This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for all customers but can't be confident that it's doing so in your environment.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this ring might experience outages if there are scenarios that weren't covered during testing in the Test ring.| -| Fast | 9% | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this ring is to cross the 500-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
| -| Broad | 90% | The Broad ring is the last group of users to receive changes. Since it contains most of the devices enrolled in Windows Autopatch, it favors stability over speed in deployment.| +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| +| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
| +| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| -## Moving devices between rings +## Moving devices in between deployment rings -If you want to move separate devices to different rings, repeat the following steps for each device: +If you want to move separate devices to different deployment rings, after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Ready** tab. + +**To move devices in between deployment rings:** 1. In Microsoft Endpoint Manager, select **Devices** in the left pane. 2. In the **Windows Autopatch** section, select **Devices**. -3. Select the devices you want to assign. All selected devices will be assigned to the ring you specify. +3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify. 4. Select **Device actions** from the menu. 5. Select **Assign device to ring**. A fly-in opens. -6. Use the dropdown menu to select the ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**. +6. Use the dropdown menu to select the deployment ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**. -When the assignment is complete, the **Ring assigned by** column will change to Admin (indicates that you made the change) and the **Ring** column will show the new ring assignment. +When the assignment is complete, the **Ring assigned by** column changes to **Admin** (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment. > [!NOTE] -> You can't move devices to other rings if they're in the "error" or "pending" registration state.If a device hasn't been properly removed, it could show a status of "ready." If you move such a device, it's possible that the move won't be complete. If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check that the device is available by searching for it in Intune. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). +> You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.
If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). + +## Automated deployment ring remediation functions + +Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: + +- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or +- An issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). + +There are two automated deployment ring remediation functions: + +| Function | Description | +| ----- | ----- | +| **Check Device Deployment Ring Membership** | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If, for some reason, a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). | +| **Multi-deployment ring device remediator:**| Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). If, for some reason, a device is part of multiple deployment rings, Windows Autopatch randomly removes device of one or more deployment rings until the device is only part of one deployment ring.| + +> [!IMPORTANT] +> Windows Autopatch automated deployment ring functions doesn't assign or remove devices to or from the **Modern Workplace Devices-Windows Autopatch-Test** ring. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index e58e36cbfd..c7c96c2575 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality updates description: This article explains how Windows quality updates are managed in Autopatch -ms.date: 05/30/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -37,7 +37,7 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month. -To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update ring to control the rollout. There are three primary policies that are used to control Windows quality updates: +To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates: | Policy | Description | | ----- | ----- | @@ -48,7 +48,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s > [!IMPORTANT] > Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective). -Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Update rings](../operate/windows-autopatch-update-management.md#update-rings). +Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings). :::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline"::: diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 29d2234dde..54b36ea6ce 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: w11 ms.topic: faq - ms.date: 07/06/2022 + ms.date: 08/08/2022 audience: itpro ms.localizationpriority: medium manager: dougeby @@ -96,9 +96,9 @@ sections: - question: Can you customize the scheduling of an update rollout to only install on certain days and times? answer: | No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. - - question: Does Autopatch support include and exclude groups, or dynamic groups to define ring membership? + - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? answer: | - Windows autopatch doesn't support managing update ring membership using your Azure AD groups. For more information, see [Move devices between rings](../operate/windows-autopatch-update-management.md#moving-devices-between-rings). + Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? answer: | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index 99940fe13f..7ff9f212c0 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -99,6 +99,9 @@ Within the Readiness assessment tool, you'll now see the **Enroll** button. By s Once these actions are complete, you've now successfully enrolled your tenant. +> [!NOTE] +> For more information about changes made to your tenant, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). + ### Delete data collected from the Readiness assessment tool You can choose to delete the data we collect directly within the Readiness assessment tool. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md new file mode 100644 index 0000000000..62a9d46a41 --- /dev/null +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -0,0 +1,161 @@ +--- +title: Changes made at tenant enrollment +description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch +ms.date: 08/08/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: reference +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Changes made at tenant enrollment + +## Service principal + +Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: + +- Modern Workplace Customer APIs + +## Azure Active Directory groups + +Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our service accounts. + +| Group name | Description | +| ----- | ----- | +| Modern Workplace-All | All Modern Workplace users | +| Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. | +| Modern Workplace Devices-All | All Modern Workplace devices | +| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout | +| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters | +| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption | +| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization | +| Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10
Group Rule:
Group Rule:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Guests|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Can be moved out, but we do not recommend it.|
-|Safe to delegate management of this group to non-Service admins?|No|
-
-
-
-## KRBTGT account
-
-
-The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.
-
-KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.
-
-Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC.
-
-### KRBTGT account maintenance considerations
-
-A strong password is assigned to the KRBTGT and trust accounts automatically. Like any privileged service accounts, organizations should change these passwords on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets.
-
-Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
-
-After you reset the KRBTGT password, ensure that event ID 9 in the (Kerberos) Key-Distribution-Center event source is written to the System event log.
-
-### Security considerations
-
-It is also a best practice to reset the KRBTGT account password to ensure that a newly restored domain controller does not replicate with a compromised domain controller. In this case, in a large forest recovery that is spread across multiple locations, you cannot guarantee that all domain controllers are shut down, and if they are shut down, they cannot be rebooted again before all of the appropriate recovery steps have been undertaken. After you reset the KRBTGT account, another domain controller cannot replicate this account password by using an old password.
-
-An organization suspecting domain compromise of the KRBTGT account should consider the use of professional incident response services. The impact to restore the ownership of the account is domain-wide and labor intensive an should be undertaken as part of a larger recovery effort.
-
-The KRBTGT password is the key from which all trust in Kerberos chains up to. Resetting the KRBTGT password is similar to renewing the root CA certificate with a new key and immediately not trusting the old key, resulting in almost all subsequent Kerberos operations will be affected.
-
-For all account types (users, computers, and services)
-
-- All the TGTs that are already issued and distributed will be invalid because the DCs will reject them. These tickets are encrypted with the KRBTGT so any DC can validate them. When the password changes, the tickets become invalid.
-
-- All currently authenticated sessions that logged on users have established (based on their service tickets) to a resource (such as a file share, SharePoint site, or Exchange server) are good until the service ticket is required to re-authenticate.
-
-- NTLM authenticated connections are not affected
-
-Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected.
-
-> [!IMPORTANT]
-> Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer.
-
-For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](https://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/).
-
-### Read-only domain controllers and the KRBTGT account
-
-Windows Server 2008 introduced the read-only domain controller (RODC). The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different KRBTGT account and password than the KDC on a writable domain controller when it signs or encrypts ticket-granting ticket (TGT) requests. After an account is successfully authenticated, the RODC determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC by using the Password Replication Policy.
-
-After the credentials are cached on the RODC, the RODC can accept that user's sign-in requests until the credentials change. When a TGT is signed with the KRBTGT account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller.
-
-### KRBTGT account attributes
-
-For details about the KRBTGT account attributes, see the following table.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-` Global groups from any domain in the same forest Other Universal groups from any domain in the same forest|Can be converted to Domain Local scope if the group is not a member of any other Universal groups Can be converted to Global scope if the group does not contain any other Universal groups|On any domain in the same forest or trusting forests|Other Universal groups in the same forest Domain Local groups in the same forest or trusting forests Local groups on computers in the same forest or trusting forests|
-|Global|Accounts from the same domain Other Global groups from the same domain|Can be converted to Universal scope if the group is not a member of any other global group|On any domain in the same forest, or trusting domains or forests|Universal groups from any domain in the same forest Other Global groups from the same domain Domain Local groups from any domain in the same forest, or from any trusting domain|
-|Domain Local|Accounts from any domain or any trusted domain Global groups from any domain or any trusted domain Universal groups from any domain in the same forest Other Domain Local groups from the same domain Accounts, Global groups, and Universal groups from other forests and from external domains|Can be converted to Universal scope if the group does not contain any other Domain Local groups|Within the same domain|Other Domain Local groups from the same domain Local groups on computers in the same domain, excluding built-in groups that have well-known SIDs|
-
-### Special identity groups
-
-Special identities are generally referred to as groups. Special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances. Some of these groups include Creator Owner, Batch, and Authenticated User.
-
-For information about all the special identity groups, see [Special Identities](special-identities.md).
-
-## Default security groups
-
-
-Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and to delegate specific domain-wide administrative roles.
-
-Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers in the domain.
-
-When you add a user to a group, the user receives all the user rights that are assigned to the group and all the permissions that are assigned to the group for any shared resources.
-
-Default groups are located in the **Builtin** container and in the **Users** container in Active Directory Users and Computers. The **Builtin** container includes groups that are defined with the Domain Local scope. The **Users** includes contains groups that are defined with Global scope and groups that are defined with Domain Local scope. You can move groups that are located in these containers to other groups or organizational units (OU) within the domain, but you cannot move them to other domains.
-
-Some of the administrative groups that are listed in this topic and all members of these groups are protected by a background process that periodically checks for and applies a specific security descriptor. This descriptor is a data structure that contains security information associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings.
-
-The security descriptor is present on the **AdminSDHolder** object. This means that if you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the **AdminSDHolder** object so that it will be applied consistently. Be careful when you make these modifications because you are also changing the default settings that will be applied to all of your protected administrative accounts.
-
-### Active Directory default security groups by operating system version
-
-The following tables provide descriptions of the default groups that are located in the **Builtin** and **Users** containers in each operating system.
-
-|Default Security Group|Windows Server 2016|Windows Server 2012 R2|Windows Server 2012|Windows Server 2008 R2|
-|--- |--- |--- |--- |--- |
-|[Access Control Assistance Operators](#bkmk-acasstops)|Yes|Yes|Yes||
-|[Account Operators](#bkmk-accountoperators)|Yes|Yes|Yes|Yes|
-|[Administrators](#bkmk-admins)|Yes|Yes|Yes|Yes|
-|[Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl)|Yes|Yes|Yes|Yes|
-|[Backup Operators](#bkmk-backupoperators)|Yes|Yes|Yes|Yes|
-|[Certificate Service DCOM Access](#bkmk-certificateservicedcomaccess)|Yes|Yes|Yes|Yes|
-|[Cert Publishers](#bkmk-certpublishers)|Yes|Yes|Yes|Yes|
-|[Cloneable Domain Controllers](#bkmk-cloneabledomaincontrollers)|Yes|Yes|Yes||
-|[Cryptographic Operators](#bkmk-cryptographicoperators)|Yes|Yes|Yes|Yes|
-|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|Yes|Yes|Yes|Yes|
-|[Device Owners](#bkmk-device-owners)|Yes|Yes|Yes|Yes|
-|[Distributed COM Users](#bkmk-distributedcomusers)|Yes|Yes|Yes|Yes|
-|[DnsUpdateProxy](#bkmk-dnsupdateproxy)|Yes|Yes|Yes|Yes|
-|[DnsAdmins](#bkmk-dnsadmins)|Yes|Yes|Yes|Yes|
-|[Domain Admins](#bkmk-domainadmins)|Yes|Yes|Yes|Yes|
-|[Domain Computers](#bkmk-domaincomputers)|Yes|Yes|Yes|Yes|
-|[Domain Controllers](#bkmk-domaincontrollers)|Yes|Yes|Yes|Yes|
-|[Domain Guests](#bkmk-domainguests)|Yes|Yes|Yes|Yes|
-|[Domain Users](#bkmk-domainusers)|Yes|Yes|Yes|Yes|
-|[Enterprise Admins](#bkmk-entadmins)|Yes|Yes|Yes|Yes|
-|[Enterprise Key Admins](#enterprise-key-admins)|Yes||||
-|[Enterprise Read-only Domain Controllers](#bkmk-entrodc)|Yes|Yes|Yes|Yes|
-|[Event Log Readers](#bkmk-eventlogreaders)|Yes|Yes|Yes|Yes|
-|[Group Policy Creator Owners](#bkmk-gpcreatorsowners)|Yes|Yes|Yes|Yes|
-|[Guests](#bkmk-guests)|Yes|Yes|Yes|Yes|
-|[Hyper-V Administrators](#bkmk-hypervadministrators)|Yes|Yes|Yes||
-|[IIS_IUSRS](#bkmk-iis-iusrs)|Yes|Yes|Yes|Yes|
-|[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs)|Yes|Yes|Yes|Yes|
-|[Key Admins](#key-admins)|Yes||||
-|[Network Configuration Operators](#bkmk-networkcfgoperators)|Yes|Yes|Yes|Yes|
-|[Performance Log Users](#bkmk-perflogusers)|Yes|Yes|Yes|Yes|
-|[Performance Monitor Users](#bkmk-perfmonitorusers)|Yes|Yes|Yes|Yes|
-|[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess)|Yes|Yes|Yes|Yes|
-|[Print Operators](#bkmk-printoperators)|Yes|Yes|Yes|Yes|
-|[Protected Users](#bkmk-protectedusers)|Yes|Yes|||
-|[RAS and IAS Servers](#bkmk-rasandias)|Yes|Yes|Yes|Yes|
-|[RDS Endpoint Servers](#bkmk-rdsendpointservers)|Yes|Yes|Yes||
-|[RDS Management Servers](#bkmk-rdsmanagementservers)|Yes|Yes|Yes||
-|[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers)|Yes|Yes|Yes||
-|[Read-only Domain Controllers](#bkmk-rodc)|Yes|Yes|Yes|Yes|
-|[Remote Desktop Users](#bkmk-remotedesktopusers)|Yes|Yes|Yes|Yes|
-|[Remote Management Users](#bkmk-remotemanagementusers)|Yes|Yes|Yes||
-|[Replicator](#bkmk-replicator)|Yes|Yes|Yes|Yes|
-|[Schema Admins](#bkmk-schemaadmins)|Yes|Yes|Yes|Yes|
-|[Server Operators](#bkmk-serveroperators)|Yes|Yes|Yes|Yes|
-|[Storage Replica Administrators](#storage-replica-administrators)|Yes||||
-|[System Managed Accounts Group](#system-managed-accounts-group)|Yes||||
-|[Terminal Server License Servers](#bkmk-terminalserverlic)|Yes|Yes|Yes|Yes|
-|[Users](#bkmk-users)|Yes|Yes|Yes|Yes|
-|[Windows Authorization Access Group](#bkmk-winauthaccess)|Yes|Yes|Yes|Yes|
-|[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-)||Yes|Yes||
-
-### Access Control Assistance Operators
-
-Members of this group can remotely query authorization attributes and permissions for resources on the computer.
-
-The Access Control Assistance Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-579|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Account Operators
-
-The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.
-
-Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the [Administrators](#bkmk-admins), [Server Operators](#bkmk-serveroperators), [Account Operators](#bkmk-accountoperators), [Backup Operators](#bkmk-backupoperators), or [Print Operators](#bkmk-printoperators) groups. Members of this group cannot modify user rights.
-
-The Account Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved.
-
-
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-548|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight|
-
-
-
-### Administrators
-
-Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain.
-
-The Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups.
-
-Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain.
-
-
-
-This security group includes the following changes since Windows Server 2008:
-
-- Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services).
-
-- [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station) was removed in Windows Server 2012 R2.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-544|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|Administrator, Domain Admins, Enterprise Admins|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services): SeRemoteInteractiveLogonRight [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege [Create a pagefile](/windows/device-security/security-policy-settings/create-a-pagefile): SeCreatePagefilePrivilege [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege [Create symbolic links](/windows/device-security/security-policy-settings/create-symbolic-links): SeCreateSymbolicLinkPrivilege [Debug programs](/windows/device-security/security-policy-settings/debug-programs): SeDebugPrivilege [Enable computer and user accounts to be trusted for delegation](/windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation): SeEnableDelegationPrivilege [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege [Increase scheduling priority](/windows/device-security/security-policy-settings/increase-scheduling-priority): SeIncreaseBasePriorityPrivilege [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight [Manage auditing and security log](/windows/device-security/security-policy-settings/manage-auditing-and-security-log): SeSecurityPrivilege [Modify firmware environment values](/windows/device-security/security-policy-settings/modify-firmware-environment-values): SeSystemEnvironmentPrivilege [Perform volume maintenance tasks](/windows/device-security/security-policy-settings/perform-volume-maintenance-tasks): SeManageVolumePrivilege [Profile system performance](/windows/device-security/security-policy-settings/profile-system-performance): SeSystemProfilePrivilege [Profile single process](/windows/device-security/security-policy-settings/profile-single-process): SeProfileSingleProcessPrivilege [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station): SeUndockPrivilege [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege [Take ownership of files or other objects](/windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects): SeTakeOwnershipPrivilege|
-
-### Allowed RODC Password Replication Group
-
-The purpose of this security group is to manage a RODC password replication policy. This group has no members by default, and it results in the condition that new Read-only domain controllers do not cache user credentials. The [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.
-
-The Allowed RODC Password Replication group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-571|
-|Type|Domain local|
-|Default container|CN=Users DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Backup Operators
-
-Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the following groups: default service Administrators, Domain Admins in the domain, or Enterprise Admins. It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators.
-
-The Backup Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-551|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege|
-
-
-
-### Certificate Service DCOM Access
-
-Members of this group are allowed to connect to certification authorities in the enterprise.
-
-The Certificate Service DCOM Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-<domain>-574|
-|Type|Domain Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-### Cert Publishers
-
-Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory.
-
-The Cert Publishers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-517|
-|Type|Domain Local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-### Cloneable Domain Controllers
-
-Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group).
-
-For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100).
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-522|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Cryptographic Operators
-
-Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode.
-
-The Cryptographic Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group was introduced in Windows Vista Service Pack 1, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-569|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-
-### Denied RODC Password Replication Group
-
-Members of the Denied RODC Password Replication group cannot have their passwords replicated to any Read-only domain controller.
-
-The purpose of this security group is to manage a RODC password replication policy. This group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication Group supersedes the [Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl).
-
-This security group includes the following changes since Windows Server 2008:
-
-- Windows Server 2012 changed the default members to include [Cert Publishers](#bkmk-certpublishers).
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-572|
-|Type|Domain local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|[Cert Publishers](#bkmk-certpublishers) [Domain Admins](#bkmk-domainadmins) [Domain Controllers](#bkmk-domaincontrollers) [Enterprise Admins](#bkmk-entadmins) Group Policy Creator Owners [Read-only Domain Controllers](#bkmk-rodc) [Schema Admins](#bkmk-schemaadmins)|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?||
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-### Device Owners
-This group is not currently used in Windows.
-
-Microsoft does not recommend changing the default configuration where this security group has zero members. Changing the default configuration could hinder future scenarios that rely on this group.
-
-The Device Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-583|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Can be moved out but it is not recommended|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege|
-
-### Distributed COM Users
-
-Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-The Distributed COM Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-562|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### DnsUpdateProxy
-
-Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario.
-
-However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
-
-For information, see [DNS Record Ownership and the DnsUpdateProxy Group](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd334715(v=ws.10)).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### DnsAdmins
-
-Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
-
-For more information about security and DNS, see [DNSSEC in Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593694(v=ws.11)).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>|
-|Type|Builtin Local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Domain Admins
-
-Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.
-
-The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins), and by members of the Enterprise Admins group. This is considered a service administrator account because its members have full access to the domain controllers in a domain.
-
-The Domain Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-512|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator|
-|Default member of|[Administrators](#bkmk-admins) [Denied RODC Password ReplicationGroup](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Administrators](#bkmk-admins) See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-
-
-### Domain Computers
-
-This group can include all computers and servers that have joined the domain, excluding domain controllers. By default, any computer account that is created automatically becomes a member of this group.
-
-The Domain Computers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-515|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|All computers joined to the domain, excluding domain controllers|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes (but not required)|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-### Domain Controllers
-
-The Domain Controllers group can include all domain controllers in the domain. New domain controllers are automatically added to this group.
-
-The Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-516|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Computer accounts for all domain controllers of the domain|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|No|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-### Domain Guests
-
-The Domain Guests group includes the domain’s built-in Guest account. When members of this group sign in as local guests on a domain-joined computer, a domain profile is created on the local computer.
-
-The Domain Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-514|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Guest|
-|Default member of|[Guests](#bkmk-guests)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Can be moved out but it is not recommended|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Guests](#bkmk-guests)|
-
-### Domain Users
-
-The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it is automatically added to this group.
-
-By default, any user account that is created in the domain automatically becomes a member of this group. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group on the print server that has permissions for the printer).
-
-The Domain Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-513|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator
-krbtgt|
-|Default member of|[Users](#bkmk-users)|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Users](#bkmk-users)|
-
-### Enterprise Admins
-
-The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, such as adding child domains.
-
-By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access for configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Membership can be modified only by the default service administrator groups in the root domain. This is considered a service administrator account.
-
-The Enterprise Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<root domain>-519|
-|Type|Universal (if Domain is in Native-Mode) else Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator|
-|Default member of|[Administrators](#bkmk-admins)
-[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Administrators](#bkmk-admins) See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-### Enterprise Key Admins
-
-Members of this group can perform administrative actions on key objects within the forest.
-
-The Enterprise Key Admins group was introduced in Windows Server 2016.
-
-| Attribute | Value |
-|-----------|-------|
-| Well-Known SID/RID | S-1-5-21-<domain>-527 |
-| Type | Global |
-| Default container | CN=Users, DC=<domain>, DC= |
-| Default members | None |
-| Default member of | None |
-| Protected by ADMINSDHOLDER? | Yes |
-| Safe to move out of default container? | Yes |
-| Safe to delegate management of this group to non-Service admins? | No |
-| Default User Rights | None |
-
-
-### Enterprise Read-Only Domain Controllers
-
-Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller.
-
-Read-only domain controllers address some of the issues that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller, but not the physical security, network bandwidth, or local expertise to support it.
-
-For more information, see [What Is an RODC?](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771030(v=ws.10)).
-
-The Enterprise Read-Only Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<root domain>-498|
-|Type|Universal|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?||
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Event Log Readers
-
-Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.
-
-The Event Log Readers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-573|
-|Type|Domain Local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Group Policy Creator Owners
-
-This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator.
-
-For information about other features you can use with this security group, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)).
-
-The Group Policy Creator Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-520|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|No|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-### Guests
-
-Members of the Guests group have the same access as members of the Users group by default, except that the Guest account has further restrictions. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to sign in with limited privileges to a computer’s built-in Guest account.
-
-When a member of the Guests group signs out, the entire profile is deleted. This includes everything that is stored in the **%userprofile%** directory, including the user's registry hive information, custom desktop icons, and other user-specific settings. This implies that a guest must use a temporary profile to sign in to the system. This security group interacts with the Group Policy setting **Do not logon users with temporary profiles** when it is enabled. This setting is located under the following path:
-
-Computer Configuration\\Administrative Templates\\System\\User Profiles
-
-> [!NOTE]
-> A Guest account is a default member of the Guests security group. People who do not have an actual account in the domain can use the Guest account. A user whose account is disabled (but not deleted) can also use the Guest account.
-
-The Guest account does not require a password. You can set rights and permissions for the Guest account as in any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to sign in to a domain. The Guest account is disabled by default, and we recommend that it stay disabled.
-
-The Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-546|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|[Domain Guests](#bkmk-domainguests)|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-
-### Hyper-V Administrators
-
-Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access.
-
-> [!NOTE]
-> Prior to Windows Server 2012, access to features in Hyper-V was controlled in part by membership in the Administrators group.
-
-
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-578|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### IIS\_IUSRS
-
-IIS\_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the IUSR\_MachineName account and the IIS\_WPG group with the IIS\_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of the Windows operating system that you install, the IIS account name will always be IUSR, and the group name will be IIS\_IUSRS.
-
-For more information, see [Understanding Built-In User and Group Accounts in IIS 7](/iis/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-568|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|IUSR|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?||
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Incoming Forest Trust Builders
-
-Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must determine whether the domain being requested by a user, computer, or service has a trust relationship with the logon domain of the requesting account.
-
-To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. A secured channel extends to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups.
-
-> [!NOTE]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-
-
-For more information, see [How Domain and Forest Trusts Work: Domain and Forest Trusts](/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)).
-
-The Incoming Forest Trust Builders group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This group cannot be renamed, deleted, or moved.
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-557|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-### Key Admins
-
-Members of this group can perform administrative actions on key objects within the domain.
-
-The Key Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-| Attribute | Value |
-|-----------|-------|
-| Well-Known SID/RID | S-1-5-21-<domain>-526 |
-| Type | Global |
-| Default container | CN=Users, DC=<domain>, DC= |
-| Default members | None |
-| Default member of | None |
-| Protected by ADMINSDHOLDER? | Yes |
-| Safe to move out of default container? | Yes |
-| Safe to delegate management of this group to non-Service admins? | No |
-| Default User Rights | None |
-
-
-
-### Network Configuration Operators
-
-Members of the Network Configuration Operators group can have the following administrative privileges to manage configuration of networking features:
-
-- Modify the Transmission Control Protocol/Internet Protocol (TCP/IP) properties for a local area network (LAN) connection, which includes the IP address, the subnet mask, the default gateway, and the name servers.
-
-- Rename the LAN connections or remote access connections that are available to all the users.
-
-- Enable or disable a LAN connection.
-
-- Modify the properties of all of remote access connections of users.
-
-- Delete all the remote access connections of users.
-
-- Rename all the remote access connections of users.
-
-- Issue **ipconfig**, **ipconfig /release**, or **ipconfig /renew** commands.
-
-- Enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card.
-
-> [!NOTE]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-
-The Network Configuration Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This group cannot be renamed, deleted, or moved.
-
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-556|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-### Performance Log Users
-
-Members of the Performance Log Users group can manage performance counters, logs, and alerts locally on the server and from remote clients without being a member of the Administrators group. Specifically, members of this security group:
-
-- Can use all the features that are available to the Performance Monitor Users group.
-
-- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right.
-
- > [!WARNING]
- > If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials.
-
- > [!NOTE]
- > In Windows Server 2016 or later, Data Collector Sets cannot be created by a member of the Performance Log Users group.
- > If a member of the Performance Log Users group tries to create Data Collector Sets, they cannot complete creation because access will be denied.
-
-- Cannot use the Windows Kernel Trace event provider in Data Collector Sets.
-
-For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
-
-> [!NOTE]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-
-The Performance Log Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This account cannot be renamed, deleted, or moved.
-
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-559|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight|
-
-
-
-### Performance Monitor Users
-
-Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups. The Windows Performance Monitor is a Microsoft Management Console (MMC) snap-in that provides tools for analyzing system performance. From a single console, you can monitor application and hardware performance, customize what data you want to collect in logs, define thresholds for alerts and automatic actions, generate reports, and view past performance data in a variety of ways.
-
-Specifically, members of this security group:
-
-- Can use all the features that are available to the Users group.
-
-- Can view real-time performance data in Performance Monitor.
-
- Can change the Performance Monitor display properties while viewing data.
-
-- Cannot create or modify Data Collector Sets.
-
- > [!WARNING]
- > You cannot configure a Data Collector Set to run as a member of the Performance Monitor Users group.
-
-
-
-> [!NOTE]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). This group cannot be renamed, deleted, or moved.
-
-
-
-The Performance Monitor Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-558|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-
-### Pre–Windows 2000 Compatible Access
-
-Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity group, Everyone, is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier.
-
-> [!WARNING]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-
-The Pre–Windows 2000 Compatible Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-554|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|If you choose the Pre–Windows 2000 Compatible Permissions mode, Everyone and Anonymous are members, and if you choose the Windows 2000-only permissions mode, Authenticated Users are members.|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|
-
-
-
-### Print Operators
-
-Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain.
-
-This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved.
-
-The Print Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see [Assign Delegated Print Administrator and Printer Permission Settings in Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj190062(v=ws.11)).
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-550|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege|
-
-### Protected Users
-
-Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes.
-
-This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group.
-
-This domain-related, global group triggers non-configurable protection on devices and host computers, starting with the Windows Server 2012 R2 and Windows 8.1 operating systems. It also triggers non-configurable protection on domain controllers in domains with a primary domain controller running Windows Server 2012 R2 or Windows Server 2016. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer.
-
-Depending on the account’s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows.
-
-- Members of the Protected Users group cannot authenticate by using the following Security Support Providers (SSPs): NTLM, Digest Authentication, or CredSSP. Passwords are not cached on a device running Windows 8.1 or Windows 10, so the device fails to authenticate to a domain when the account is a member of the Protected User group.
-
-- The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process. This means that the domain must be configured to support at least the AES cipher suite.
-
-- The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.
-
-- The default Kerberos ticket-granting tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center. This means that when four hours has passed, the user must authenticate again.
-
-The Protected Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This group was introduced in Windows Server 2012 R2. For more information about how this group works, see [Protected Users Security Group](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)).
-
-The following table specifies the properties of the Protected Users group.
-
-|Attribute|Value|
-|--- |--- |
-|Well-known SID/RID|S-1-5-21-<domain>-525|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-service admins?|No|
-|Default user rights|None|
-
-### RAS and IAS Servers
-
-Computers that are members of the RAS and IAS Servers group, when properly configured, are allowed to use remote access services. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically, such as IAS servers and Network Policy Servers. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.
-
-The RAS and IAS Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-553|
-|Type|Builtin Local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-### RDS Endpoint Servers
-
-Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
-
-For information about Remote Desktop Services, see [Host desktops and apps in Remote Desktop Services](/windows-server/remote/remote-desktop-services/welcome-to-rds).
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-576|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-### RDS Management Servers
-
-Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-577|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### RDS Remote Access Servers
-
-Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group.
-
-For more information, see [Host desktops and apps in Remote Desktop Services](/windows-server/remote/remote-desktop-services/welcome-to-rds).
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-575|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Read-Only Domain Controllers
-
-This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
-
-Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality:
-
-- Read-only AD DS database
-
-- Unidirectional replication
-
-- Credential caching
-
-- Administrator role separation
-
-- Read-only Domain Name System (DNS)
-
-For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754719(v=ws.10)).
-
-This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-521|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-### Remote Desktop Users
-
-The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-The Remote Desktop Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-555|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-
-
-
-### Remote Management Users
-
-Members of the Remote Management Users group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
-
-The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the [WinRMRemoteWMIUsers\_](#bkmk-winrmremotewmiusers-) group is allows remotely running Windows PowerShell commands.
-
-For more information, see [What's New in MI?](/previous-versions/windows/desktop/wmi_v2/what-s-new-in-mi) and [About WMI](/windows/win32/wmisdk/about-wmi).
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-580|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Replicator
-
-Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL). Each domain controller keeps a copy of SYSVOL for network clients to access. FRS can also replicate data for the Distributed File System (DFS), synchronizing the content of each member in a replica set as defined by DFS. FRS can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and by a schedule between sites.
-
-> [!WARNING]
-> In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server 2008 R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers.
-
-However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see:
-
-- [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows)](/windows/win32/win7appqual/file-replication-service--frs--is-deprecated-in-windows-server-2008-r2)
-- [DFS Namespaces and DFS Replication Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127250(v=ws.11))
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-552|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Schema Admins
-
-Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode.
-
-The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema.
-
-The membership of this group can be modified by any of the service administrator groups in the root domain. This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory.
-
-For more information, see [What Is the Active Directory Schema?: Active Directory](/previous-versions/windows/it-pro/windows-server-2003/cc784826(v=ws.10)).
-
-The Schema Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<root domain>-518|
-|Type|Universal (if Domain is in Native-Mode) else Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-### Server Operators
-
-Members in the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
-
-By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, and the Enterprise Admins group in the forest root domain. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.
-
-The Server Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-549|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): Restore files and directories SeRestorePrivilege [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege|
-
-### Storage Replica Administrators
-
-Members of this group have complete and unrestricted access to all features of Storage Replica.
-
-The Storage Replica Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-| Attribute | Value |
-|-----------|-------|
-| Well-Known SID/RID | S-1-5-32-582 |
-| Type | Builtin Local |
-| Default container | CN=BuiltIn, DC=<domain>, DC= |
-| Default members | None |
-| Default member of | None |
-| Protected by ADMINSDHOLDER? | No |
-| Safe to move out of default container? | Yes |
-| Safe to delegate management of this group to non-Service admins? | No |
-| Default User Rights | None |
-
-
-
-### System Managed Accounts Group
-
-Members of this group are managed by the system.
-
-The System Managed Accounts group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-
-| Attribute | Value |
-|-----------|-------|
-| Well-Known SID/RID | S-1-5-32-581 |
-| Type | Builtin Local |
-| Default container | CN=BuiltIn, DC=<domain>, DC= |
-| Default members | Users |
-| Default member of | None |
-| Protected by ADMINSDHOLDER? | No |
-| Safe to move out of default container? | Yes |
-| Safe to delegate management of this group to non-Service admins? | No |
-| Default User Rights | None |
-
-
-
-### Terminal Server License Servers
-
-Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-For more information about this security group, see [Terminal Services License Server Security Group Configuration](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc775331(v=ws.10)).
-
-The Terminal Server License Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This group cannot be renamed, deleted, or moved.
-
-
-
-This security group only applies to Windows Server 2003 and Windows Server 2008 because Terminal Services was replaced by Remote Desktop Services in Windows Server 2008 R2.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-561|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Safe to move out of default container?|Cannot be moved|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-### Users
-
-Members of the Users group are prevented from making accidental or intentional system-wide changes, and they can run most applications. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
-
-Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. This group cannot be renamed, deleted, or moved.
-
-The Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group includes the following changes since Windows Server 2008:
-
-- In Windows Server 2008 R2, INTERACTIVE was added to the default members list.
-
-- In Windows Server 2012, the default **Member Of** list changed from Domain Users to none.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-545|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|Authenticated Users [Domain Users](#bkmk-domainusers) INTERACTIVE|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-### Windows Authorization Access Group
-
-Members of this group have access to the computed token GroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function) that reads this attribute do not succeed if the calling security context does not have access to the attribute. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-The Windows Authorization Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This group cannot be renamed, deleted, or moved.
-
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-560|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|Enterprise Domain Controllers|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default user rights|None|
-
-### WinRMRemoteWMIUsers\_
-
-In Windows 8 and in Windows Server 2012, a **Share** tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running.
-
-The WinRMRemoteWMIUsers\_ group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-- If the file share is hosted on a server that is running a supported version of the operating system:
-
- - You must be a member of the WinRMRemoteWMIUsers\_\_ group or the BUILTIN\\Administrators group.
-
- - You must have Read permissions to the file share.
-
-- If the file share is hosted on a server that is running a version of Windows Server that is earlier than Windows Server 2012:
-
- - You must be a member of the BUILTIN\\Administrators group.
-
- - You must have Read permissions to the file share.
-
-In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers\_\_ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions.
-
-> [!NOTE]
-> The WinRMRemoteWMIUsers\_ group allows running Windows PowerShell commands remotely whereas the [Remote Management Users](#bkmk-remotemanagementusers) group is generally used to allow users to manage servers by using the Server Manager console.
-
-
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>|
-|Type|Domain local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-## See also
-
-- [Security Principals](security-principals.md)
-
-- [Special Identities](special-identities.md)
-
-- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md
deleted file mode 100644
index b19feb4975..0000000000
--- a/windows/security/identity-protection/access-control/dynamic-access-control.md
+++ /dev/null
@@ -1,140 +0,0 @@
----
-title: Dynamic Access Control Overview (Windows 10)
-description: Learn about Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-ms.reviewer:
----
-
-# Dynamic Access Control Overview
-
-**Applies to**
-- Windows Server 2016
-
-This overview topic for the IT professional describes Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.
-
-Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources.
-
-For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS). For more detailed examples of Dynamic Access Control in use, see the scenarios described in [Dynamic Access Control: Scenario Overview](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview).
-
-Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes.
-
-Features and concepts associated with Dynamic Access Control include:
-
-- [Central access rules](#bkmk-rules)
-
-- [Central access policies](#bkmk-policies)
-
-- [Claims](#bkmk-claims)
-
-- [Expressions](#bkmk-expressions2)
-
-- [Proposed permissions](#bkmk-permissions2)
-
-### Central access rules
-
-A central access rule is an expression of authorization rules that can include one or more conditions involving user groups, user claims, device claims, and resource properties. Multiple central access rules can be combined into a central access policy.
-
-If one or more central access rules have been defined for a domain, file share administrators can match specific rules to specific resources and business requirements.
-
-### Central access policies
-
-Central access policies are authorization policies that include conditional expressions. For example, let’s say an organization has a business requirement to restrict access to personally identifiable information (PII) in files to only the file owner and members of the human resources (HR) department who are allowed to view PII information. This represents an organization-wide policy that applies to PII files wherever they are located on file servers across the organization. To implement this policy, an organization needs to be able to:
-
-- Identify and mark the files that contain the PII.
-
-- Identify the group of HR members who are allowed to view the PII information.
-
-- Add the central access policy to a central access rule, and apply the central access rule to all files that contain the PII, wherever they are located amongst the file servers across the organization.
-
-Central access policies act as security umbrellas that an organization applies across its servers. These policies are in addition to (but do not replace) the local access policies or discretionary access control lists (DACLs) that are applied to files and folders.
-
-### Claims
-
-A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. The user’s title, the department classification of a file, or the health state of a computer are valid examples of a claim. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows:
-
-- **User claims** Active Directory attributes that are associated with a specific user.
-
-- **Device claims** Active Directory attributes that are associated with a specific computer object.
-
-- **Resource attributes** Global resource properties that are marked for use in authorization decisions and published in Active Directory.
-
-Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies.
-
-### Expressions
-
-Conditional expressions are an enhancement to access control management that allow or deny access to resources only when certain conditions are met, for example, group membership, location, or the security state of the device. Expressions are managed through the Advanced Security Settings dialog box of the ACL Editor or the Central Access Rule Editor in the Active Directory Administrative Center (ADAC).
-
-Expressions help administrators manage access to sensitive resources with flexible conditions in increasingly complex business environments.
-
-### Proposed permissions
-
-Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them.
-
-Predicting the effective access to a resource helps you plan and configure permissions for those resources before implementing those changes.
-
-## Additional changes
-
-
-Additional enhancements in the supported versions of Windows that support Dynamic Access Control include:
-
-### Support in the Kerberos authentication protocol to reliably provide user claims, device claims, and device groups.
-
-By default, devices running any of the supported versions of Windows are able to process Dynamic Access Control-related Kerberos tickets, which include data needed for compound authentication. Domain controllers are able to issue and respond to Kerberos tickets with compound authentication-related information. When a domain is configured to recognize Dynamic Access Control, devices receive claims from domain controllers during initial authentication, and they receive compound authentication tickets when submitting service ticket requests. Compound authentication results in an access token that includes the identity of the user and the device on the resources that recognize Dynamic Access Control.
-
-### Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain.
-
-Every domain controller needs to have the same Administrative Template policy setting, which is located at **Computer Configuration\\Policies\\Administrative Templates\\System\\KDC\\Support Dynamic Access Control and Kerberos armoring**.
-
-### Support in Active Directory to store user and device claims, resource properties, and central access policy objects.
-
-### Support for using Group Policy to deploy central access policy objects.
-
-The following Group Policy setting enables you to deploy central access policy objects to file servers in your organization: **Computer Configuration\\Policies\\ Windows Settings\\Security Settings\\File System\\Central Access Policy**.
-
-### Support for claims-based file authorization and auditing for file systems by using Group Policy and Global Object Access Auditing
-
-You must enable staged central access policy auditing to audit the effective access of central access policy by using proposed permissions. You configure this setting for the computer under **Advanced Audit Policy Configuration** in the **Security Settings** of a Group Policy Object (GPO). After you configure the security setting in the GPO, you can deploy the GPO to computers in your network.
-
-### Support for transforming or filtering claim policy objects that traverse Active Directory forest trusts
-
-You can filter or transform incoming and outgoing claims that traverse a forest trust. There are three basic scenarios for filtering and transforming claims:
-
-- **Value-based filtering** Filters can be based on the value of a claim. This allows the trusted forest to prevent claims with certain values from being sent to the trusting forest. Domain controllers in trusting forests can use value-based filtering to guard against an elevation-of-privilege attack by filtering the incoming claims with specific values from the trusted forest.
-
-- **Claim type-based filtering** Filters are based on the type of claim, rather than the value of the claim. You identify the claim type by the name of the claim. You use claim type-based filtering in the trusted forest, and it prevents Windows from sending claims that disclose information to the trusting forest.
-
-- **Claim type-based transformation** Manipulates a claim before sending it to the intended target. You use claim type-based transformation in the trusted forest to generalize a known claim that contains specific information. You can use transformations to generalize the claim-type, the claim value, or both.
-
-## Software requirements
-
-
-Because claims and compound authentication for Dynamic Access Control require Kerberos authentication extensions, any domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows to support authentication from Dynamic Access Control-aware Kerberos clients. By default, devices must use domain controllers in other sites. If no such domain controllers are available, authentication will fail. Therefore, you must support one of the following conditions:
-
-- Every domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows Server to support authentication from all devices running the supported versions of Windows or Windows Server.
-
-- Devices running the supported versions of Windows or that do not protect resources by using claims or compound identity, should disable Kerberos protocol support for Dynamic Access Control.
-
-For domains that support user claims, every domain controller running the supported versions of Windows server must be configured with the appropriate setting to support claims and compound authentication, and to provide Kerberos armoring. Configure settings in the KDC Administrative Template policy as follows:
-
-- **Always provide claims** Use this setting if all domain controllers are running the supported versions of Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher.
-
-- **Supported** When you use this setting, monitor domain controllers to ensure that the number of domain controllers running the supported versions of Windows Server is sufficient for the number of client computers that need to access resources protected by Dynamic Access Control.
-
-If the user domain and file server domain are in different forests, all domain controllers in the file server’s forest root must be set at the Windows Server 2012 or higher functional level.
-
-If clients do not recognize Dynamic Access Control, there must be a two-way trust relationship between the two forests.
-
-If claims are transformed when they leave a forest, all domain controllers in the user’s forest root must be set at the Windows Server 2012 or higher functional level.
-
-A file server running a server operating system that supports Dyamic Access Control must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server.
-
-## See also
-
-- [Access control overview](access-control.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md
deleted file mode 100644
index 7d9575a8f4..0000000000
--- a/windows/security/identity-protection/access-control/microsoft-accounts.md
+++ /dev/null
@@ -1,186 +0,0 @@
----
-title: Microsoft Accounts (Windows 10)
-description: Microsoft Accounts
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 10/13/2017
-ms.reviewer:
----
-
-# Microsoft Accounts
-
-**Applies to**
-- Windows 10
-
-This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization.
-
-Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a means of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password.
-
-When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices.
-
-## How a Microsoft account works
-
-The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Microsoft Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.
-
-When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user’s computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed.
-
-**Important**
-Local Windows account functionality has not been removed, and it is still an option to use in managed environments.
-
-### How Microsoft accounts are created
-
-To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. A user who tries to create multiple Microsoft accounts with the same IP address is stopped.
-
-Microsoft accounts are not designed to be created in batches, such as for a group of domain users within your enterprise.
-
-There are two methods for creating a Microsoft account:
-
-- **Use an existing email address**.
-
- Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal passwords.
-
-- **Sign up for a Microsoft email address**.
-
- Users can sign up for an email account with Microsoft's webmail services. This account can be used to sign in to websites that are enabled to use Microsoft accounts.
-
-### How the Microsoft account information is safeguarded
-
-Credential information is encrypted twice. The first encryption is based on the account’s password. Credentials are encrypted again when they are sent across the Internet. The data that is stored is not available to other Microsoft or non-Microsoft services.
-
-- **Strong password is required**.
-
- Blank passwords are not allowed.
-
- For more information, see [How to help keep your Microsoft account safe and secure](https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-safe-and-secure-628538c2-7006-33bb-5ef4-c917657362b9).
-
-- **Secondary proof of identity is required**.
-
- Before user profile information and settings can be accessed on a second supported Windows computer for the first time, trust must established for that device by providing secondary proof of identity. This can be accomplished by providing Windows with a code that is sent to a mobile phone number or by following the instructions that are sent to an alternate email address that a user specifies in the account settings.
-
-- **All user profile data is encrypted on the client before it is transmitted to the cloud**.
-
- User data does not roam over a wireless wide area network (WWAN) by default, thereby protecting profile data. All data and settings that leave a device are transmitted through the TLS/SSL protocol.
-
-**Microsoft account security information is added**.
-
-Users can add security information to their Microsoft accounts through the **Accounts** interface on computers running the supported versions of Windows. This feature allows the user to update the security information that they provided when they created their accounts. This security information includes an alternate email address or phone number so if their password is compromised or forgotten, a verification code can be sent to verify their identity. Users can potentially use their Microsoft accounts to store corporate data on a personal OneDrive or email app, so it is safe practice for the account owner to keep this security information up-to-date.
-
-## The Microsoft account in the enterprise
-
-
-Although the Microsoft account was designed to serve consumers, you might find situations where your domain users can benefit by using their personal Microsoft account in your enterprise. The following list describes some advantages.
-
-- **Download Microsoft Store apps**:
-
- If your enterprise chooses to distribute software through the Microsoft Store, your users can use their Microsoft accounts to download and use them on up to five devices running any version of Windows 10, Windows 8.1, Windows 8, or Windows RT.
-
-- **Single sign-on**:
-
- Your users can use Microsoft account credentials to sign in to devices running Windows 10, Windows 8.1, Windows 8 or Windows RT. When they do this, Windows works with your Microsoft Store app to provide authenticated experiences for them. Users can associate a Microsoft account with their sign-in credentials for Microsoft Store apps or websites, so that these credentials roam across any devices running these supported versions.
-
-- **Personalized settings synchronization**:
-
- Users can associate their most commonly used operating-system settings with a Microsoft account. These settings are available whenever a user signs in with that account on any device that is running a supported version of Windows and is connected to the cloud. After a user signs in, the device automatically attempts to get the user's settings from the cloud and apply them to the device.
-
-- **App synchronization**:
-
- Microsoft Store apps can store user-specific settings so that these settings are available to any device. As with operating system settings, these user-specific app settings are available whenever the user signs in with the same Microsoft account on any device that is running a supported version of Windows and is connected to the cloud. After the user signs in, that device automatically downloads the settings from the cloud and applies them when the app is installed.
-
-- **Integrated social media services**:
-
- Contact information and status for your users’ friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as OneDrive, Facebook, and Flickr.
-
-### Managing the Microsoft account in the domain
-
-Depending on your IT and business models, introducing Microsoft accounts into your enterprise might add complexity or it might provide solutions. You should address the following considerations before you allow the use of these account types in your enterprise:
-
-- [Restrict the use of the Microsoft account](#bkmk-restrictuse)
-
-- [Configure connected accounts](#bkmk-cfgconnectedaccounts)
-
-- [Provision Microsoft accounts in the enterprise](#bkmk-provisionaccounts)
-
-- [Audit account activity](#bkmk-audit)
-
-- [Perform password resets](#bkmk-passwordresets)
-
-- [Restrict app installation and usage](#bkmk-restrictappinstallationandusage)
-
-### Restrict the use of the Microsoft account
-
-The following Group Policy settings help control the use of Microsoft accounts in the enterprise:
-
-- [Block all consumer Microsoft account user authentication](#block-all-consumer-microsoft-account-user-authentication)
-- [Accounts: Block Microsoft accounts](#accounts-block-microsoft-accounts)
-
-#### Block all consumer Microsoft account user authentication
-
-This setting controls whether users can provide Microsoft accounts for authentication for applications or services.
-
-If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
-This applies both to existing users of a device and new users who may be added.
-
-However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires.
-It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present.
-
-If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication.
-By default, this setting is **Disabled**.
-
-This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications.
-
-The path to this setting is:
-
-Computer Configuration\Administrative Templates\Windows Components\Microsoft account
-
-#### Accounts: Block Microsoft accounts
-
-This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.
-
-There are two options if this setting is enabled:
-
-- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts).
-- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**.
-
-This setting does not affect adding a Microsoft account for application authentication. For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as **Mail**, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services).
-
-By default, this setting is **Not defined**.
-
-The path to this setting is:
-
-Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
-
-### Configure connected accounts
-
-Users can connect a Microsoft account to their domain account and synchronize the settings and preferences between them. This enables users to see the same desktop background, app settings, browser history and favorites, and other Microsoft account settings on their other devices.
-
-Users can disconnect a Microsoft account from their domain account at any time as follows: In **PC settings**, tap or click **Users**, tap or click **Disconnect**, and then tap or click **Finish**.
-
-**Note**
-Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account.
-
-### Provision Microsoft accounts in the enterprise
-
-Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts.
-
-### Audit account activity
-
-Because Microsoft accounts are Internet-based, Windows does not have a mechanism to audit their use until the account is associated with a domain account. But this association does not restrict the user from disconnecting the account or disjoining from the domain. It is not possible to audit the activity of accounts that are not associated with your domain.
-
-### Perform password resets
-
-Only the owner of the Microsoft account can change the password. Passwords can be changed in the [Microsoft account sign-in portal](https://login.live.com).
-
-### Restrict app installation and usage
-
-Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](/windows/device-security/applocker/applocker-overview) and [Packaged Apps and Packaged App Installer Rules in AppLocker](/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker).
-
-## See also
-
-- [Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj884082(v=ws.11))
-
-- [Access Control Overview](access-control.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
deleted file mode 100644
index eebc241c56..0000000000
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ /dev/null
@@ -1,331 +0,0 @@
----
-title: Security identifiers (Windows 10)
-description: Security identifiers
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection:
- - M365-identity-device-management
- - highpri
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
----
-
-# Security identifiers
-
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016
-- Windows Server 2019
-
-This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system.
-
-## What are security identifiers?
-
-A security identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.
-
-Each account or group, or process running in the security context of the account, has a unique SID that is issued by an authority, such as a Windows domain controller. It is stored in a security database. The system generates the SID that identifies a particular account or group at the time the account or group is created. When a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group.
-
-Each time a user signs in, the system creates an access token for that user. The access token contains the user's SID, user rights, and the SIDs for any groups the user belongs to. This token provides the security context for whatever actions the user performs on that computer.
-
-In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and World SIDs identify a group that includes all users. Well-known SIDs have values that remain constant across all operating systems.
-
-SIDs are a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment.
-
-The content in this topic applies to computers that are running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic.
-
-## How security identifiers work
-
-Users refer to accounts by using the account name, but the operating system internally refers to accounts and processes that run in the security context of the account by using their security identifiers (SIDs). For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account. SIDs are unique within their scope (domain or local), and they are never reused.
-
-The operating system generates a SID that identifies a particular account or group at the time the account or group is created. The SID for a local account or group is generated by the Local Security Authority (LSA) on the computer, and it is stored with other account information in a secure area of the registry. The SID for a domain account or group is generated by the domain security authority, and it is stored as an attribute of the User or Group object in Active Directory Domain Services.
-
-For every local account and group, the SID is unique for the computer where it was created. No two accounts or groups on the computer ever share the same SID. Likewise, for every domain account and group, the SID is unique within an enterprise. This means that the SID for an account or group that is created in one domain will never match the SID for an account or group created in any other domain in the enterprise.
-
-SIDs always remain unique. Security authorities never issue the same SID twice, and they never reuse SIDs for deleted accounts. For example, if a user with a user account in a Windows domain leaves her job, an administrator deletes her Active Directory account, including the SID that identifies the account. If she later returns to a different job at the same company, an administrator creates a new account, and the Windows Server operating system generates a new SID. The new SID does not match the old one; so none of the user's access from her old account is transferred to the new account. Her two accounts represent two completely different security principals.
-
-## Security identifier architecture
-
-A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
-
-
-
-The individual values of a SID are described in the following table.
-
-| Comment | Description |
-| - | - |
-| Revision | Indicates the version of the SID structure that is used in a particular SID. |
-| Identifier authority | Identifies the highest level of authority that can issue SIDs for a particular type of security principal. For example, the identifier authority value in the SID for the Everyone group is 1 (World Authority). The identifier authority value in the SID for a specific Windows Server account or group is 5 (NT Authority). |
-| Subauthorities | >Holds the most important information in a SID, which is contained in a series of one or more subauthority values. All values up to, but not including, the last value in the series collectively identify a domain in an enterprise. This part of the series is called the domain identifier. The last value in the series, which is called the relative identifier (RID), identifies a particular account or group relative to a domain. |
-
-The components of a SID are easier to visualize when SIDs are converted from a binary to a string format by using standard notation:
-```
-S-R-X-Y1-Y2-Yn-1-Yn
-```
-
-In this notation, the components of a SID are represented as shown in the following table.
-
-| Comment | Description |
-| - | - |
-| S | Indicates that the string is a SID |
-| R | Indicates the revision level |
-| X | Indicates the identifier authority value |
-| Y | Represents a series of subauthority values, where *n* is the number of values |
-
-The SID's most important information is contained in the series of subauthority values. The first part of the series (-Y1-Y2-Y*n*-1) is the domain identifier. This element of the SID becomes significant in an enterprise with several domains, because the domain identifier differentiates SIDs that are issued by one domain from SIDs that are issued by all other domains in the enterprise. No two domains in an enterprise share the same domain identifier.
-
-The last item in the series of subauthority values (-Y*n*) is the relative identifier. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same relative identifier.
-
-For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string:
-
-```
-S-1-5-32-544
-```
-
-This SID has four components:
-
-- A revision level (1)
-
-- An identifier authority value (5, NT Authority)
-
-- A domain identifier (32, Builtin)
-
-- A relative identifier (544, Administrators)
-
-SIDs for built-in accounts and groups always have the same domain identifier value: 32. This value identifies the domain **Builtin**, which exists on every computer that is running a version of the Windows Server operating system. It is never necessary to distinguish one computer's built-in accounts and groups from another computer's built-in accounts and groups because they are local in scope. They are local to a single computer, or in the case of domain controllers for a network domain, they are local to several computers that are acting as one.
-
-Built-in accounts and groups need to be distinguished from one another within the scope of the **Builtin** domain. Therefore, the SID for each account and group has a unique relative identifier. A relative identifier value of 544 is unique to the built-in Administrators group. No other account or group in the **Builtin** domain has a SID with a final value of 544.
-
-In another example, consider the SID for the global group, Domain Admins. Every domain in an enterprise has a Domain Admins group, and the SID for each group is different. The following example represents the SID for the Domain Admins group in the Contoso, Ltd. domain (Contoso\\Domain Admins):
-
-```
-S-1-5-21-1004336348-1177238915-682003330-512
-```
-
-The SID for Contoso\\Domain Admins has:
-
-- A revision level (1)
-
-- An identifier authority (5, NT Authority)
-
-- A domain identifier (21-1004336348-1177238915-682003330, Contoso)
-
-- A relative identifier (512, Domain Admins)
-
-The SID for Contoso\\Domain Admins is distinguished from the SIDs for other Domain Admins groups in the same enterprise by its domain identifier: 21-1004336348-1177238915-682003330. No other domain in the enterprise uses this value as its domain identifier. The SID for Contoso\\Domain Admins is distinguished from the SIDs for other accounts and groups that are created in the Contoso domain by its relative identifier, 512. No other account or group in the domain has a SID with a final value of 512.
-
-## Relative identifier allocation
-
-When accounts and groups are stored in an account database that is managed by a local Security Accounts Manager (SAM), it is fairly easy for the system to generate a unique relative identifier for each account and in a group that it creates on a stand-alone computer. The SAM on a stand-alone computer can track the relative identifier values that it has used before and make sure that it never uses them again.
-
-In a network domain, however, generating unique relative identifiers is a more complex process. Windows Server network domains can have several domain controllers. Each domain controller stores Active Directory account information. This means that, in a network domain, there are as many copies of the account database as there are domain controllers. In addition to this, every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes that are made to Active Directory on one domain controller are replicated to all other domain controllers in the domain. The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation.
-
-The process of generating unique relative identifiers is a single-master operation. One domain controller is assigned the role of relative identifier (RID) master, and it allocates a sequence of relative identifiers to each domain controller in the domain. When a new domain account or group is created in one domain controller's replica of Active Directory, it is assigned a SID. The relative identifier for the new SID is taken from the domain controller's allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller requests another block from the RID master.
-
-Each domain controller uses each value in a block of relative identifiers only once. The RID master allocates each block of relative identifier values only once. This process assures that every account and group created in the domain has a unique relative identifier.
-
-## Security identifiers and globally unique identifiers
-
-When a new domain user or group account is created, Active Directory stores the account's SID in the **ObjectSID** property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise, but also across the world. GUIDs are assigned to every object that is created by Active Directory, not only User and Group objects. Each object's GUID is stored in its **ObjectGUID** property.
-
-Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object GUID produces results if the user has an account somewhere in the enterprise. In fact, searching for any object by **ObjectGUID** might be the most reliable way of finding the object you want to locate. The values of other object properties can change, but the **ObjectGUID** property never changes. When an object is assigned a GUID, it keeps that value for life.
-
-If a user moves from one domain to another, the user gets a new SID. The SID for a group object does not change because groups stay in the domain where they were created. However, if people move, their accounts can move with them. If an employee moves from North America to Europe, but stays in the same company, an administrator for the enterprise can move the employee's User object from, for example, Contoso\\NoAm to Contoso\\Europe. If the administrator does this, the User object for the account needs a new SID. The domain identifier portion of a SID that is issued in NoAm is unique to NoAm; so the SID for the user's account in Europe has a different domain identifier. The relative identifier portion of a SID is unique relative to the domain; so if the domain changes, the relative identifier also changes.
-
-When a User object moves from one domain to another, a new SID must be generated for the user account and stored in the **ObjectSID** property. Before the new value is written to the property, the previous value is copied to another property of a User object, **SIDHistory**. This property can hold multiple values. Each time a User object moves to another domain, a new SID is generated and stored in the **ObjectSID** property, and another value is added to the list of old SIDs in **SIDHistory**. When a user signs in and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user, including the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client, and they are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token (including one of the SIDs in **SIDHistory**), can allow or deny the user access.
-
-If you allow or deny users' access to a resource based on their jobs, you should allow or deny access to a group, not to an individual. That way, when users change jobs or move to other departments, you can easily adjust their access by removing them from certain groups and adding them to others.
-
-However, if you allow or deny an individual user access to resources, you probably want that user's access to remain the same no matter how many times the user's account domain changes. The **SIDHistory** property makes this possible. When a user changes domains, there is no need to change the access control list (ACL) on any resource. If an ACL has the user's old SID, but not the new one, the old SID is still in the user's access token. It is listed among the SIDs for the user's groups, and the user is granted or denied access based on the old SID.
-
-## Well-known SIDs
-
-The values of certain SIDs are constant across all systems. They are created when the operating system or domain is installed. They are called well-known SIDs because they identify generic users or generic groups.
-
-There are universal well-known SIDs that are meaningful on all secure systems that use this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows operating systems.
-
-The following table lists the universal well-known SIDs.
-
-| Value | Universal Well-Known SID | Identifies |
-| - | - | - |
-| S-1-0-0 | Null SID | A group with no members. This is often used when a SID value is not known.|
-| S-1-1-0 | World | A group that includes all users. |
-| S-1-2-0 | Local | Users who log on to terminals that are locally (physically) connected to the system. |
-| S-1-2-1 | Console Logon | A group that includes users who are logged on to the physical console. |
-| S-1-3-0 | Creator Owner ID | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs. |
-| S-1-3-1 | Creator Group ID | A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs. |
-| S-1-3-2 | Creator Owner Server | |
-| S-1-3-3 | Creator Group Server | |
-| S-1-3-4 | Owner Rights | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. |
-| S-1-4 | Non-unique Authority | A SID that represents an identifier authority. |
-| S-1-5 | NT Authority | A SID that represents an identifier authority. |
-| S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.|
-
-The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest of the values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list.
-
-| Identifier Authority | Value | SID String Prefix |
-| - | - | - |
-| SECURITY_NULL_SID_AUTHORITY | 0 | S-1-0 |
-| SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 |
-| SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 |
-| SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 |
-| SECURITY_NT_AUTHORITY | 5 | S-1-5 |
-| SECURITY_AUTHENTICATION_AUTHORITY | 18 | S-1-18 |
-
-The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
-
-| Relative Identifier Authority | Value | Identifier Authority |
-| - | - | - |
-| SECURITY_NULL_RID | 0 | S-1-0 |
-| SECURITY_WORLD_RID | 0 | S-1-1 |
-| SECURITY_LOCAL_RID | 0 | S-1-2 |
-| SECURITY_CREATOR_OWNER_RID | 0 | S-1-3 |
-| SECURITY_CREATOR_GROUP_RID | 1 | S-1-3 |
-
-The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal and are meaningful only in installations of the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. The following table lists the well-known SIDs.
-
-| SID | Display Name | Description |
-| - | - | - |
-| S-1-5-1 | Dialup | A group that includes all users who are logged on to the system by means of a dial-up connection.|
-| S-1-5-113 | Local account| You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named.|
-| S-1-5-114| Local account and member of Administrators group | You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named. |
-| S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.|
-| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.|
-| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.|
-| S-1-5-5- *X*-*Y* | Logon Session| The *X* and *Y* values for these SIDs uniquely identify a particular logon session.|
-| S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.|
-| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
This option is required when using Challenge Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using digest authentication in Internet Information Services (IIS).|
-|Account is disabled|Prevents the user from signing in with the selected account. As an administrator, you can use disabled accounts as templates for common user accounts.|
-|Smart card is required for interactive logon|Requires that a user has a smart card to sign on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card.
When this attribute is applied on the account, the effect is as follows:
The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.|
-| S-1-5-8| Proxy| Does not currently apply: this SID is not used.|
-| S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.|
-| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.|
-| S-1-5-11 | Authenticated Users| A group that includes all users and computers with identities that have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password.
This group includes authenticated security principals from any trusted domain, not only the current domain.|
-| S-1-5-12 | Restricted Code| An identity that is used by a process that is running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: unrestricted, restricted, or disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token.|
-| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.|
-| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.|
-| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.|
-| S-1-5-17 | IUSR| An account that is used by the default Internet Information Services (IIS) user.|
-| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.
System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.|
-| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.|
-| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.|
-| S-1-5-*domain*-500 | Administrator| A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account.
The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed.
By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group.|
-| S-1-5-*domain*-501 | Guest| A user account for people who do not have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account.
By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups.
Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. The Guest account does not require a password, but it can have one.|
-| S-1-5-*domain*-502| krbtgt| A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.|
-| S-1-5-*domain*-512| Domain Admins| A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers.
Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.|
-| S-1-5-*domain*-513| Domain Users| A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.|
-| S-1-5-*domain*-514| Domain Guests| A global group, which by default, has only one member: the domain's built-in Guest account.|
-| S-1-5-*domain*-515 | Domain Computers| A global group that includes all computers that have joined the domain, excluding domain controllers.|
-| S-1-5-*domain*-516| Domain Controllers| A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.|
-| S-1-5-*domain*-517 | Cert Publishers| A global group that includes all computers that host an enterprise certification authority.
Cert Publishers are authorized to publish certificates for User objects in Active Directory.|
-| S-1-5-*root domain*-518| Schema Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.|
-| S-1-5-*root domain*-519| Enterprise Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode.
The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise certification authorities.
By default, the only member of Enterprise Admins is the Administrator account for the forest root domain. The group is a default member of every Domain Admins group in the forest. |
-| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.
Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.|
-| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.
Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.|
-| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.|
-| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.|
-| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.|
-| S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. |
-| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.|
-| S-1-5-32-549| Server Operators| Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.|
-| S-1-5-32-550 | Print Operators| A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.|
-| S-1-5-32-551 | Backup Operators| A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.|
-| S-1-5-32-552 | Replicators | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.|
-|S-1-5-32-554|Builtin\Pre-Windows 2000 Compatible Access|An alias added by Windows 2000. A backward compatibility group that allows read access on all users and groups in the domain.|
-|S-1-5-32-555|Builtin\Remote Desktop Users|An alias. Members in this group are granted the right to log on remotely.|
-|S-1-5-32-556|Builtin\Network Configuration Operators|An alias. Members in this group can have some administrative privileges to manage configuration of networking features.|
-|S-1-5-32-557|Builtin\Incoming Forest Trust Builders|An alias. Members of this group can create incoming, one-way trusts to this forest.|
-|S-1-5-32-558|Builtin\Performance Monitor Users|An alias. Members of this group have remote access to monitor this computer.|
-|S-1-5-32-559|Builtin\Performance Log Users|An alias. Members of this group have remote access to schedule logging of performance counters on this computer.|
-|S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.|
-|S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.|
-|S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.|
-|S-1-5-32-568|Builtin\IIS_IUSRS|An alias. A built-in group account for IIS users.|
-|S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.|
-|S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.|
-|S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.|
-|S-1-5-32-575|Builtin\RDS Remote Access Servers|A built-in local group. Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.|
-|S-1-5-32-576|Builtin\RDS Endpoint Servers|A built-in local group. Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.|
-|S-1-5-32-577|Builtin\RDS Management Servers|A builtin local group. Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.|
-|S-1-5-32-578|Builtin\Hyper-V Administrators|A built-in local group. Members of this group have complete and unrestricted access to all features of Hyper-V.|
-|S-1-5-32-579|Builtin\Access Control Assistance Operators|A built-in local group. Members of this group can remotely query authorization attributes and permissions for resources on this computer.|
-|S-1-5-32-580|Builtin\Remote Management Users|A built-in local group. Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.|
-| S-1-5-64-10| NTLM Authentication| A SID that is used when the NTLM authentication package authenticated the client|
-| S-1-5-64-14 | SChannel Authentication| A SID that is used when the SChannel authentication package authenticated the client.|
-| S-1-5-64-21 | Digest Authentication| A SID that is used when the Digest authentication package authenticated the client.|
-| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.|
-| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.|
-| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). |
-
-The following RIDs are relative to each domain.
-
-| RID |Decimal value| Identifies |
-| - | - | - |
-| DOMAIN_USER_RID_ADMIN | 500 | The administrative user account in a domain. |
-| DOMAIN_USER_RID_GUEST| 501 | The guest-user account in a domain. Users who do not have an account can automatically sign in to this account.|
-| DOMAIN_GROUP_RID_USERS | 513 | A group that contains all user accounts in a domain. All users are automatically added to this group.|
-| DOMAIN_GROUP_RID_GUESTS | 514 | The group Guest account in a domain.|
-| DOMAIN_GROUP_RID_COMPUTERS | 515 | The Domain Computer group. All computers in the domain are members of this group.|
-| DOMAIN_GROUP_RID_CONTROLLERS | 516 | The Domain Controller group. All domain controllers in the domain are members of this group.|
-| DOMAIN_GROUP_RID_CERT_ADMINS | 517 | The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group.|
-| DOMAIN_GROUP_RID_SCHEMA_ADMINS | 518 | The schema administrators' group. Members of this group can modify the Active Directory schema.|
-| DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | 519 | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.|
-| DOMAIN_GROUP_RID_POLICY_ADMINS| 520 | The policy administrators' group.|
-
-The following table provides examples of domain-relative RIDs that are used to form well-known SIDs for local groups.
-
-| RID | Decimal value | Identifies |
-| - | - | - |
-| DOMAIN_ALIAS_RID_ADMINS | 544 | Administrators of the domain.|
-| DOMAIN_ALIAS_RID_USERS | 545 | All users in the domain.|
-| DOMAIN_ALIAS_RID_GUESTS | 546 | Guests of the domain.|
-| DOMAIN_ALIAS_RID_POWER_USERS | 547 | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.|
-| DOMAIN_ALIAS_RID_BACKUP_OPS | 551 | A local group that is used to control the assignment of file backup-and-restore user rights.|
-| DOMAIN_ALIAS_RID_REPLICATOR | 552 | A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.|
-| DOMAIN_ALIAS_RID_RAS_SERVERS | 553 | A local group that represents remote access and servers running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.|
-
-## Changes in security identifier's functionality
-
-The following table describes changes in SID implementation in the Windows operating systems that are designated in the list.
-
-| Change | Operating system version | Description and resources |
-| - | - | - |
-| Most of the operating system files are owned by the TrustedInstaller security identifier (SID)| Windows Server 2008, Windows Vista| The purpose of this change is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. |
-| Restricted SID checks are implemented| Windows Server 2008, Windows Vista| When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object. |
-
-## Capability SIDs
-
-Capability Security Identifiers (SIDs) are used to uniquely and immutably identify capabilities. Capabilities represent an unforgeable token of authority that grants access to resources (Examples: documents, camera, locations etc...) to Universal Windows Applications. An App that “has” a capability is granted access to the resource the capability is associated with, and one that “does not have” a capability is denied access to the resource.
-
-All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location.
-
-## Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition
-
-You may see the following registry keys under AllCachedCapabilities:
-
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
-
-All Capability SIDs are prefixed by S-1-15-3
-
-## Examples of registry keys taken from Windows 11, version 21H2, 64-bit Enterprise edition
-
-You may see the following registry keys under AllCachedCapabilities:
-
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
-
-All Capability SIDs are prefixed by S-1-15-3
-
-## See also
-
-- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md
deleted file mode 100644
index 3120899040..0000000000
--- a/windows/security/identity-protection/access-control/security-principals.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-title: Security Principals (Windows 10)
-description: Security Principals
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-ms.reviewer:
----
-
-# Security Principals
-
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
-This reference topic for the IT professional describes security principals in regards to Windows accounts and security groups, in addition to security technologies that are related to security principals.
-
-## What are security principals?
-
-
-Security principals are any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account, or the security groups for these accounts. Security principals have long been a foundation for controlling access to securable resources on Windows computers. Each security principal is represented in the operating system by a unique security identifier (SID).
-
-The following content applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic.
-
-## How security principals work
-
-
-Security principals that are created in an Active Directory domain are Active Directory objects, which can be used to manage access to domain resources. Each security principal is assigned a unique identifier, which it retains for its entire lifetime. Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are managed by the Security Accounts Manager (SAM) on the local computer.
-
-### Authorization and access control components
-
-The following diagram illustrates the Windows authorization and access control process. In this diagram, the subject (a process that is initiated by a user) attempts to access an object, such as a shared folder. The information in the user’s access token is compared to the access control entries (ACEs) in the object’s security descriptor, and the access decision is made. The SIDs of security principals are used in the user’s access token and in the ACEs in the object’s security descriptor.
-
-**Authorization and access control process**
-
-
-
-Security principals are closely related to the following components and technologies:
-
-- [Security identifiers](#bkmk-sids)
-
-- [Access tokens](#bkmk-accesstokens)
-
-- [Security descriptors and access control lists](#bkmk-sdandacls)
-
-- [Permissions](#bkmk-permissions)
-
-### Security identifiers
-
-Security identifiers (SIDs) provide a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment.
-
-A SID is a value of variable length that is used to uniquely identify a security principal that represents any entity that can be authenticated by the system. These entities include a user account, a computer account, or a thread or process that runs in the security context of a user or computer account. Each security principal is automatically assigned a SID when it is created. The SID is stored in a security database. When a SID is used as the unique identifier for a user or group, it can never be used to identify another user or group.
-
-Each time a user signs in, the system creates an access token for that user. The access token contains the user’s SID, user rights, and the SIDs for groups that the user belongs to. This token provides the security context for whatever actions the user performs on that computer.
-
-In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and the World SIDs identify groups that includes all users. Well-known SIDs have values that remain constant across all operating systems.
-
-### Access tokens
-
-An access token is a protected object that contains information about the identity and user rights that are associated with a user account.
-
-When a user signs in interactively or tries to make a network connection to a computer running Windows, the sign-in process authenticates the user’s credentials. If authentication is successful, the process returns a SID for the user and a list of SIDs for the user’s security groups. The Local Security Authority (LSA) on the computer uses this information to create an access token (in this case, the primary access token). This includes the SIDs that are returned by the sign-in process and a list of user rights that are assigned by the local security policy to the user and to the user’s security groups.
-
-After the LSA creates the primary access token, a copy of the access token is attached to every thread and process that executes on the user’s behalf. Whenever a thread or process interacts with a securable object or tries to perform a system task that requires user rights, the operating system checks the access token that is associated with the thread to determine the level of authorization.
-
-There are two kinds of access tokens, primary and impersonation. Every process has a primary token that describes the security context of the user account that is associated with the process. A primary access token is typically assigned to a process to represent the default security information for that process. Impersonation tokens, on the other hand, are usually used for client and server scenarios. Impersonation tokens enable a thread to run in a security context that differs from the security context of the process that owns the thread.
-
-### Security descriptors and access control lists
-
-A security descriptor is a data structure that is associated with each securable object. All objects in Active Directory and all securable objects on a local computer or on the network have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object’s security descriptor can contain two types of ACLs:
-
-- A discretionary access control list (DACL), which identifies the users and groups who are allowed or denied access
-
-- A system access control list (SACL), which controls how access is audited
-
-You can use this access control model to individually secure objects and attributes such as files and folders, Active Directory objects, registry keys, printers, devices, ports, services, processes, and threads. Because of this individual control, you can adjust the security of objects to meet the needs of your organization, delegate authority over objects or attributes, and create custom objects or attributes that require unique security protections to be defined.
-
-### Permissions
-
-Permissions enable the owner of each securable object, such as a file, Active Directory object, or registry key, to control who can perform an operation or a set of operations on the object or object property. Permissions are expressed in the security architecture as access control entries (ACEs). Because access to an object is at the discretion of the object’s owner, the type of access control that is used in Windows is called discretionary access control.
-
-Permissions are different from user rights in that permissions are attached to objects, and user rights apply to user accounts. Administrators can assign user rights to groups or users. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories.
-
-On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers.
-
-For information about which user rights are available and how they can be implemented, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment).
-
-### Security context in authentication
-
-A user account enables a user to sign in to computers, networks, and domains with an identity that can be authenticated by the computer, network, or domain.
-
-In Windows, any user, service, group, or computer that can initiate action is a security principal. Security principals have accounts, which can be local to a computer or domain-based. For example, domain-joined Windows client computers can participate in a network domain by communicating with a domain controller, even when no user is signed in.
-
-To initiate communications, the computer must have an active account in the domain. Before accepting communications from the computer, the Local Security Authority on the domain controller authenticates the computer’s identity and then defines the computer’s security context just as it would for a user’s security principal.
-
-This security context defines the identity and capabilities of a user or service on a particular computer, or of a user, service, group or computer on a network. For example, it defines the resources (such as a file share or printer) that can be accessed and the actions (such as Read, Write, or Modify) that can be performed by a user, service, or computer on that resource.
-
-The security context of a user or computer can vary from one computer to another, such as when a user authenticates to a server or a workstation other than the user’s primary workstation. It can also vary from one session to another, such as when an administrator modifies the user’s rights and permissions. In addition, the security context is usually different when a user or computer is operating on a stand-alone basis, in a mixed network domain, or as part of an Active Directory domain.
-
-## Accounts and security groups
-
-
-Accounts and security groups that are created in an Active Directory domain are stored in the Active Directory database and managed by using Active Directory tools. These security principals are directory objects, and they can be used to manage access to domain resources.
-
-Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are stored in and managed by the Security Accounts Manager (SAM) on the local computer.
-
-### User accounts
-
-A user account uniquely identifies a person who is using a computer system. The account signals the system to enforce the appropriate authorization to allow or deny that user access to resources. User accounts can be created in Active Directory and on local computers, and administrators use them to:
-
-- Represent, identify, and authenticate the identity of a user. A user account enables a user to sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain.
-
-- Authorize (grant or deny) access to resources. After a user has been authenticated, the user is authorized access to resources based on the permissions that are assigned to that user for the resource.
-
-- Audit the actions that are carried out on a user account.
-
-Windows and the Windows Server operating systems have built-in user accounts, or you can create user accounts to meet the requirements of your organization.
-
-### Security groups
-
-A security group is a collection of user accounts, computer accounts, and other groups of accounts that can be managed as a single unit from a security perspective. In Windows operating systems, there are several built-in security groups that are preconfigured with the appropriate rights and permissions for performing specific tasks. Additionally, you can (and, typically, will) create a security group for each unique combination of security requirements that applies to multiple users in your organization.
-
-Groups can be Active Directory-based or local to a particular computer:
-
-- Active Directory security groups are used to manage rights and permissions to domain resources.
-
-- Local groups exist in the SAM database on local computers (on all Windows-based computers) except domain controllers. You use local groups to manage rights and permissions only to resources on the local computer.
-
-By using security groups to manage access control, you can:
-
-- Simplify administration. You can assign a common set of rights, a common set of permissions, or both to many accounts at one time, rather than assigning them to each account individually. Also, when users transfer jobs or leave the organization, permissions are not tied to their user accounts, making permission reassignment or removal easier.
-
-- Implement a role-based access-control model. You can use this model to grant permissions by using groups with different scopes for appropriate purposes. Scopes that are available in Windows include local, global, domain local, and universal.
-
-- Minimize the size of access control lists (ACLs) and speed security checking. A security group has its own SID; therefore, the group SID can be used to specify permissions for a resource. In an environment with more than a few thousand users, if the SIDs of individual user accounts are used to specify access to a resource, the ACL of that resource can become unmanageably large, and the time that is needed for the system to check permissions to the resource can become unacceptable.
-
-For descriptions and settings information about the domain security groups that are defined in Active Directory, see [Active Directory Security Groups](active-directory-security-groups.md).
-
-For descriptions and settings information about the Special Identities group, see [Special Identities](special-identities.md).
-
-## See also
-
-- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md
deleted file mode 100644
index cd6db0f4f7..0000000000
--- a/windows/security/identity-protection/access-control/service-accounts.md
+++ /dev/null
@@ -1,112 +0,0 @@
----
-title: Service Accounts (Windows 10)
-description: Service Accounts
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection:
- - M365-identity-device-management
- - highpri
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 11/19/2021
----
-
-# Service Accounts
-
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
-This topic for the IT professional explains group and standalone managed service accounts, and the computer-specific virtual computer account, and it points to resources about these service accounts.
-
-## Overview
-
-A service account is a user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The security context determines the service's ability to access local and network resources. The Windows operating systems rely on services to run various features. These services can be configured through the applications, the Services snap-in, or Task Manager, or by using Windows PowerShell.
-
-This topic contains information about the following types of service accounts:
-
-- [Standalone managed service accounts](#bkmk-standalonemanagedserviceaccounts)
-
-- [Group-managed service accounts](#bkmk-groupmanagedserviceaccounts)
-
-- [Virtual accounts](#bkmk-virtualserviceaccounts)
-
-### Standalone managed service accounts
-
-A managed service account is designed to isolate domain accounts in crucial applications, such as Internet Information Services (IIS), and eliminate the need for an administrator to manually administer the service principal name (SPN) and credentials for the accounts.
-
-To use managed service accounts, the server on which the application or service is installed must be running at least Windows Server 2008 R2. One managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers, and they cannot be used in server clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group-managed service account. For more information, see [Group-Managed Service Accounts Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11)).
-
-In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts:
-
-- You can create a class of domain accounts that can be used to manage and maintain services on local computers.
-
-- Unlike domain accounts in which administrators must manually reset passwords, the network passwords for these accounts are automatically reset.
-
-- You do not have to complete complex SPN management tasks to use managed service accounts.
-- You don't have to complete complex SPN management tasks to use managed service accounts.
-- Administrative tasks for managed service accounts can be delegated to non-administrators.
-
-### Software requirements
-
-Managed service accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic.
-
-### Group-managed service accounts
-
-Group-managed service accounts are an extension of the standalone-managed service accounts, which were introduced in Windows Server 2008 R2. These accounts are managed domain accounts that provide automatic password management and simplified service principal name (SPN) management, including delegation of management to other administrators.
-
-The group-managed service account provides the same functionality as a standalone managed service account within the domain, but it extends that functionality over multiple servers. When connecting to a service that is hosted on a server farm, such as Network Load Balancing, the authentication protocols that support mutual authentication require all instances of the services to use the same principal. When group-managed service accounts are used as service principals, the Windows Server operating system manages the password for the account instead of relying on the administrator to manage the password.
-
-The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key or a specific key with a key identifier for an Active Directory account. This service was introduced in Windows Server 2012, and it does not run on previous versions of the Windows Server operating system. The Key Distribution Service shares a secret, which is used to create keys for the account. These keys are periodically changed. For a group-managed service account, the domain controller computes the password on the key that is provided by the Key Distribution Services, in addition to other attributes of the group-managed service account.
-
-### Practical applications
-
-Group-managed service accounts provide a single identity solution for services running on a server farm, or on systems that use Network Load Balancing. By providing a group-managed service account solution, services can be configured for the group-managed service account principal, and the password management is handled by the operating system.
-
-By using a group-managed service account, service administrators do not need to manage password synchronization between service instances. The group-managed service account supports hosts that are kept offline for an extended time period and the management of member hosts for all instances of a service. This provision means that you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting.
-
-Failover clusters do not support group-managed service accounts. However, services that run on top of the Cluster service can use a group-managed service account or a standalone managed service account if they are a Windows service, an App pool, a scheduled task, or if they natively support group-managed service account or standalone managed service accounts.
-
-### Software requirements
-
-Group-managed service accounts can only be configured and administered on computers running at least Windows Server 2012, but they can be deployed as a single service identity solution in domains that still have domain controllers running operating systems earlier than Windows Server 2012. There are no domain or forest functional level requirements.
-
-A 64-bit architecture is required to run the Windows PowerShell commands that are used to administer group-managed service accounts.
-
-A managed service account is dependent on encryption types supported by Kerberos. When a client computer authenticates to a server by using Kerberos protocol, the domain controller creates a Kerberos service ticket that is protected with encryption that the domain controller and the server support. The domain controller uses the account’s **msDS-SupportedEncryptionTypes** attribute to determine what encryption the server supports, and if there is no attribute, it assumes that the client computer does not support stronger encryption types. The Advanced Encryption Standard (AES) must always be configured for managed service accounts. If computers that host the managed service account are configured to not support RC4, authentication will always fail.
-
-**Note**
-Introduced in Windows Server 2008 R2, the Data Encryption Standard (DES) is disabled by default. For more information about supported encryption types, see [Changes in Kerberos Authentication](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560670(v=ws.10)).
-
-Group-managed service accounts are not applicable in Windows operating systems prior to Windows Server 2012.
-
-### Virtual accounts
-
-Virtual accounts were introduced in Windows Server 2008 R2 and Windows 7, and are managed local accounts that provide the following features to simplify service administration:
-
-- The virtual account is automatically managed.
-
-- The virtual account can access the network in a domain environment.
-
-- No password management is required. For example, if the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2, a virtual account that uses the instance name as the service name is established in the format NT SERVICE\\<SERVICENAME>.
-
-Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain\_name>\\<computer\_name>$.
-
-For information about how to configure and use virtual service accounts, see [Service Accounts Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10)).
-
-### Software requirements
-
-Virtual accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic.
-
-## See also
-
-
-The following table provides links to other resources that are related to standalone managed service accounts, group-managed service accounts, and virtual accounts.
-
-| Content type | References |
-|---------------|-------------|
-| **Product evaluation** | [What's New for Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831451(v=ws.11))
[Getting Started with Group Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)) |
-| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](https://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) |
-| **Related technologies** | [Security Principals](security-principals.md)
[What's new in Active Directory Domain Services](/windows-server/identity/whats-new-active-directory-domain-services) |
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
deleted file mode 100644
index 995d23b020..0000000000
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ /dev/null
@@ -1,448 +0,0 @@
----
-title: Special Identities (Windows 10)
-description: Special Identities
-ms.prod: m365-security
-ms.technology: windows-sec
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 12/21/2021
-ms.reviewer:
----
-
-# Special Identities
-
-**Applies to**
-
-- Windows Server 2016 or later
-
-This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control.
-
-Special identity groups are similar to Active Directory security groups as listed in the users and built-in containers. Special identity groups can provide an efficient way to assign access to resources in your network. By using special identity groups, you can:
-
-- Assign user rights to security groups in Active Directory.
-- Assign permissions to security groups for the purpose of accessing resources.
-
-Servers that are running the supported Windows Server operating systems designated in the **Applies To** list at the beginning of this topic include several special identity groups. These special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances.
-
-Although the special identity groups can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. Group scopes do not apply to special identity groups. Users are automatically assigned to these special identity groups whenever they sign in or access a particular resource.
-
-For information about security groups and group scope, see [Active Directory Security Groups](active-directory-security-groups.md).
-
-The special identity groups are described in the following tables:
-
-- [Anonymous Logon](#anonymous-logon)
-- [Attested Key Property](#attested-key-property)
-- [Authenticated Users](#authenticated-users)
-- [Authentication Authority Asserted Identity](#authentication-authority-asserted-identity)
-- [Batch](#batch)
-- [Console Logon](#console-logon)
-- [Creator Group](#creator-group)
-- [Creator Owner](#creator-owner)
-- [Dialup](#dialup)
-- [Digest Authentication](#digest-authentication)
-- [Enterprise Domain Controllers](#enterprise-domain-controllers)
-- [Everyone](#everyone)
-- [Fresh Public Key Identity](#fresh-public-key-identity)
-- [Interactive](#interactive)
-- [IUSR](#iusr)
-- [Key Trust](#key-trust)
-- [Local Service](#local-service)
-- [LocalSystem](#localsystem)
-- [MFA Key Property](#mfa-key-property)
-- [Network](#network)
-- [Network Service](#network-service)
-- [NTLM Authentication](#ntlm-authentication)
-- [Other Organization](#other-organization)
-- [Owner Rights](#owner-rights)
-- [Principal Self](#principal-self)
-- [Proxy](#proxy)
-- [Remote Interactive Logon](#remote-interactive-logon)
-- [Restricted](#restricted)
-- [SChannel Authentication](#schannel-authentication)
-- [Service](#service)
-- [Service Asserted Identity](#service-asserted-identity)
-- [Terminal Server User](#terminal-server-user)
-- [This Organization](#this-organization)
-- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group)
-
-## Anonymous Logon
-
-Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-5-7 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|
-
-## Authentication Authority Asserted Identity
-
-A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-18-1 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight|
-
-## Everyone
-
-All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
-
-On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1).
-
-Membership is controlled by the operating system.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-1-0 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege
[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege
[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
|
-
-## LocalSystem
-
-This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-5-18 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
|
-
-## NTLM Authentication
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-5-64-10 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
|
-
-## Service Asserted Identity
-
-A SID that means the client's identity is asserted by a service.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-18-2 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
|
-
-## See also
-
-- [Active Directory Security Groups](active-directory-security-groups.md)
-
-- [Security Principals](security-principals.md)
-
-- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
index af4b0207cd..c84b17cee4 100644
--- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
+++ b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
@@ -2,14 +2,14 @@
title: WebAuthn APIs
description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 02/15/2019
-ms.reviewer:
---
# WebAuthn APIs for password-less authentication on Windows
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 46c5ce15d2..50dac1c934 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -2,22 +2,20 @@
title: Multi-factor Unlock
description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 03/20/2018
-ms.reviewer:
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer: prsriva
+manager: aaroncz
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Multi-factor Unlock
-**Applies to:**
-
-- Windows 10
-- Windows 11
-
**Requirements:**
* Windows Hello for Business deployment (Cloud, Hybrid or On-premises)
* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index a22fdc4c4b..1c3acf11f8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -2,14 +2,17 @@
title: Azure Active Directory join cloud only deployment
description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 06/23/2021
-ms.reviewer:
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer: prsriva
+manager: aaroncz
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Azure Active Directory join cloud only deployment
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 201f155223..edba592b4e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -2,24 +2,23 @@
title: Having enough Domain Controllers for Windows Hello for Business deployments
description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
-ms.reviewer:
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer: prsriva
+manager: aaroncz
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016 or later
+- ✅ Hybrid or On-Premises deployment
+- ✅ Key trust
---
# Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
-**Applies to**
-
-- Windows 10, version 1703 or later, or Windows 11
-- Windows Server, versions 2016 or later
-- Hybrid or On-Premises deployment
-- Key trust
-
> [!NOTE]
>There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044).
@@ -90,7 +89,7 @@ Using the same methods described above, monitor the Kerberos authentication afte
```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."```
-Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment.
+Where *n* equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment.
Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 or newer domain controllers. If there is only one Windows Server 2016 or newer domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible.
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
index 409d7ad594..0b82e155e7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
+++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
@@ -1,23 +1,21 @@
---
title: Windows Hello and password changes (Windows)
description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
-ms.reviewer:
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer: prsriva
+manager: aaroncz
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Windows Hello and password changes
-**Applies to**
-
-- Windows 10
-- Windows 11
-
When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
## Example
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index 1b7fc74348..ebbea60361 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -2,24 +2,23 @@
title: Windows Hello biometrics in the enterprise (Windows)
description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
localizationpriority: medium
ms.date: 01/12/2021
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer: prsriva
+manager: aaroncz
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Windows Hello biometrics in the enterprise
-**Applies to:**
-
-- Windows 10
-- Windows 11
-
Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
>[!NOTE]
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 7c1152e8bf..da1d9d6154 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -2,24 +2,22 @@
title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business)
description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 01/14/2021
-ms.reviewer:
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer: prsriva
+manager: aaroncz
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ On-premises deployments
+- ✅ Certificate trust
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- On-premises deployment
-- Certificate trust
-
Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority.
The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index eda6b35e15..36186166cf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -2,25 +2,24 @@
title: Configure Windows Hello for Business Policy settings - certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer: prsriva
+manager: aaroncz
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ On-premises deployments
+- ✅ Certificate trust
---
# Configure Windows Hello for Business Policy settings - Certificate Trust
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- On-premises deployment
-- Certificate trust
-
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 281f5bf449..9d4ca3a2f5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -2,24 +2,22 @@
title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business)
description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
-ms.reviewer:
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer: prsriva
+manager: aaroncz
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ On-premises deployments
+- ✅ Certificate trust
---
# Validate Active Directory prerequisites for cert-trust deployment
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- On-premises deployment
-- Certificate trust
-
The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
> [!NOTE]
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index 865759bf10..5ec79ae891 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -2,24 +2,22 @@
title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
-ms.reviewer:
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer: prsriva
+manager: aaroncz
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ On-premises deployments
+- ✅ Certificate trust
---
# Validate and Deploy Multi-Factor Authentication feature
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- On-premises deployment
-- Certificate trust
-
Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index d6356353aa..578db1bd4e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -2,25 +2,22 @@
title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business)
description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
-ms.reviewer:
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer: prsriva
+manager: aaroncz
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ On-premises deployments
+- ✅ Certificate trust
---
# Validate and Configure Public Key Infrastructure - Certificate Trust Model
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- On-premises deployment
-- Certificate trust
-
-
Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
## Deploy an enterprise certificate authority
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
index 278560bbc5..21b67500a6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -2,24 +2,22 @@
title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment
description: A guide to on premises, certificate trust Windows Hello for Business deployment.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
-ms.reviewer:
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer: prsriva
+manager: aaroncz
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ On-premises deployments
+- ✅ Certificate trust
---
# On Premises Certificate Trust Deployment
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- On-premises deployment
-- Certificate trust
-
Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment.
Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment:
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index afe7fdf157..0f2c45e2f0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -2,9 +2,10 @@
title: Windows Hello for Business Deployment Overview
description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index 47d8b38c53..43ff73fc92 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -3,14 +3,14 @@ title: Windows Hello for Business Deployment Known Issues
description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues
params: siblings_only
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 05/03/2021
-ms.reviewer:
---
# Windows Hello for Business Known Deployment Issues
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
index 280f51120d..faab624132 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
@@ -2,24 +2,22 @@
title: Windows Hello for Business Deployment Guide - On Premises Key Deployment
description: A guide to on premises, key trust Windows Hello for Business deployment.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ On-premises deployment
+- ✅ Key trust
---
# On Premises Key Trust Deployment
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- On-premises deployment
-- Key trust
-
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment.
Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment:
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 5df469ff3e..d0cc1cad93 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -2,25 +2,23 @@
title: Deploying Certificates to Key Trust Users to Enable RDP
description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 02/22/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Key trust
---
# Deploying Certificates to Key Trust Users to Enable RDP
-**Applies To**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Key trust
-
Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time.
This document discusses an approach for key trust deployments where authentication certificates can be deployed to an existing key trust user.
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 631d982e36..d995550c13 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -2,24 +2,23 @@
title: Windows Hello errors during PIN creation (Windows)
description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: troubleshooting
ms.localizationpriority: medium
ms.date: 05/05/2018
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Windows Hello errors during PIN creation
-**Applies to**
-
-- Windows 10
-- Windows 11
-
When you set up Windows Hello in Windows client, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
## Where is the error code?
@@ -70,6 +69,8 @@ If the error occurs again, check the error code against the following table to s
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. |
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
+| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.|
+
## Errors with unknown mitigation
diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md
index 3e481d0f4d..8fa58bce19 100644
--- a/windows/security/identity-protection/hello-for-business/hello-event-300.md
+++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md
@@ -1,24 +1,22 @@
---
title: Event ID 300 - Windows Hello successfully created (Windows)
description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
-ms.reviewer:
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Event ID 300 - Windows Hello successfully created
-**Applies to**
-
-- Windows 10
-- Windows 11
-
This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.
## Event details
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 2f77d6ba0e..5900a1444c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -8,20 +8,22 @@ metadata:
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
- author: GitPrakhar13
- ms.author: prsriva
- manager: dansimp
+ author: paolomatarazzo
+ ms.author: paoloma
+ manager: aaroncz
+ ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: faq
localizationpriority: medium
ms.date: 02/21/2022
+ appliesto:
+ - ✅ Windows 10
+ - ✅ Windows 11
title: Windows Hello for Business Frequently Asked Questions (FAQ)
summary: |
- Applies to: Windows 10
-
sections:
- name: Ignored
@@ -31,6 +33,7 @@ sections:
answer: |
Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust).
+
- question: What about virtual smart cards?
answer: |
Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8.
@@ -42,6 +45,7 @@ sections:
- question: Can I use Windows Hello for Business key trust and RDP?
answer: |
Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates.
+
- question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager?
answer: |
@@ -57,9 +61,8 @@ sections:
- question: How can a PIN be more secure than a password?
answer: |
- The Windows Hello for Business PIN isn't a symmetric key, whereas a password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.
-
- The statement "PIN is stronger than Password" isn't directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multi-factor Unlock](feature-multifactor-unlock.md) feature.
+ When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.
+ The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
- question: How does Windows Hello for Business work with Azure AD registered devices?
answer: |
@@ -123,9 +126,9 @@ sections:
- question: What's the difference between non-destructive and destructive PIN reset?
answer: |
- Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md).
+ Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 version 1903 and later and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md).
- Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
+ Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 version 1903 and later can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For hybrid Azure Active Directory joined devices, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
- question: |
Which is better or more secure, key trust or certificate trust?
@@ -149,7 +152,31 @@ sections:
- question: Is Windows Hello for Business multi-factor authentication?
answer: |
Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something that's part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
-
+
+ - question: Where is Windows Hello biometrics data stored?
+ answer: |
+ When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
+
+ - question: What is the format used to store Windows Hello biometrics data on the device?
+ answer: |
+ Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (e.g., face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it’s stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash.
+
+ - question: Who has access on Windows Hello biometrics data?
+ answer: |
+ Since Windows Hello biometrics data is stored in encrypted format, no user, or any process other than Windows Hello has access to it.
+
+ - question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication?
+ answer: |
+ Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method (e.g. pin). Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start** > **Settings** > **Accounts** > **Sign-in** options. Or just click on **Go to Sign-in options**. To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select **Set up**. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into Windows Hello during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users.
+
+ - question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication?
+ answer: |
+ To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start** > **Settings** > **Accounts** > **Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy).
+
+ - question: What about any diagnostic data coming out when WHFB is enabled?
+ answer: |
+ To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, we collect diagnostic data about how people use Windows Hello. For example, data about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
+
- question: What are the biometric requirements for Windows Hello for Business?
answer: |
Read [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information.
@@ -206,7 +233,7 @@ sections:
answer: |
Wherever possible, Windows Hello for Business takes advantage of Trusted Platform Module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business don't require a TPM. Administrators can choose to allow key operations in software.
- Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will need to reset the PIN (which means they'll need to use MFA to re-authenticate to the IDP before the IDP allows them to re-register).
+ Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against various known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will need to reset the PIN (which means they'll need to use MFA to reauthenticate to the IDP before the IDP allows them to re-register).
- question: Can Windows Hello for Business work in air-gapped environments?
answer: |
@@ -223,9 +250,9 @@ sections:
| Protocol | Description |
| :---: | :--- |
| [[MS-KPP]: Key Provisioning Protocol](/openspecs/windows_protocols/ms-kpp/25ff7bd8-50e3-4769-af23-bcfd0b4d4567) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. |
- | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. |
+ | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and log in hints. |
| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](/openspecs/windows_protocols/ms-oapxbc/2f7d8875-0383-4058-956d-2fb216b44706) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. |
- | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](/openspecs/windows_protocols/ms-oidce/718379cf-8bc1-487e-962d-208aeb8e70ee) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. |
+ | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](/openspecs/windows_protocols/ms-oidce/718379cf-8bc1-487e-962d-208aeb8e70ee) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define other claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define more provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. |
- question: Does Windows Hello for Business work with Mac and Linux clients?
answer: |
@@ -235,3 +262,4 @@ sections:
- question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients?
answer: |
No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD.
+
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
index 5dac00754e..2acbb4823a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
@@ -2,14 +2,14 @@
title: Conditional Access
description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 09/09/2019
-ms.reviewer:
---
# Conditional access
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index 445df8f5a8..489d5513cf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -2,14 +2,14 @@
title: Dual Enrollment
description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 09/09/2019
-ms.reviewer:
---
# Dual Enrollment
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index bdd56753a1..4fbe94952d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -2,22 +2,21 @@
title: Dynamic lock
description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 07/12/2022
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Dynamic lock
-**Requirements:**
-
-* Windows 10, version 1703 or later
-
Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
> [!IMPORTANT]
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 5d90ae5f90..5b2df11202 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -1,10 +1,11 @@
---
title: Pin Reset
-description: Learn how Microsoft PIN reset services enables you to help users recover who have forgotten their PIN.
+description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
@@ -22,38 +23,49 @@ Windows Hello for Business provides the capability for users to reset forgotten
There are two forms of PIN reset:
-- **Destructive PIN reset**: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new log in key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration.
+- **Destructive PIN reset**: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new login key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration.
- **Non-destructive PIN reset**: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the **Microsoft PIN Reset Service** and configure your clients' policy to enable the **PIN Recovery** feature.
## Using PIN reset
+
+There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.
+
+**Requirements**
+
+- Reset from settings - Windows 10, version 1703 or later, Windows 11
+- Reset above Lock - Windows 10, version 1709 or later, Windows 11
+
Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users do not have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.
+
>[!IMPORTANT]
>For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
### Reset PIN from Settings
-1. Sign-in to Windows 10 using an alternate credential
-1. Open **Settings**, select **Accounts** > **Sign-in options**
-1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions
+1. Sign-in to Windows 10 using an alternate credential.
+1. Open **Settings**, select **Accounts** > **Sign-in options**.
+1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions.
+
### Reset PIN above the Lock Screen
For Azure AD-joined devices:
-1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon
-1. Select **I forgot my PIN** from the PIN credential provider
-1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (e.g., Password, PIN, Security key)
-1. Follow the instructions provided by the provisioning process
-1. When finished, unlock your desktop using your newly created PIN
+1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
+1. Select **I forgot my PIN** from the PIN credential provider.
+1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (e.g., Password, PIN, Security key).
+1. Follow the instructions provided by the provisioning process.
+1. When finished, unlock your desktop using your newly created PIN.
+
For Hybrid Azure AD-joined devices:
-1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon
-1. Select **I forgot my PIN** from the PIN credential provider
-1. Enter your password and press enter
-1. Follow the instructions provided by the provisioning process
-1. When finished, unlock your desktop using your newly created PIN
+1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
+1. Select **I forgot my PIN** from the PIN credential provider.
+1. Enter your password and press enter.
+1. Follow the instructions provided by the provisioning process.
+1. When finished, unlock your desktop using your newly created PIN.
> [!NOTE]
> Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
@@ -65,16 +77,36 @@ You may find that PIN reset from settings only works post login, and that the "l
**Requirements:**
- Azure Active Directory
+- Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903.
- Hybrid Windows Hello for Business deployment
- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
+
When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory.
Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the **Microsoft PIN Reset Service** which enables users to reset their forgotten PIN without requiring re-enrollment.
>[!IMPORTANT]
+> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809 and later, and Windows 11. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and later, Windows 11.
+> The Microsoft PIN Reset service is not currently available in Azure Government.
+
+### Summary
+
+|Category|Destructive PIN Reset|Non-Destructive PIN Reset|
+|--- |--- |--- |
+|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
+|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.|
+|**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust|
+|**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
+|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.|
+|**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.|
+|**MSA/Enterprise**|MSA and Enterprise|Enterprise only.|
+
+### Onboarding the Microsoft PIN reset service to your Intune tenant
+
> The **Microsoft PIN Reset Service** is not currently available in Azure Government.
+
### Enable the Microsoft PIN Reset Service in your Azure AD tenant
Before you can remotely reset PINs, you must register two applications in your Azure Active Directory tenant:
@@ -84,21 +116,21 @@ Before you can remotely reset PINs, you must register two applications in your A
#### Connect Azure Active Directory with the PIN Reset Service
-1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant
-1. After you have logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization
+1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant.
+1. After you have logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization.
#### Connect Azure Active Directory with the PIN Reset Client
-1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant
-1. After you have logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization
+1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant.
+1. After you have logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization.
#### Confirm that the two PIN Reset service principals are registered in your tenant
-1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com)
-1. Select **Azure Active Directory** > **Applications** > **Enterprise applications**
-1. Search by application name "Microsoft PIN" and both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** will show up in the list
+1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com).
+1. Select **Azure Active Directory** > **Applications** > **Enterprise applications**.
+1. Search by application name "Microsoft PIN" and both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** will show up in the list.
:::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications-expanded.png":::
### Enable PIN Recovery on your devices
@@ -109,39 +141,39 @@ Before you can remotely reset PINs, your devices must be configured to enable PI
You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune.
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com)
-1. Select **Devices** > **Configuration profiles** > **Create profile**
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+1. Select **Devices** > **Configuration profiles** > **Create profile**.
1. Enter the following properties:
- - **Platform**: Select **Windows 10 and later**
- - **Profile type**: Select **Settings catalog**
-1. Select **Create**
+ - **Platform**: Select **Windows 10 and later**.
+ - **Profile type**: Select **Settings catalog**.
+1. Select **Create**.
1. In **Basics**, enter the following properties:
- - **Name**: Enter a descriptive name for the profile
- - **Description**: Enter a description for the profile. This setting is optional, but recommended
-1. Select **Next**
-1. In **Configuration settings**, select **Add settings**
-1. In the settings picker, select **Windows Hello For Business** > **Enable Pin Recovery**
-1. Configure **Enable Pin Recovery** to **true**
-1. Select **Next**
-1. In **Scope tags**, assign any applicable tags (optional)
-1. Select **Next**
-1. In **Assignments**, select the security groups that will receive the policy
-1. Select **Next**
-1. In **Review + create**, review your settings and select **Create**
+ - **Name**: Enter a descriptive name for the profile.
+ - **Description**: Enter a description for the profile. This setting is optional, but recommended.
+1. Select **Next**.
+1. In **Configuration settings**, select **Add settings**.
+1. In the settings picker, select **Windows Hello For Business** > **Enable Pin Recovery**.
+1. Configure **Enable Pin Recovery** to **true**.
+1. Select **Next**.
+1. In **Scope tags**, assign any applicable tags (optional).
+1. Select **Next**.
+1. In **Assignments**, select the security groups that will receive the policy.
+1. Select **Next**.
+1. In **Review + create**, review your settings and select **Create**.
>[!NOTE]
> You can also configure PIN recovery from the **Endpoint security** blade:
-> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com)
-> 1. Select **Endpoint security** > **Account protection** > **Create Policy**
+> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+> 1. Select **Endpoint security** > **Account protection** > **Create Policy**.
#### [✅ **GPO**](#tab/gpo)
You can configure Windows devices to use the **Microsoft PIN Reset Service** using a Group Policy Object (GPO).
-1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory
-1. Edit the Group Policy object from Step 1
-1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**
-1. Close the Group Policy Management Editor to save the Group Policy object
+1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
+1. Edit the Group Policy object from Step 1.
+1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
+1. Close the Group Policy Management Editor to save the Group Policy object.
#### [✅ **CSP**](#tab/csp)
@@ -198,6 +230,44 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
+----------------------------------------------------------------------+
```
+## Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices
+
+**Applies to:**
+
+- Windows 10, version 1803 or later
+- Windows 11
+- Azure AD joined
+
+The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
+
+### Configuring Policy Using Intune
+
+1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
+
+1. Click **Devices**. Click **Configuration profiles**. Click **Create profile**.
+
+1. For Platform select **Windows 10 and later** and for Profile type select **Templates**. In the list of templates that is loaded, select **Custom** and click Create.
+
+1. In the **Name** field type **Web Sign In Allowed URLs** and optionally provide a description for the configuration. Click Next.
+
+1. On the Configuration settings page, click **Add** to add a custom OMA-URI setting. Provide the following information for the custom settings:
+
+ - **Name:** Web Sign In Allowed URLs
+ - **Description:** (Optional) List of domains that are allowed during PIN reset flows.
+ - **OMA-URI:** ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
+ - **Data type:** String
+ - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks)
+
+ :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png":::
+
+1. Click the **Save** button to save the custom configuration.
+
+1. On the Assignments page, use the Included groups and Excluded groups sections to define the groups of users or devices that should receive this policy. Once you have completed configuring groups click the Next button.
+
+1. On the Applicability rules page, click **Next**.
+
+1. Review the configuration that is shown on the Review + create page to make sure that it is accurate. Click create to save the profile and apply it to the configured groups.
+
### Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices
The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
@@ -205,28 +275,29 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
#### Configure Web Sign-in Allowed URLs using Microsoft Intune
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. Select **Devices** > **Configuration profiles** > **Create profile**
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** > **Configuration profiles** > **Create profile**.
1. Enter the following properties:
- - **Platform**: Select **Windows 10 and later**
- - **Profile type**: Select **Templates**
- - In the list of templates that is loaded, select **Custom** > **Create**
+ - **Platform**: Select **Windows 10 and later**.
+ - **Profile type**: Select **Templates**.
+ - In the list of templates that is loaded, select **Custom** > **Create**.
1. In **Basics**, enter the following properties:
- - **Name**: Enter a descriptive name for the profile
- - **Description**: Enter a description for the profile. This setting is optional, but recommended
-1. Select **Next**
+ - **Name**: Enter a descriptive name for the profile.
+ - **Description**: Enter a description for the profile. This setting is optional, but recommended.
+1. Select **Next**.
1. In **Configuration settings**, select **Add** and enter the following settings:
- Name: **Web Sign In Allowed URLs**
- Description: **(Optional) List of domains that are allowed during PIN reset flows**
- OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`
- Data type: **String**
- - Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com** (without quotation marks)
+ - Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com** (without quotation marks).
:::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist-expanded.png":::
-1. Select **Save** > **Next**
-1. In **Assignments**, select the security groups that will receive the policy
-1. Select **Next**
-1. In **Applicability Rules**, select **Next**
-1. In **Review + create**, review your settings and select **Create**
+1. Select **Save** > **Next**.
+1. In **Assignments**, select the security groups that will receive the policy.
+1. Select **Next**.
+1. In **Applicability Rules**, select **Next**.
+1. In **Review + create**, review your settings and select **Create**.
+
> [!NOTE]
> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index b622e6277f..6e297b92e3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -2,14 +2,14 @@
title: Remote Desktop
description: Learn how Windows Hello for Business supports using biometrics with remote desktop
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 02/24/2021
-ms.reviewer:
---
# Remote Desktop
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index 76b94b5ddb..909df0b77b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -2,22 +2,20 @@
title: How Windows Hello for Business works - Authentication
description: Learn about the authentication flow for Windows Hello for Business.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 02/15/2022
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Windows Hello for Business and Authentication
-**Applies to:**
-
-- Windows 10
-- Windows 11
-
Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index c81ed991e1..7d93ef16b8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -2,22 +2,20 @@
title: How Windows Hello for Business works - Provisioning
description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 2/15/2022
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Windows Hello for Business Provisioning
-**Applies to:**
-
-- Windows 10
-- Windows 11
-
Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on:
- How the device is joined to Azure Active Directory
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 1813f3e403..ff24499d85 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -2,23 +2,21 @@
title: How Windows Hello for Business works - technology and terms
description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 10/08/2018
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Technology and terms
-**Applies to:**
-
-- Windows 10
-- Windows 11
-
## Attestation identity keys
Because the endorsement certificate is unique for each device and doesn't change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 768b3a0e02..cb5b134268 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -2,22 +2,20 @@
title: How Windows Hello for Business works
description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 05/05/2018
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# How Windows Hello for Business works in Windows Devices
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices.
Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 51f303b2ba..c936ab0e6a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -2,26 +2,24 @@
title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
localizationpriority: medium
ms.date: 01/14/2021
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Azure Active Directory-join
+- ✅ Hybrid Deployment
+- ✅ Key trust
---
# Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Azure Active Directory-joined
-- Hybrid Deployment
-- Key trust model
-
## Prerequisites
Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices do not have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 53931e113c..875fe62728 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -2,26 +2,24 @@
title: Using Certificates for AADJ On-premises Single-sign On single sign-on
description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Azure AD-join
+- ✅ Hybrid Deployment
+- ✅ Certificate trust
---
# Using Certificates for AADJ On-premises Single-sign On
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Azure Active Directory-joined
-- Hybrid Deployment
-- Certificate trust
-
If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices.
> [!IMPORTANT]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index 1acba0f5b3..0842bb52e6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -2,24 +2,20 @@
title: Azure AD Join Single Sign-on Deployment
description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Azure AD Join Single Sign-on Deployment
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Azure Active Directory-joined
-- Hybrid deployment
-
Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate.
## Key vs. Certificate
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
index 546fe98a8e..1dbae77cc3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
@@ -2,24 +2,22 @@
title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business)
description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Certificate trust
---
# Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Certificate trust
-
Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies
- [Active Directory](#active-directory)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 2d15af954c..b35fa21dac 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -2,24 +2,22 @@
title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business)
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Certificate trust
---
# Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Certificate trust
-
Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.
> [!IMPORTANT]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index edba57fd05..b6d189d7c1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -2,24 +2,22 @@
title: Hybrid Azure AD joined Windows Hello for Business Prerequisites
description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Certificate trust
---
# Hybrid Azure AD joined Windows Hello for Business Prerequisites
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Certificate trust
-
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index f9c3cf3feb..72086e9d13 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -2,24 +2,22 @@
title: Hybrid Certificate Trust Deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 09/08/2017
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Certificate trust
---
# Hybrid Azure AD joined Certificate Trust Deployment
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Certificate trust
-
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index f6e69dad32..6721675b09 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -2,24 +2,22 @@
title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business)
description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Certificate trust
---
# Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Certificate trust
-
## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
index f8b0c788c1..230a694361 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
@@ -2,24 +2,22 @@
title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD)
description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Certificate trust
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Certificate trust
-
The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema.
### Creating Security Groups
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index ed13229f6a..03989ad22c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -2,24 +2,22 @@
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS)
description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Certificate trust
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Certificate trust
-
## Federation Services
The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 3dea044165..7e29ef7f6a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -2,25 +2,23 @@
title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch
description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Certificate trust
---
# Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Certificate Trust
-
## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 0a7da03055..e604fc736f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -2,25 +2,23 @@
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI)
description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Certificate trust
---
# Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid Deployment
-- Certificate Trust
-
Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer.
All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
index bba12adf27..2708e9a22c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@@ -2,23 +2,22 @@
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy
description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Certificate trust
---
# Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Certificate trust
## Policy Configuration
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
index ec22d31a65..c0ba9ce415 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
@@ -2,24 +2,22 @@
title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business)
description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Certificate trust
---
# Configure Hybrid Azure AD joined Windows Hello for Business
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Certificate trust
-
Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model.
> [!IMPORTANT]
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
index 1f4f7f1f17..e8589d8b29 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
@@ -2,22 +2,20 @@
title: Hybrid Cloud Trust Deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 2/15/2022
-ms.reviewer:
+appliesto:
+- ✅ Windows 10 21H2 and later
+- ✅ Windows 11
---
# Hybrid Cloud Trust Deployment (Preview)
-Applies to
-
-- Windows 10, version 21H2
-- Windows 11 and later
-
Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario.
## Introduction to Cloud Trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 66a720d026..98599d9132 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -2,25 +2,22 @@
title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Key trust
---
# Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Key trust
-
-
Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies
- [Active Directory](#active-directory)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
index 4d064c210c..49cd5d3b42 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@@ -2,25 +2,22 @@
title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business)
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 05/04/2022
-ms.reviewer: prsriva
-
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Key trust
---
# Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Key trust
-
You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication.
> [!NOTE]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
index 299e93c00c..d3e68887fd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
@@ -2,24 +2,22 @@
title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business)
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Key trust
---
# Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Key trust
-
You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises.
## Deploy Azure AD Connect
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 0850fae7f7..66fae5f56b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -9,17 +9,14 @@ ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Key trust
---
# Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Key trust
-
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index 833968247b..7a7e3f3eed 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -2,24 +2,22 @@
title: Hybrid Key Trust Deployment (Windows Hello for Business)
description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Key trust
---
# Hybrid Azure AD joined Key Trust Deployment
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Key trust
-
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 925d6d12e8..4b009fe228 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -2,24 +2,21 @@
title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business)
description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Key trust
---
# Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning
-
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Key trust
-
## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
index bbdde28351..49124b1ddf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
@@ -2,23 +2,22 @@
title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD)
description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD)
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
---
# Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Key trust
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Key trust
Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index 0ed4142f70..1092173f9c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -2,24 +2,22 @@
title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization
description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Key trust
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Key trust
-
## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 5f2d0ed289..8a9e8ee322 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -2,25 +2,22 @@
title: Configure Hybrid Azure AD joined key trust Windows Hello for Business
description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI)
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 04/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Key trust
---
-
# Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid Deployment
-- Key trust
-
Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer.
All deployments use enterprise issued certificates for domain controllers as a root of trust.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 26b31e209b..4522c3b93d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -2,24 +2,22 @@
title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
description: Configuring Hybrid key trust Windows Hello for Business - Group Policy
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Key trust
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Key trust
-
## Policy Configuration
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
index 29c29de56f..ea0439b451 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@@ -2,24 +2,22 @@
title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings
description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Key trust
---
# Configure Hybrid Azure AD joined Windows Hello for Business key trust settings
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Key trust
-
You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business.
> [!IMPORTANT]
@@ -36,10 +34,6 @@ For the most efficient deployment, configure these technologies in order beginni
> [!div class="step-by-step"]
> [Configure Active Directory >](hello-hybrid-key-whfb-settings-ad.md)
-
-
-
-
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-key-trust.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 185768fe63..7a9e8e62b1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -2,9 +2,10 @@
title: Windows Hello for Business Deployment Prerequisite Overview
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index d2c141ca3a..8761b3eaf6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -2,24 +2,22 @@
title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business)
description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ On-premises deployment
+- ✅ Key trust
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- On-premises deployment
-- Key trust
-
Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration.
The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 5baf31a055..b954e4d073 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -2,25 +2,22 @@
title: Configure Windows Hello for Business Policy settings - key trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ On-premises deployment
+- ✅ Key trust
---
# Configure Windows Hello for Business Policy settings - Key Trust
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- On-premises deployment
-- Key trust
-
-
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index c8227d9536..64195a8b82 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -2,24 +2,22 @@
title: Key registration for on-premises deployment of Windows Hello for Business
description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ On-premises deployment
+- ✅ Key trust
---
# Validate Active Directory prerequisites - Key Trust
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- On-premises deployment
-- Key trust
-
Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
> [!NOTE]
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 968ae0d5b0..81e0df5016 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -2,27 +2,25 @@
title: Validate and Deploy MFA for Windows Hello for Business with key trust
description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ On-premises deployment
+- ✅ Key trust
---
# Validate and Deploy Multifactor Authentication (MFA)
> [!IMPORTANT]
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- On-premises deployment
-- Key trust
-
Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index 809720fdba..d12ad32ade 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -2,25 +2,22 @@
title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business)
description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ On-premises deployment
+- ✅ Key trust
---
-
# Validate and Configure Public Key Infrastructure - Key Trust
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-- On-premises deployment
-- Key trust
-
Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.
## Deploy an enterprise certificate authority
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index deba83abae..7127970af5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -2,24 +2,23 @@
title: Manage Windows Hello in your organization (Windows)
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 2/15/2022
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Manage Windows Hello for Business in your organization
-**Applies to**
-
-- Windows 10
-- Windows 11
-
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
>[!IMPORTANT]
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 37a81d4995..6a355853aa 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -1,25 +1,22 @@
---
title: Windows Hello for Business Overview (Windows)
-ms.reviewer: An overview of Windows Hello for Business
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: conceptual
localizationpriority: medium
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
-
# Windows Hello for Business Overview
-**Applies to**
-
-- Windows 10
-- Windows 11
-
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
>[!NOTE]
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 3212485067..c1dc768999 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -2,23 +2,22 @@
title: Planning a Windows Hello for Business Deployment
description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
localizationpriority: conceptual
ms.date: 09/16/2020
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Planning a Windows Hello for Business Deployment
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 6b57daee9c..89efd738ea 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -1,24 +1,21 @@
---
title: Prepare people to use Windows Hello (Windows)
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
-ms.reviewer:
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
-
# Prepare people to use Windows Hello
-**Applies to**
-
-- Windows 10
-- Windows 11
-
When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index 05c92d9ba2..cf437e3bee 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -2,22 +2,19 @@
title: Windows Hello for Business Videos
description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 07/26/2022
-ms.reviewer: paoloma
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Windows Hello for Business Videos
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
## Overview of Windows Hello for Business and Features
Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index ef30d59ed1..887d2893eb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -2,24 +2,22 @@
title: Why a PIN is better than an online password (Windows)
description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password .
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 10/23/2017
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
-
# Why a PIN is better than an online password
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password.
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
index 62c038bd6b..bdd841ab2c 100644
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -8,9 +8,10 @@ metadata:
description: Learn how to manage and deploy Windows Hello for Business.
ms.prod: m365-security
ms.topic: landing-page
- author: GitPrakhar13
- manager: dansimp
- ms.author: prsriva
+ author: paolomatarazzo
+ ms.author: paoloma
+ manager: aaroncz
+ ms.reviewer: prsriva
ms.date: 01/22/2021
ms.collection:
- M365-identity-device-management
diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
index 75645f288d..2d0f9aed02 100644
--- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
@@ -2,14 +2,14 @@
title: Microsoft-compatible security key
description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 11/14/2018
-ms.reviewer:
---
# What is a Microsoft-compatible security key?
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 74765dffac..be9b81f965 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -2,14 +2,17 @@
title: Password-less strategy
description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11.
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
-ms.reviewer:
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: conceptual
localizationpriority: medium
ms.date: 05/24/2022
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Password-less strategy
diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md
index e2f9b9e978..3818cf29e6 100644
--- a/windows/security/identity-protection/hello-for-business/reset-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md
@@ -2,14 +2,14 @@
title: Reset-security-key
description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key
ms.prod: m365-security
-author: GitPrakhar13
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 11/14/2018
-ms.reviewer:
---
# How to reset a Microsoft-compatible security key?
> [!Warning]
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index 29e42655ab..b703e6ea15 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -9,14 +9,12 @@ ms.date: 10/16/2017
ms.reviewer:
manager: dansimp
ms.topic: article
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# How Windows Hello for Business works in Windows devices
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
## Register a new user or device
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
index 2f384a46fc..09e60e2f2b 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
@@ -2,7 +2,7 @@
title: Interactive Logon Message text (Windows 10)
description: Learn about best practices, security considerations and more for the security policy setting, Interactive logon Message text for users attempting to log on.
ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e
-ms.reviewer:
+ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
ms.mktglfcycl: deploy
@@ -32,9 +32,7 @@ The **Interactive logon: Message text for users attempting to log on** and [Inte
**Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they sign in.
-**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited.
-
-Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers.
+**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
When these policy settings are configured, users will see a dialog box before they can sign in to the server console.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
index ab20a8f979..b16fd3bff2 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
@@ -2,7 +2,7 @@
title: Interactive logon Message title for users attempting to log on (Windows 10)
description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on.
ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6
-ms.reviewer:
+ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
ms.mktglfcycl: deploy
@@ -30,9 +30,7 @@ Describes the best practices, location, values, policy management and security c
This security setting allows you to specify a title that appears in the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited.
-The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on.
-
-Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers.
+The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
When these policy settings are configured, users will see a dialog box before they can sign in the server console.
@@ -43,7 +41,7 @@ When these policy settings are configured, users will see a dialog box before th
### Best practices
-1. It's advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one of the following values:
+1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following:
- RESTRICTED SYSTEM
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index aee609a7fd..e30b2c517a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -1,6 +1,6 @@
---
title: Script rules in AppLocker (Windows)
-description: This topic describes the file formats and available default rules for the script rule collection.
+description: This article describes the file formats and available default rules for the script rule collection.
ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f
ms.reviewer:
ms.author: macapara
@@ -26,10 +26,6 @@ ms.technology: windows-sec
- Windows 11
- Windows Server 2016 and above
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-
This article describes the file formats and available default rules for the script rule collection.
AppLocker defines script rules to include only the following file formats:
@@ -44,11 +40,11 @@ The following table lists the default rules that are available for the script ru
| Purpose | Name | User | Rule condition type |
| - | - | - | - |
| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: `*\` |
-| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` |
-| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`|
-
+| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` |
+| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`|
+
> [!NOTE]
-> Windows Defender Application Control cannot be used to block PowerShell scripts. AppLocker just forces PowerShell scripts to be run in Constrained Language mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs.
+> When a script runs that is not allowed by policy, AppLocker raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host. In the case of PowerShell, "blocked" scripts will still run, but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). Authorized scripts run in Full Language Mode.
## Related articles
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
index 2d31e8f0f7..f9b070ff3b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
@@ -1,6 +1,6 @@
---
-title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows)
-description: To create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within your organization, follow this guide.
+title: Create a WDAC policy using a reference computer (Windows)
+description: To create a Windows Defender Application Control (WDAC) policy that allows all code installed on a reference computer within your organization, follow this guide.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
@@ -11,83 +11,133 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
-ms.date: 05/03/2018
+ms.date: 08/08/2022
ms.technology: windows-sec
---
-# Create a WDAC policy for fixed-workload devices using a reference computer
+# Create a WDAC policy using a reference computer
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-This section outlines the process to create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc.
-
-For this example, you must initiate variables to be used during the creation process or use the full file paths in the command.
-Then create the WDAC policy by scanning the system for installed applications.
-The policy file is converted to binary format when it gets created so that Windows can interpret it.
-
-## Overview of the process of creating Windows Defender Application Control policies
-
-A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone more company assets. Windows Defender Application Control policies follow a similar methodology that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of more WDAC policies based on what should be allowed to be installed and run and for whom. For more information on doing this assessment, see the [WDAC Design Guide](windows-defender-application-control-design-guide.md).
-
-Optionally, WDAC can align with your software catalog and any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged, or serviced, and managed.
-
-If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
+This section outlines the process to create a Windows Defender Application Control (WDAC) policy **using a reference computer** that is already configured with the software you want to allow. You can use this approach for fixed-workload devices that are dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. This approach can also be used to turn on WDAC on systems "in the wild" and you want to minimize the potential impact on users' productivity.
> [!NOTE]
-> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy.
+> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
-Each installed software application should be validated as trustworthy before you create a policy.
-We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable.
-Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you don't want to run scripts.
-You can remove or disable such software on the reference computer.
+As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
-To create a Windows Defender Application Control policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
+**Alice Pena** is the IT team lead tasked with the rollout of WDAC.
-1. Initialize variables that you'll use.
+## Create a custom base policy using a reference device
+
+Alice previously created a policy for the organization's fully managed end-user devices. She now wants to use WDAC to protect Lamna's critical infrastructure servers. Lamna's imaging practice for infrastructure systems is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone more company assets. Alice decides to use these same "golden" image systems to create the WDAC policies, which will result in separate custom base policies for each type of infrastructure server. As with imaging, she'll have to create policies from multiple golden computers based on model, department, application set, and so on.
+
+> [!NOTE]
+> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy.
Each installed software application should be validated as trustworthy before you create a policy.
We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you don't want to run scripts. You can remove or disable such software on the reference computer.
+
+Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's critical infrastructure servers:
+
+- All devices are running Windows Server 2019 or above;
+- All apps are centrally managed and deployed;
+- No interactive users.
+
+Based on the above, Alice defines the pseudo-rules for the policy:
+
+1. **“Windows works”** rules that authorize:
+ - Windows
+ - WHQL (third-party kernel drivers)
+ - Windows Store signed apps
+
+2. Rules for **scanned files** that authorize all pre-existing app binaries found on the device
+
+To create the WDAC policy, Alice runs each of the following commands in an elevated Windows PowerShell session, in order:
+
+1. Initialize variables.
```powershell
$PolicyPath=$env:userprofile+"\Desktop\"
$PolicyName="FixedWorkloadPolicy_Audit"
- $WDACPolicy=$PolicyPath+$PolicyName+".xml"
- $WDACPolicyBin=$PolicyPath+$PolicyName+".bin"
+ $LamnaServerPolicy=$PolicyPath+$PolicyName+".xml"
+ $DefaultWindowsPolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
+ ```
2. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications:
```powershell
- New-CIPolicy -Level PcaCertificate -FilePath $WDACPolicy –UserPEs 3> CIPolicyLog.txt
+ New-CIPolicy -FilePath $LamnaServerPolicy -Level SignedVersion -Fallback FilePublisher,FileName,Hash -ScanPath c:\ -UserPEs -MultiplePolicyFormat -OmitPaths c:\Windows,'C:\Program Files\WindowsApps\',c:\windows.old\,c:\users\ 3> CIPolicyLog.txt
```
> [!Note]
- >
- > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the allow list will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
- > - You can add the **-MultiplePolicyFormat** parameter when creating policies which will be deployed to computers which are running Windows build 1903+. For more information about multiple policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md).
+ >
> - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md).
- >
> - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the tool will scan the C-drive by default.
- >
+ > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. If you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers. In other words, the allow list will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
+ > - To create a policy for Windows 10 1903 and above, including support for supplemental policies, use **-MultiplePolicyFormat**.
+ > - To specify a list of paths to exclude from the scan, use the **-OmitPaths** option and supply a comma-delimited list of paths.
> - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
-3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
+3. Merge the new policy with the WindowsDefault_Audit policy to ensure all Windows binaries and kernel drivers will load.
+
+ ```powershell
+ Merge-CIPolicy -OutputFilePath $LamnaServerPolicy -PolicyPaths $LamnaServerPolicy,$DefaultWindowsPolicy
+ ```
+
+4. Give the new policy a descriptive name, and initial version number:
+
+ ```powershell
+ Set-CIPolicyIdInfo -FilePath $LamnaServerPolicy -PolicyName $PolicyName
+ Set-CIPolicyVersion -FilePath $LamnaServerPolicy -Version "1.0.0.0"
+ ```
+
+5. Modify the merged policy to set policy rules:
+
+ ```powershell
+ Set-RuleOption -FilePath $LamnaServerPolicy -Option 3 # Audit Mode
+ Set-RuleOption -FilePath $LamnaServerPolicy -Option 6 # Unsigned Policy
+ Set-RuleOption -FilePath $LamnaServerPolicy -Option 9 # Advanced Boot Menu
+ Set-RuleOption -FilePath $LamnaServerPolicy -Option 12 # Enforce Store Apps
+ Set-RuleOption -FilePath $LamnaServerPolicy -Option 16 # No Reboot
+ Set-RuleOption -FilePath $LamnaServerPolicy -Option 17 # Allow Supplemental
+ Set-RuleOption -FilePath $LamnaServerPolicy -Option 19 # Dynamic Code Security
+ ```
+
+6. If appropriate, add more signer or file rules to further customize the policy for your organization.
+
+7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
```powershell
- ConvertFrom-CIPolicy $WDACPolicy $WDACPolicyBin
+ [xml]$LamnaServerPolicyXML = Get-Content $LamnaServerPolicy
+ $PolicyId = $LamnaServerPolicyXML.SiPolicy.PolicyId
+ $LamnaServerPolicyBin = $PolicyPath+$PolicyId+".cip"
+ ConvertFrom-CIPolicy $LamnaServerPolicy $LamnaServerPolicyBin
```
-After you complete these steps, the WDAC binary file ($WDACPolicyBin) and original .xml file ($WDACPolicy) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for more security.
+8. Upload the base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
-> [!NOTE]
-> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
+Alice now has an initial policy for Lamna's critical infrastructure servers that is ready to deploy in audit mode.
-We recommend that every WDAC policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error messages. For information about how to audit a WDAC policy, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md).
+## Create a custom base policy to minimize user impact on in-use client devices
+Alice previously created a policy for the organization's fully managed devices. Alice has included the fully managed device policy as part of Lamna's device build process so all new devices now begin with WDAC enabled. She's preparing to deploy the policy to systems that are already in use, but is worried about causing disruption to users' productivity. To minimize that risk, Alice decides to take a different approach for those systems. She'll continue to deploy the fully managed device policy in audit mode to those devices, but for enforcement mode she'll merge the fully managed device policy rules with a policy created by scanning the device for all previously installed software. In this way, each device is treated as its own "golden" system.
+Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully managed in-use devices:
+
+- Everything described for Lamna's [Fully Managed Devices](create-wdac-policy-for-fully-managed-devices.md);
+- Users have installed apps that they need to continue to run.
+
+Based on the above, Alice defines the pseudo-rules for the policy:
+
+1. Everything included in the Fully Managed Devices policy
+2. Rules for **scanned files** that authorize all pre-existing app binaries found on the device
+
+For Lamna's existing, in-use devices, Alice deploys a script along with the Fully Managed Devices policy XML (not the converted WDAC policy binary). The script then generates a custom policy locally on the client as described in the previous section, but instead of merging with the DefaultWindows policy, the script merges with Lamna's Fully Managed Devices policy. Alice also modifies the steps above to match the requirements of this different use case.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index 7cd08be428..2d13639669 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -82,8 +82,9 @@ Alice follows these steps to complete this task:
2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
```powershell
+ $PolicyPath=$env:userprofile+"\Desktop\"
$PolicyName= "Lamna_FullyManagedClients_Audit"
- $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
+ $LamnaPolicy=$PolicyPath+$PolicyName+".xml"
$MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
```
@@ -121,7 +122,9 @@ Alice follows these steps to complete this task:
> In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
```powershell
- $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
+ [xml]$LamnaPolicyXML = Get-Content $LamnaPolicy
+ $PolicyId = $LamnaPolicyXML.SiPolicy.PolicyId
+ $LamnaPolicyBin = $PolicyPath+$PolicyId+".cip"
ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
```
