From d5bd8dc72fcf2a4253296819f06c04ddc019b865 Mon Sep 17 00:00:00 2001
From: illfated
Date: Sun, 27 Oct 2019 22:21:13 +0100
Subject: [PATCH] WHfB/Key Trust models: PIN reset availability

Description:

Based on user feedback and author verification, the PIN reset feature in Windows Hello for Business is available in Windows 10 Professional using different key trust models in different deployments depending on the version of Windows 10 (1511, 1703, 1709 and 1903).

Thanks to @greytone for noting this issue in ticket #4662 .

Changes proposed:

- add important Note outlining which Windows 10 version makes the PIN reset feature available and the key trust model to use in each case. The information summary is provided by @jvsam and @mapalko, based on the discussion in the issue ticket page and original user feedback.
- add spacing for another important note with MD quote indentation
- add spacing for a table quote indentation
- remove HTML tag incorrectly showing up in the MarkDown preview

Additional notes:

PR content and placement of the important note is subject to change, based on feedback from the author and MS Docs team members.

issue ticket closure or reference:

Closes #4662
---
 .../hello-identity-verification.md | 21 ++++++++++++++-----
 .../hello-planning-guide.md | 12 +++++++++++
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index f00875d1a2..e29dfc077d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -28,13 +28,24 @@ Windows Hello addresses the following problems with passwords: - Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). - Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing). ->[!div class="mx-tdBreakAll"] ->| | | | ->| :---: | :---: | :---: | ->| [![Overview Icon](images/hello_filter.png)](hello-overview.md)
[Overview](hello-overview.md) | [![Why a PIN is better than a password Icon](images/hello_lock.png)](hello-why-pin-is-better-than-password.md)
[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [![Manage Hello Icon](images/hello_gear.png)](hello-manage-in-organization.md)
[Manage Windows Hello in your Organization](hello-manage-in-organization.md) | +> | | | | +> | :---: | :---: | :---: | +> | [![Overview Icon](images/hello_filter.png)](hello-overview.md)
[Overview](hello-overview.md) | [![Why a PIN is better than a password Icon](images/hello_lock.png)](hello-why-pin-is-better-than-password.md)
[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [![Manage Hello Icon](images/hello_gear.png)](hello-manage-in-organization.md)
[Manage Windows Hello in your Organization](hello-manage-in-organization.md) | ## Prerequisites +> [!Important] +> 1. Hybrid deployments support non-destructive PIN reset that only works with the certificate trust model.
. +> **Requirements:**
+> Microsoft PIN Reset Service - Windows 10, version 1709 or later, Enterprise Edition
+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> +> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
+> **Requirements:**
+> Reset from settings - Windows 10, version 1703, Professional
+> Reset above lock screen - Windows 10, version 1709, Professional
+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 + ### Cloud Only Deployment * Windows 10, version 1511 or later * Microsoft Azure Account @@ -74,5 +85,5 @@ The table shows the minimum requirements for each deployment. | AD FS with Azure MFA Server, or
AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or
AD FS with 3rd Party MFA Adapter | | Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing | ->[!IMPORTANT] +> [!IMPORTANT] > For Windows Hello for Business deployment, if you have several domains, at least one Windows Server Domain Controller 2016 is required for each domain. For more information, see the [planning guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers). diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 73d306bba1..0eeba360cd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -64,9 +64,21 @@ The hybrid deployment model is for organizations that: * Have identities synchronized to Azure Active Directory using Azure Active Directory Connect * Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources +> [!Important] +> Hybrid deployments support non-destructive PIN reset that only works with the certificate trust model.
+> **Requirements:**
+> Microsoft PIN Reset Service - Windows 10, version 1709 or later, Enterprise Edition
+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 + ##### On-premises The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory. +> [!Important] +> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
+> **Requirements:**
+> Reset from settings - Windows 10, version 1703, Professional
+> Reset above lock screen - Windows 10, version 1709, Professional
+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 It’s fundamentally important to understand which deployment model to use for a successful deployment. Some of aspects of the deployment may already be decided for you based on your current infrastructure.
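
Review bot: In hello-identity-verification.md (hunk at -28,13), item 1 of the note added under `## Prerequisites` shows a stray `.` between "certificate trust model." and `**Requirements:**` that the matching note in hello-planning-guide.md does not have; remove it. In the same note, the two "Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903" rows name no edition, while every other row names Enterprise or Professional, so a reader cannot tell which editions qualify; state the edition or say that it applies to all. "Destructive" and "non-destructive" are also used without a definition or link, and an administrator choosing a trust model needs to know what each kind of reset does to the user's existing credentials before relying on it.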
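
Review bot: The alert marker casing in hello-identity-verification.md is inconsistent after the hunk at -74,5: the line touched there reads `> [!IMPORTANT]`, while the notes this patch adds in both files use `> [!Important]`. Pick one spelling, preferably the one already in the file, so the two notes in the same document match.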
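
Review bot: In hello-planning-guide.md (hunk at -64,9), the on-premises note is added with no empty `+` line before or after it, whereas the hybrid note just above ends with an added empty line; confirm in the preview that the note is separated from the paragraph beginning "It's fundamentally important", otherwise that paragraph can be rendered as part of the quoted note. The two requirement lists here repeat the ones added to hello-identity-verification.md word for word, so a later version change has to be made in two places; consider keeping the list in one file and linking to it from the other.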