Merge branch 'main' into patch-4

Paolo Matarazzo
2022-09-23 17:18:00 -04:00
committed by GitHub
306 changed files with 1829 additions and 1072 deletions

View File

@ -2,14 +2,14 @@
title: Local Administrator Password Solution CSP
description: Learn how the Local Administrator Password Solution configuration service provider (CSP) is used by the enterprise to manage backup of local administrator account passwords.
ms.author: jsimmons
ms.topic: article
ms.prod: w11
ms.technology: windows
author: jsimmons
author: jay98014
ms.reviewer: vinpa
manager: aaroncz
ms.topic: reference
ms.prod: windows-client
ms.technology: itpro-manage
ms.localizationpriority: medium
ms.date: 07/04/2022
ms.reviewer: jsimmons
manager: jsimmons
ms.date: 09/20/2022
---
# Local Administrator Password Solution CSP
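Review bot: the front matter keeps a single `ms.author: jsimmons` line while `author` appears with both `jsimmons` and `jay98014`, and `ms.reviewer` and `manager` appear with `vinpa`/`aaroncz` as well as `jsimmons`. Confirm that `ms.author` and `author` still identify the same person after this change; if ownership of the article moved, update `ms.author` in the same edit so the two fields do not disagree. Also check that `ms.reviewer` is not left equal to the author, since a self-reviewed reference page for a credential-management CSP defeats the point of the field.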
@ -19,6 +19,9 @@ The Local Administrator Password Solution (LAPS) configuration service provider
> [!IMPORTANT]
> Windows LAPS is currently only available in Windows Insider builds as of 25145 and later. Support for the Windows LAPS Azure AD scenario is currently limited to a small group of Windows Insiders.
> [!TIP]
> This article covers the specific technical details of the LAPS CSP. For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps).
The following example shows the LAPS CSP in tree format.
```xml
@ -231,7 +234,7 @@ Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
### PasswordExpirationProtectionEnabled
<!--Description-->
Use this setting to configure additional enforcement of maximum password age for the managed local administrator account.
Use this setting to configure enforcement of maximum password age for the managed local administrator account.
<!--/Description-->
<!--SupportedSKUs-->
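Review bot: the reworded PasswordExpirationProtectionEnabled description ("Use this setting to configure enforcement of maximum password age ...") still does not say what is enforced when the setting is on versus off. Since this sentence is being touched anyway, add one sentence per state describing the resulting behaviour for the managed local administrator account, so an admin can tell what protection is lost by turning it off.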
@ -758,3 +761,5 @@ This example is configuring a hybrid device to back up its password to Active Di
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
[Windows LAPS](/windows-server/identity/laps/laps)

View File

@ -83,7 +83,8 @@ PassportForWork
-------UseBiometrics
-------Biometrics
----------UseBiometrics
----------FacialFeatureUse
----------FacialFeaturesUseEnhancedAntiSpoofing
----------EnableESSwithSupportedPeripherals
-------DeviceUnlock
----------GroupA
----------GroupB
@ -286,8 +287,6 @@ Boolean value used to enable or disable the use of biometric gestures, such as f
Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business.
Supported operations are Add, Get, Delete, and Replace.
*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
@ -305,6 +304,26 @@ Supported operations are Add, Get, Delete, and Replace.
*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
<a href="" id="biometrics-enableESSwithSupportedPeripherals--only-for---device-vendor-msft-"></a>**Biometrics/EnableESSwithSupportedPeripherals** (only for ./Device/Vendor/MSFT)
If this policy is enabled, Windows Hello authentication using peripheral biometric sensors will be blocked. Any non-authentication operational functionalities such as camera usage (for instance, video calls and the camera) will be unaffected.
If you enable this policy it can have the following possible values:
**0 - Enhanced Sign-in Security Disabled** (not recommended)
Enhanced sign-in security will be disabled on all systems, enabling the use of peripheral biometric authentication. If this policy value is set to 0 after users have enrolled in ESS biometrics, users will be prompted to reset their PIN. They will lose all their existing biometric enrollments. To use biometrics they will have to enroll again.
**1 - Enhanced Sign-in Security Enabled** (default and recommended for highest security)
Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any biometric device that Enhanced Sign-in Security does not support, including that of peripheral devices, will be blocked and not available for Windows Hello.
If you disable or do not configure this policy, Enhanced Sign-in Security is preferred on the device. The behavior will be the same as enabling the policy and setting the value to 1.
Supported operations are Add, Get, Delete, and Replace.
*Supported from Windows 11 version 22H2*
<a href="" id="deviceunlock"></a>**DeviceUnlock** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. Interior node.
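Review bot: the opening sentence of the new Biometrics/EnableESSwithSupportedPeripherals text ("If this policy is enabled, Windows Hello authentication using peripheral biometric sensors will be blocked") contradicts the value list that follows, where the policy is enabled and set to 0 and peripheral biometric authentication is allowed. The node takes 0 or 1, so describe the behaviour per value and drop the enabled/disabled framing, or say explicitly that blocking applies to value 1 only. The text also never states the data type or that 1 is the default when the node is absent in the same place as the other nodes do; the only hint is "default" in the heading for value 1. The parenthetical "camera usage (for instance, video calls and the camera)" repeats itself and can be shortened. The warning that switching to 0 after ESS enrollment forces a PIN reset and deletes existing biometric enrollments is the most operationally important sentence here and should be called out as a note rather than left inside the value description.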
@ -551,7 +570,7 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol
<Data>true</Data>
</Item>
</Add>
<Add>
<Add>
<CmdID>15</CmdID>
<Item>
<Target>
@ -566,6 +585,21 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol
<Data>true</Data>
</Item>
</Add>
<Add>
<CmdID>16</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/PassportForWork/Biometrics/EnableESSwithSupportedPeripherals
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>0</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
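Review bot: the added `<Add>` with `<CmdID>16</CmdID>` targets `./Vendor/MSFT/PassportForWork/Biometrics/EnableESSwithSupportedPeripherals`, but the node description added in this same commit marks it "only for ./Device/Vendor/MSFT"; use the `./Device/Vendor/MSFT/...` form in the `LocURI` or explain why the short form is equivalent. The example also sends `<Data>0</Data>`, which the description labels "not recommended" and which, per that description, prompts a PIN reset and removes existing biometric enrollments. A sample that readers will copy should either set 1 or carry a comment stating that 0 is shown deliberately and what it costs.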