deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 13:53:39 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

PM review and signoff

Browse Source
This commit is contained in:
Paolo Matarazzo
2023-08-31 17:23:21 -04:00
parent 8445008d43 e05b0c8a57
commit ccb83b3fd6
311 changed files with 2655 additions and 2346 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/identity-protection/credential-guard/additional-mitigations.md
View File

@ -1,5 +1,5 @@
---
ms.date: 08/14/2023
ms.date: 08/31/2023
title: Additional mitigations
description: Learn how to improve the security of your domain environment with additional mitigations for Credential Guard and sample code.
ms.topic: reference

5
windows/security/identity-protection/credential-guard/configure.md
View File

@ -1,7 +1,7 @@
---
title: Configure Credential Guard
description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry.
ms.date: 08/14/2023
ms.date: 08/31/2023
ms.collection:
- highpri
- tier2
@ -14,7 +14,8 @@ This article describes how to configure Credential Guard using Microsoft Intune,
## Default enablement
Starting in **Windows 11, version 22H2**, Credential Guard is turned on by default on devices that [meet the requirements](index.md#hardware-and-software-requirements). The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Gurad remotely, if needed.\
Starting in **Windows 11, version 22H2**, Credential Guard is turned on by default on devices that [meet the requirements](index.md#hardware-and-software-requirements). The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Guard remotely, if needed.
If Credential Guard or VBS are disabled *before* a device is updated to Windows 11, version 22H2 or later, default enablement doesn't overwrite the existing settings.
While the default state of Credential Guard changed, system administrators can [enable](#enable-credential-guard) or [disable](#disable-credential-guard) it using one of the methods described in this article.

9
windows/security/identity-protection/credential-guard/considerations-known-issues.md
View File

@ -1,5 +1,5 @@
---
ms.date: 08/16/2023
ms.date: 08/31/2023
title: Considerations and known issues when using Credential Guard
description: Considerations, recommendations and known issues when using Credential Guard.
ms.topic: troubleshooting
@ -11,7 +11,8 @@ It's recommended that in addition to deploying Credential Guard, organizations m
## Wi-fi and VPN considerations
When you enable Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.\
When you enable Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1.
For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS).
@ -115,13 +116,13 @@ Devices that use 802.1x wireless or wired network, RDP, or VPN connections that
#### Affected devices
Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements).
Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements).
All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement.
> [!TIP]
> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
> If it's' present, the device enables Credential Guard after the update.
> If it's present, the device enables Credential Guard after the update.
>
> You can Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).

2
windows/security/identity-protection/credential-guard/how-it-works.md
View File

@ -1,5 +1,5 @@
---
ms.date: 08/16/2023
ms.date: 08/31/2023
title: How Credential Guard works
description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
ms.topic: conceptual

2
windows/security/identity-protection/credential-guard/index.md
View File

@ -1,7 +1,7 @@
---
title: Credential Guard overview
description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them.
ms.date: 08/08/2023
ms.date: 08/31/2023
ms.topic: overview
ms.collection:
- highpri

12
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -68,7 +68,9 @@ To register the applications, follow these steps:
:::row-end:::
:::row:::
:::column span="3":::
3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization
3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization.
>[!NOTE]
>After accepance, the redirect page will show a blank page. This is a known behavior.
:::column-end:::
:::column span="1":::
:::image type="content" alt-text="Screenshot showing the PIN reset service permissions final page." source="images/pinreset/pin-reset-service-prompt-2.png" lightbox="images/pinreset/pin-reset-service-prompt-2.png" border="true":::
@ -178,7 +180,7 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
**Applies to:** Azure AD joined devices
PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *We can't open that page right now*.\
PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *"We can't open that page right now"*.\
If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
@ -196,7 +198,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
| <li> OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` </li><li>Data type: String </li><li>Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**</li>|
> [!NOTE]
> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, *"We can't open that page right now"*. The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
## Use PIN reset
@ -241,5 +243,5 @@ You may find that PIN reset from Settings only works post sign in. Also, the loc
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[CSP-2]: /windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls
[INT-1]: /mem/intune/configuration/settings-catalog
[APP-1]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&redirect_uri=https%3A%2F%2Fcred.microsoft.com&prompt=admin_consent
[APP-2]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&prompt=admin_consent
[APP-1]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent
[APP-2]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent

2
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
View File

@ -174,7 +174,7 @@ If you deployed Windows Hello for Business using the key trust model, and want t
1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos).
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business.
1. For Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business.
> [!NOTE]
> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.

2
windows/security/identity-protection/hello-for-business/passwordless-strategy.md
View File

@ -317,7 +317,7 @@ The following image shows the SCRIL setting for a user in Active Directory Admin
> 1. Enable the setting.
> 1. Save changes again.
>
> When you upgrade the domain to Windows Server 2016 domain forest functional level or later, the domain controller automatically does this action for you.
> When you upgrade the domain functional level to Windows Server 2016 or later, the domain controller automatically does this action for you.
The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016: