0x80090031 | NTE_AUTHENTICATION_IGNORED | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). |
| 0x80090035 | Policy requires TPM and the device does not have TPM. | Change the Windows Hello for Business policy to not require a TPM. |
| 0x80090036 | User canceled an interactive dialog. | User will be asked to try again. |
| 0x801C0003 | User is not authorized to enroll. | Check if the user has permission to perform the operation. |
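Review bot: the 0x80090031 row sends the reader to reset the TPM or run Clear-TPM without any caveat, yet clearing the TPM discards every key it protects, so the mitigation should tell the reader to suspend BitLocker first and to expect Windows Hello and other TPM-backed keys to be re-provisioned afterwards. Dropping the backslashes in the NTE_* cells is safe: in CommonMark an underscore inside a word cannot open emphasis, so no italics leak into the Cause column.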
@ -53,7 +53,7 @@ If the error occurs again, check the error code against the following table to s
| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. <br><br> -or- <br><br> Token was not found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User does not have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin. <br> Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings.
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address.
| 0x801C03F2 | Windows Hello key registration failed. | ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address.
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Microsoft Entra ID and rejoin. |
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
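Review bot: the 0x801C03ED mitigation cell still says "unjoin the device from Azure AD and rejoin" while the cause text in the same row and every other row use "Microsoft Entra ID"; update it while this row is being touched. The row `| | Unable to obtain user token. |` has an empty Hex cell, so a reader cannot map the cause to a code they see in a log; either supply the code or fold the row into 0x801C044D. The ERROR_BAD_DIRECTORY_REQUEST unescaping is fine for the same intraword-underscore reason as the NTE_* cells.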
@ -70,9 +70,9 @@ For errors listed in this table, contact Microsoft Support for assistance.
| 0X80072F0C | Unknown |
| 0x80072F8F | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows.|
| 0x80090010 | NTE_PERM |
| 0x80090020 | NTE\_FAIL |
| 0x80090020 | NTE_FAIL |
| 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
| 0x8009002D | NTE\_INTERNAL\_ERROR |
| 0x8009002D | NTE_INTERNAL_ERROR |
| 0x801C0001 | ADRS server response is not in a valid format. |
| 0x801C0002 | Server failed to authenticate the user. |
| 0x801C0006 | Unhandled exception from server. |

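Review bot: `0X80072F0C` is written with an uppercase X while every other code in the table uses `0x…`; normalize it, since readers search logs and this page for the exact string. The 0x80072F8F description (clock mismatch with the activation server while activating Windows) reads like a Windows activation error rather than a PIN-creation cause, so it is worth verifying that text before it is republished.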
@ -4,6 +4,7 @@ description: Learn how to configure single sign-on to on-premises resources for
ms.date: 12/30/2022
ms.topic: how-to
---

# Configure single sign-on for Microsoft Entra joined devices

[!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)]

Binary file not shown.
Before Width: | Height: | Size: 91 KiB |
Binary file not shown.
Before Width: | Height: | Size: 506 KiB |
Binary file not shown.
Before Width: | Height: | Size: 534 KiB |
Binary file not shown.
Before Width: | Height: | Size: 103 KiB |
@ -140,7 +140,7 @@ The journey to password freedom is to take each work persona through each step o
- Awareness campaign and user education
- Include remaining users who fit the work persona
- Validate that **none of the users** of the work personas need passwords
- Configure user accounts to disallow password authentication
- Configure user accounts to prevent password authentication
:::column-end:::
:::row-end:::


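Review bot: renaming the bullet from "disallow password authentication" to "prevent password authentication" matches the step-3 heading rename in this commit, but a heading rename also changes the generated anchor; check whether any page links to `#configure-user-accounts-to-disallow-password-authentication` and update those links, otherwise they silently land at the top of the page.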
@ -2,7 +2,7 @@
title: Reduce the user-visible password surface area
description: Learn about how to reduce the user-visible password surface area, the second step of the Microsoft passwordless journey.
ms.topic: concept-article
ms.date: 12/13/2023
ms.date: 01/26/2024
---

# Reduce the user-visible password surface area
@ -26,13 +26,13 @@ ms.date: 12/13/2023

Now is the time to learn more about the targeted work persona. You should have a list of applications they use, but you don't know what, why, when, and how frequently. This information is important as you further your progress through step 2. Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: document password usage. This list isn't a comprehensive one, but it gives you an idea of the type of information you want. The goal is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions:

| :ballot_box_with_check: | Question |
| | Question |
|--|--|
| :black_square_button: | *What's the name of the application that asked for a password?* |
| :black_square_button: | *Why do they use the application that asked for a password? For example, is there more than one application that can do the same thing?* |
| :black_square_button: | *What part of their workflow makes them use the application? Try to be as specific as possible. For example, "I use application x to issue credit card refunds for amounts over y."* |
| :black_square_button: | *How frequently do you use the application in a given day or week?* |
| :black_square_button: | *Is the password you type into the application the same as the password you use to sign-in to Windows?* |
| **🔲** | *What's the name of the application that asked for a password?* |
| **🔲** | *Why do they use the application that asked for a password? For example, is there more than one application that can do the same thing?* |
| **🔲** | *What part of their workflow makes them use the application? Try to be as specific as possible. For example, "I use application x to issue credit card refunds for amounts over y."* |
| **🔲** | *How frequently do you use the application in a given day or week?* |
| **🔲** | *Is the password you type into the application the same as the password you use to sign-in to Windows?* |

Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being passwordless.

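Review bot: the checklist header cell is now empty (`| | Question |`) and each row wraps a single emoji in bold, which renders no differently from a bare `🔲`; drop the `**` and give the first column a short header such as "Done" so screen readers announce it. In the last row "sign-in to Windows" uses the noun form as a verb; it should read "sign in to Windows".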
@ -82,7 +82,7 @@ To learn more, see [Windows passwordless experience](../passwordless-experience/
The *Exclude credential providers* policy setting can be used to disable the password credentail provider. When configured, Windows disables the possibility to uyse passwords for *all accounts*, including local accounts. It also prevents the use of passwords for RDP and *Run as* authentication scenarios. This policy setting might impact support scenarios, such as when a user needs to sign in with a local account to troubleshoot a problem. For this reason, carefully evaluate all scenarios before enabling it.

- GPO: **Computer Configuration** > **Administrative Templates** > **System** > **Logon** > **Exclude credential providers**
- CSP: ``./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/`[ExcludedCredentialProviders](/windows/client-management/mdm/policy-csp-admx-credentialproviders#excludedcredentialproviders)
- CSP: `./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/`[ExcludedCredentialProviders](/windows/client-management/mdm/policy-csp-admx-credentialproviders#excludedcredentialproviders)

The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`.

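Review bot: the backtick fix on the CSP line is right (the doubled backtick broke the inline code span), but the paragraph above still carries two typos on an untouched line, "credentail provider" and "uyse passwords"; fix them in the same commit since the paragraph is already in the diff. That paragraph's own caveat deserves emphasis rather than a softening: the CLSID excludes the password provider for every account, including the local accounts an admin relies on for recovery, so the text could say to confirm an alternative local sign-in path exists before enabling it.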
@ -100,6 +100,6 @@ This stage is the significant moment. You have identified password usage, develo
## Next steps

> [!div class="nextstepaction"]
> Congratulations! You're ready to transition one or more portions of your organization to a passwordless deployment. You've validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You're just a few steps away from declaring success.
> You're ready to transition one or more portions of your organization to a passwordless deployment. You've validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You're just a few steps away from declaring success.
>
> [Step 3: transition into a passwordless deployment >](journey-step-3.md)

@ -28,6 +28,9 @@ In this last step, you're going to include the remaining users that fit the targ

An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience.

> [!TIP]
> To facilitate user communication and to ensure a successful Windows Hello for Business deployment, you can find customizable material (email templates, posters, trainings, etc.) at [Microsoft Entra templates](https://aka.ms/adminmails).

## Include remaining users that fit the work persona

You've implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being passwordless. Add the remaining users that match the targeted work persona to your deployment.
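Review bot: in the new tip, "trainings" is not standard; "training material" reads better, and "(email templates, posters, training material, and more)" avoids the "etc." inside the parenthesis.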
@ -38,47 +41,31 @@ You've successfully transitioned all users for the targeted work persona to bein

Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, consider the following questions:

| :ballot_box_with_check: | Question |
| | Question |
|--|--|
| :black_square_button: | *Is the reporting user performing a task outside the work persona?* |
| :black_square_button: | *Is the reported issue affecting the entire work persona, or only specific users?* |
| :black_square_button: | *Is the outage a result of a misconfiguration?* |
| :black_square_button: | *Is the outage an overlooked gap from step 2?* |
| **🔲** | *Is the reporting user performing a task outside the work persona?* |
| **🔲** | *Is the reported issue affecting the entire work persona, or only specific users?* |
| **🔲** | *Is the outage a result of a misconfiguration?* |
| **🔲** | *Is the outage an overlooked gap from step 2?* |

Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process.

Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this outcome isn't the end goal, but don't let it slow down your momentum towards becoming passwordless. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it.

## Configure user accounts to disallow password authentication
## Configure user accounts to prevent password authentication

You transitioned all the users for the targeted work persona to a passwordless environment and you've successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords.
You transitioned all the users for the targeted work persona to a passwordless environment and you've successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password.

### Password scrambling

If your users are defined in Active Directory, you can scramble their password to a random value.
While you can't completely remove the password from the user's account, you can prevent the user from using the password to authenticate. The easiest and most effective approach is to set the password to a random value. This approach prevents the user from knowing the password and using it to authenticate, but it allows the user to reset the password whenever needed.

### Password expiration
> [!TIP]
> Enable [Microsoft Entra self-service password reset (SSPR)](/entra/identity/authentication/tutorial-enable-sspr) to allow the users to reset their password. Once implemented, users can sign in to their Windows devices using Windows Hello for Business or a FIDO2 security key, and reset their password from https://aka.ms/sspr. Combine it with [password writeback](/entra/identity/authentication/tutorial-enable-cloud-sync-sspr-writeback) to have the password reset synchronized to your on-premises Active Directory.

The users are effectively password-less because:
If your organizational policies allow it, you can configure the randomized passwords to never expire, or use a long expiration period. This configuration prevents the user from being prompted to change their password.

- They don't know their password
- The user isn't asked to change their password
- Domain controllers don't allow passwords for interactive authentication

#### Prompt user to change password before expiration

Determines how far in advance (in days) users are warned that their password is about to expire. When you set the policy setting to zero, there is no password expiration warning when the user logs on.

- GPO: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Interactive logon: Prompt user to change password before expiration**
- CSP: `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/`[InteractiveLogon_PromptUserToChangePasswordBeforeExpiration](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_promptusertochangepasswordbeforeexpiration)

### Password rotation

### Cloud-only users

If your users are defined in Microsoft Entra ID and not synchronized from Active Directory (cloud-only), you can use the Microsoft Graph API to change the user's password to a random value.

The following sample PowerShell script generates a random password of 64 characters and sets it for the user specified in the variable name $userId.
The following sample PowerShell script generates a random password of 64 characters and sets it for the user specified in the variable name $userId agains Microsoft Entra ID.
Modify the **userId** variable of the script to match your environment (first line), and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, use the credentials of an account with a role capable of resetting passwords.

```azurepowershell-interactive
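Review bot: the new intro sentence has a typo, "agains Microsoft Entra ID" should be "against Microsoft Entra ID". More substantively, the rewritten "Password scrambling" paragraph says a random password "prevents the user from using the password to authenticate" while the same paragraph and the tip below it let the user reset it through SSPR; after a reset the user again holds a password the authority accepts, so the sentence should claim only that the user no longer knows the password, which is also why removing the "prevent the authenticating authority from accepting passwords" clause and the "Domain controllers don't allow passwords for interactive authentication" bullet is the right call. With that wording, the new "never expire" paragraph should also note that a non-expiring random password still needs the rotation described later on the page, otherwise a value that leaks (for example through a helpdesk reset) stays valid indefinitely.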
@ -113,3 +100,35 @@ $passwordParams = @{
Reset-MgUserAuthenticationMethodPassword @passwordParams
```

A similar script can be used to reset the password against Active Directory. Modify the **samAccountName** variable of the script to match your environment (first line), and then run it in a PowerShell session.

```PowerShell
$samAccountName = <sAMAccountName of the user>

function Generate-RandomPassword{
[CmdletBinding()]
param (
[int]$Length = 64
)
$chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{};:,.<>/?\|`~"
$random = New-Object System.Random
$password = ""
for ($i = 0; $i -lt $Length; $i++) {
$index = $random.Next(0, $chars.Length)
$password += $chars[$index]
}
return $password
}

$NewPassword = ConvertTo-SecureString -String (Generate-RandomPassword) -AsPlainText -Force

Set-ADAccountPassword -identity $userId -NewPassword $NewPassword -Reset
```

### Password rotation

Consider implementing automation to rotate the user's password on a regular basis. This approach ensures that the user's password is always randomized and prevents the user from knowing the password.

## Next steps

Microsoft is working hard to make the passwordless journey easier for you. We're working on new features and capabilities to help you transition to a passwordless environment, and to achieves the long-term security promise of a truly passwordless environment. Check back often to see what's new.

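Review bot: the Active Directory script does not run as written: the first line sets `$samAccountName`, but the last line calls `Set-ADAccountPassword -identity $userId` with an undefined `$userId`, so the cmdlet receives a null identity; change it to `-Identity $samAccountName` (and the intro above says to edit **samAccountName**, so the text and code must agree). Two further points on the generator: `System.Random` is not a cryptographic generator and should not be used to derive a credential, so draw the indexes from `[System.Security.Cryptography.RandomNumberGenerator]::Create()` via `GetBytes` (available on both Windows PowerShell and PowerShell 7); and inside a double-quoted string the backtick in `` `~ `` is consumed as PowerShell's escape character, so the backtick never enters the character set (harmless, but the string suggests otherwise). Quoting the placeholder (`$samAccountName = '<sAMAccountName of the user>'`) avoids a parse error when the block is pasted unedited, the script should state that it needs the ActiveDirectory RSAT module, and the untouched "Next steps" paragraph still reads "to achieves the long-term security promise".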