Merge pull request #7175 from MicrosoftDocs/main

Publish 09/22/2022 3:30 PM PT
2025-05-14 06:17:22 +00:00 · 2022-09-22 16:49:56 -06:00 · 2022-09-22 16:49:56 -06:00 · e362fd330b
commit e362fd330b
parent 39f4f5dc3a 5901abf1b8
4 changed files with 59 additions and 18 deletions
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@ -83,7 +83,8 @@ PassportForWork
 -------UseBiometrics
 -------Biometrics
 ----------UseBiometrics
----------FacialFeatureUse
+----------FacialFeaturesUseEnhancedAntiSpoofing
 ----------EnableESSwithSupportedPeripherals
 -------DeviceUnlock
 ----------GroupA
 ----------GroupB
@ -286,8 +287,6 @@ Boolean value used to enable or disable the use of biometric gestures, such as f
 Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business.
 Supported operations are Add, Get, Delete, and Replace.
 *Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
@ -305,6 +304,26 @@ Supported operations are Add, Get, Delete, and Replace.
 *Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
 <a href="" id="biometrics-enableESSwithSupportedPeripherals--only-for---device-vendor-msft-"></a>**Biometrics/EnableESSwithSupportedPeripherals** (only for ./Device/Vendor/MSFT)  
 If this policy is enabled, Windows Hello authentication using peripheral biometric sensors will be blocked. Any non-authentication operational functionalities such as camera usage (for instance, video calls and the camera) will be unaffected.
 If you enable this policy it can have the following possible values:
 **0 - Enhanced Sign-in Security Disabled** (not recommended)
 Enhanced sign-in security will be disabled on all systems, enabling the use of peripheral biometric authentication. If this policy value is set to 0 after users have enrolled in ESS biometrics, users will be prompted to reset their PIN. They will lose all their existing biometric enrollments. To use biometrics they will have to enroll again. 
 **1 - Enhanced Sign-in Security Enabled** (default and recommended for highest security)
 Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any biometric device that Enhanced Sign-in Security does not support, including that of peripheral devices, will be blocked and not available for Windows Hello.
 If you disable or do not configure this policy, Enhanced Sign-in Security is preferred on the device. The behavior will be the same as enabling the policy and setting the value to 1.
 Supported operations are Add, Get, Delete, and Replace.
 *Supported from Windows 11 version 22H2*
 <a href="" id="deviceunlock"></a>**DeviceUnlock** (only for ./Device/Vendor/MSFT)  
 Added in Windows 10, version 1803. Interior node.
@ -551,7 +570,7 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol
                <Data>true</Data>
              </Item>
            </Add>
-    <Add>
+            <Add>
              <CmdID>15</CmdID>
              <Item>
                <Target>
@ -566,6 +585,21 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol
                <Data>true</Data>
              </Item>
            </Add>
            <Add>
              <CmdID>16</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/Biometrics/EnableESSwithSupportedPeripherals
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">int</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>0</Data>
              </Item>
            </Add>
            <Final/> 
          </SyncBody>
        </SyncML>
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@ -253,8 +253,8 @@ Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exch
 ### Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
 Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller for some scenarios:
- The first sign-in or unlock with Windows Hello for Business after provisioning on a Hybrid Azure AD joined device
+- The first sign-in or unlock with Windows Hello for Business after provisioning
- When attempting to access an on-premises resource from an Azure AD joined device
+- When attempting to access an on-premises resource from a Hybrid Azure AD joined device
 ### Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@ -1,12 +1,13 @@
 ---
-title: BitLocker recovery guide (Windows 10)
+title: BitLocker recovery guide
-description: This article for IT professionals describes how to recover BitLocker keys from AD DS.
+description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
-ms.reviewer:
+ms.prod: windows-client
-ms.prod: m365-security
+ms.technology: itpro-security
 ms.localizationpriority: medium
-author: dansimp
+author: frankroj
-ms.author: dansimp
+ms.author: frankroj
-manager: dansimp
+ms.reviewer: rafals
 manager: aaroncz
 ms.collection:
  - M365-security-compliance
  - highpri
@ -21,11 +22,11 @@ ms.custom: bitlocker
 - Windows 10
 - Windows 11
- Windows Server 2016 and above
+- Windows Server 2016 and later
-This article for IT professionals describes how to recover BitLocker keys from AD DS.
+This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
-Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended.
+Organizations can use BitLocker recovery information saved in AD DS to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended.
 This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
@ -45,7 +46,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker
 The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
+- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
 - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
 - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
 - Failing to boot from a network drive before booting from the hard drive.
@ -280,8 +281,14 @@ This error might occur if you updated the firmware. As a best practice, you shou
 ## Windows RE and BitLocker Device Encryption
-Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
+Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
 Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally.
 The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.
 To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**.
 To activate the on-screen keyboard, tap on a text input control.
 ## BitLocker recovery screen
--- a/windows/security/information-protection/bitlocker/images/bl-narrator.png
+++ b/windows/security/information-protection/bitlocker/images/bl-narrator.png