Paolo Matarazzo 2023-09-15 13:46:13 -04:00
parent b74bd03ad0
commit e99f902015
9 changed files with 10 additions and 156 deletions

View File

@ -83,8 +83,8 @@ ms.topic: include
|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business passwordless](/windows/security/identity-protection/hello-for-business/passwordless)**|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
|**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|
|**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|

View File

@ -83,8 +83,8 @@ ms.topic: include
|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business passwordless](/windows/security/identity-protection/hello-for-business/passwordless)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|
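Review bot: the added `Windows passwordless experience` row carries only four `Yes` cells, but this table has five columns; every other row, including the removed `Windows Hello for Business passwordless` row two lines above it, has five. As written the row renders with an empty last cell. Append the fifth cell so it reads `|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|Yes|`, matching the values of the row it replaces. The four-column copy of this table in the other include file is correct; it is only this five-column one that is off.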

View File

@ -7,13 +7,13 @@ ms.topic: include
## Windows edition and licensing requirements
The following table lists the Windows editions that support Windows Hello for Business passwordless:
The following table lists the Windows editions that support Windows Hello passwordless experience:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Windows Hello for Business passwordless license entitlements are granted by the following licenses:
Windows passwordless experience license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
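Review bot: the two replacement sentences name the feature differently. The editions line says `Windows Hello passwordless experience`, the entitlements line says `Windows passwordless experience`; the page title, the H1 and both feature tables in this commit use the latter, so drop `Hello` from the first sentence. Separately, the commit stats list nine changed files and all nine are visible here, so this hunk has to be the include renamed to `windows-passwordless-experience.md` (the name the passwordless-experience page now pulls from `../../../includes/licensing/`). If it is instead an in-place edit of `windows-hello-for-business-passwordless.md`, the new include reference points at a file that does not exist and the old file is referenced by nothing once the deleted page is gone.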

View File

@ -1,140 +0,0 @@
---
title: Windows Hello for Business passwordless
description: Learn how Windows Hello for Business passwordless enables your organization to move away from passwords.
ms.collection:
- highpri
- tier1
ms.date: 09/11/2023
ms.topic: how-to
---
# Windows Hello for Business passwordless
## Overview
Starting in Windows 11, version 22H2 with [KB5030310][KB-1], *Windows Hello for Business passwordless* is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.\
When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords.
With Windows Hello for Business passwordless, users who sign in with Windows Hello or a FIDO2 security key:
- Can't use the password credential provider on the Windows lock screen
- Aren't prompted to use a password during in-session authentications (for example, UAC elevation, password manager in the browser, etc.)
- Don't have the option *Accounts > Change password* in the Settings app
>[!NOTE]
>Users can reset their password using <kbd>CTRL</kbd>+<kbd>ALT</kbd>+<kbd>DEL</kbd> > **Manage your account**
Windows Hello for Business passwordless doesn't affect the initial sign-in experience and local accounts. It only applies to subsequent sign-ins for Microsoft Entra ID accounts. It also doesn't prevent a user from signing in with a password when using the *Other user* option in the lock screen.\
The password credential provider is hidden only for the last signed in user who signed in Windows Hello or a FIDO2 security key. Windows Hello for Business passwordless isn't about preventing users from using passwords, rather to guide and educate them to not use passwords.
This article explains how to enable Windows Hello for Business passwordless and describes the user experiences.
>[!TIP]
> Windows Hello for Business users can achieve passwordless sign-in from the first sign-in using the Web sign-in feature. For more information about Web sign-in, see [Web sign-in for Windows devices](../web-sign-in/index.md).
## System requirements
Windows Hello for Business passwordless has the following requirements:
- Windows 11, version 22H2 with [KB5030310][KB-1] or later
- Microsoft Entra joined
- Windows Hello for Busines credentials enrolled for the user, or a FIDO2 security key
- MDM-managed: Microsoft Intune or other MDM solution
>[!NOTE]
>Microsoft Entra hybrid joined devices and Active Directory domain joined devices are currently out of scope.
[!INCLUDE [windows-hello-for-business-passwordless](../../../../includes/licensing/windows-hello-for-business-passwordless.md)]
## Enable Windows Hello for Business passwordless with Intune
[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
| Category | Setting name | Value |
|--|--|--|
| **Authentication** | Enable Passwordless Experience | Enabled |
[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy][INT-2] with the [Policy CSP][CSP-1].
| Setting |
|--------|
| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience`<br>- **Data type:** int<br>- **Value:** `1`|
## User experiences
### Lock screen experience
:::row:::
:::column span="3":::
**Passwordless experience turned off**: users can sign in using a password, as indicated by the presence of the password credential provider :::image type="icon" source="images/passwordless/key-credential-provider.svg" border="false"::: in the Windows lock screen.
:::column-end:::
:::column span="1":::
:::image type="content" source="images/passwordless/lock-screen-off.png" lightbox="images/passwordless/lock-screen-off.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint, PIN and password credential providers.":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="3":::
**Passwordless experience turned on**: the password credential provider :::image type="icon" source="images/passwordless/key-credential-provider.svg" border="false"::: is missing for the last user who signed in with strong credentials. A user can either sign in using a strong credential or opt to use the *Other user* option to sign in with a password.
:::column-end:::
:::column span="1":::
:::image type="content" source="images/passwordless/lock-screen-on.png" lightbox="images/passwordless/lock-screen-on.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint and PIN credential providers only. The password credential provider is missing.":::
:::column-end:::
:::row-end:::
### In-session authentication experiences
When Windows Hello for Business passwordless is enabled, users can't use the password credential provider for in-session authentication scenarios. In-session authentication scenarios include:
- Password Manager in a web browser
- Connecting to file shares or intranet sites
- User Account Control (UAC) elevation, except if a local user account is used for elevation
>[!NOTE]
> RDP sign in defaults to the credential provider used during sign-in. However, a user can select the option *Use a different account* to sign in with a password.
>
> *Run as different user* is not impacted by Windows Hello for Business passwordless.
Example of UAC elevation experience:
:::row:::
:::column span="3":::
**Passwordless experience turned off**: UAC elevation allows the user to authenticate using a password.
:::column-end:::
:::column span="1":::
:::image type="content" source="images/passwordless/uac-off.png" lightbox="images/passwordless/uac-off.png" alt-text="Screenshot of the UAC prompt showing username and password fields.":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="3":::
**Passwordless experience turned on**: UAC elevation doesn't allow the user to use the password credential provider for the currently logged on user. The user can authenticate using Windows Hello, a FIDO2 security key or a local user account, if available.
:::column-end:::
:::column span="1":::
:::image type="content" source="images/passwordless/uac-on.png" lightbox="images/passwordless/uac-on.png" alt-text="Screenshot of the UAC prompt showing fingerprint and PIN options only.":::
:::column-end:::
:::row-end:::
## Recommendations
Here's a list of recommendations to consider before enabling Windows Hello for Business passwordless:
- If Windows Hello for Business is enabled, configure the [PIN reset](hello-feature-pin-reset.md) feature to allow users to reset their PIN from the lock screen. The PIN reset experience is improved starting in Windows 11, version 22H2 with [KB5030310][KB-1]
- Don't configure the security policy *Interactive logon: Don't display last signed-in*, as it prevents Windows Hello for Business passwordless from working
- Don't disable the password credential provider using the *Exclude credential providers* policy. The key differences between the two policies are:
- The Exclude credential providers policy disables passwords for *all accounts*, including local accounts. Windows Hello for Business passwordless only applies to Microsoft Entra ID accounts that sign in with Windows Hello or a FIDO2 security key. It also excludes *Other User* from the policy, so users have a backup sign in option
- Exclude credential providers policy prevents the use of passwords for RDP and *Run as* authentication scenarios
- To facilitate helpdesk support operations, consider enabling the local administrator account or create a separate one, randomizing its password using the [Windows Local Administrator Password Solution (LAPS)][SERV-1]
## Provide feedback
To provide feedback for Windows Hello for Business passwordless, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passwordless experience**.
<!--links used in this document-->
[CSP-1]: /windows/client-management/mdm/policy-csp-authentication#enablepasswordlessexperience
[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
[INT-2]: /mem/intune/configuration/custom-settings-windows-10
[KB-1]: https://support.microsoft.com/kb/5030310
[SERV-1]: /windows-server/identity/laps/laps-overview
[UAC-1]: /windows/security/application-security/application-control/user-account-control/settings-and-configuration?tabs=intune
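Review bot: this deletes `hello-for-business/passwordless.md` outright, and none of the nine changed files is a redirection entry, so the published URL `/windows/security/identity-protection/hello-for-business/passwordless` (which the feature tables and the features-description include stop linking to in this same commit) will return not-found for anything external that still points at it. Add a redirect from that slug to `/windows/security/identity-protection/passwordless-experience`. If this text was moved into the new page rather than rewritten, two things should not travel with it: the `[UAC-1]` link definition, which nothing in the file references, and the `Busines` typo in the requirements list. The `[KB-1]`, `[CSP-1]`, `[INT-2]`, `[SERV-1]` and `[FHUB]` definitions must travel with it, since the overview, the Intune section, the recommendations and the feedback section all resolve through them.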

View File

@ -108,8 +108,6 @@ items:
href: hello-and-password-changes.md
- name: Windows Hello for Business features
items:
- name: Passwordless
href: passwordless.md
- name: PIN reset
href: hello-feature-pin-reset.md
- name: Dual enrollment
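Review bot: the `Passwordless` entry is removed from the Windows Hello for Business features list, but no TOC entry for `passwordless-experience/index.md` is added in any of the nine changed files. Unless that page was already in the TOC before this commit, it is now unreachable from navigation; add an entry in the same commit, at the identity-protection level rather than under Windows Hello for Business, since the page no longer lives in that folder and the feature-table link is `/windows/security/identity-protection/passwordless-experience`.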

View File

@ -12,8 +12,6 @@ appliesto:
# Passkey support in Windows
## Overview
Passkeys provide a more secure and convenient method of logging into websites and applications that support them, compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can be unlocked using the device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other sign in challenges, making the authentication process faster and more convenient.
Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can use any apps or websites that support passkeys to create and sign in using passkeys with the Windows Hello native experience. Once a passkey is created, you can use Windows Hello (biometrics and PIN) or a companion device (phone or tablet) to sign in.
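Review bot: the hunk header records two removed lines (8 to 6) but the rendered diff shows only unchanged context, so the deletions are presumably blank or whitespace-only; confirm they are not the `[KB-1]` reference definition, since the Overview paragraph still resolves `[KB5030310][KB-1]` through it. Style point, not blocking: `other sign in challenges` reads better as `other sign-in challenges`, hyphenated when used as a modifier, the way the web sign-in page in this commit writes `sign-in options`.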

View File

@ -10,8 +10,6 @@ ms.topic: how-to
# Windows passwordless experience
## Overview
Starting in Windows 11, version 22H2 with [KB5030310][KB-1], *Windows passwordless experience* is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.\
When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords.
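Review bot: the header records two removed lines (8 to 6) that the rendered diff does not show. If they were whitespace this is fine; if they were an `[!INCLUDE]` or a link definition, the page loses it silently, so check the raw diff before merging. The `\` hard line break at the end of the first Overview sentence is carried over from the deleted page; it makes the next sentence render as part of the same paragraph, which is presumably intended, but a plain paragraph break is easier to maintain.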
@ -44,7 +42,7 @@ Windows passwordless experience has the following requirements:
>[!NOTE]
>Microsoft Entra hybrid joined devices and Active Directory domain joined devices are currently out of scope.
[!INCLUDE [windows-hello-for-business-passwordless](../../../../includes/licensing/windows-hello-for-business-passwordless.md)]
[!INCLUDE [windows-passwordless-experience](../../../includes/licensing/windows-passwordless-experience.md)]
## Enable Windows passwordless experience with Intune
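Review bot: the include path changes depth from `../../../../includes/` to `../../../includes/` along with the filename. That is correct only if this page sits one directory shallower than the deleted `hello-for-business/passwordless.md`, i.e. at `identity-protection/passwordless-experience/index.md`, which the feature-table link `/windows/security/identity-protection/passwordless-experience` suggests it does. Worth a local build to confirm the include resolves, because a wrong relative depth is the most common way a rename like this ships with the licensing table missing from the page.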
@ -128,7 +126,7 @@ Here's a list of recommendations to consider before enabling Windows passwordles
## Known issues
There's a known issue affecting the in-session authentication experience when using FIDO2 security keys, which may offer the option to use a password. The product group is aware of the behavior and is investigating further.
There's a known issue affecting the in-session authentication experience when using FIDO2 security keys, where security keys aren't always an available option. The product group is aware of this behavior and plans to improve this in the future.
## Provide feedback
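Review bot: the rewritten known issue describes a different symptom from the one it replaces. The old sentence told admins that a password option may still be offered in-session when a FIDO2 security key is used; the new one says the security key itself is not always offered. If both behaviours exist, keep both, since the first one matters most for anyone relying on this policy to hide the password prompt. If the first was wrong, a one-line commit note saying so would help whoever reads the history.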

View File

@ -1,5 +1,5 @@
---
title: Web sign-in for Windows devices
title: Web sign-in for Windows
description: Learn how Web sign-in in Windows works, key scenarios, and how to configure it.
ms.date: 09/13/2023
ms.topic: how-to
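Review bot: `ms.date` stays at 09/13/2023 while the page is edited on 09/15; if the freshness date is meant to track the last edit, bump it in this hunk. The shortened title now agrees with the H1 change below, so no further action there.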
@ -9,7 +9,7 @@ ms.collection:
- tier1
---
# Web sign-in for Windows devices
# Web sign-in for Windows
Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities.
This feature is called *Web sign-in*.
@ -19,7 +19,7 @@ For example, you can sign in with the Microsoft Authenticator app or with a SAML
This article describes how to configure Web sign-in and the supported key scenarios.
## Prerequisites
## System requirements
To use web sign-in, the clients must meet the following prerequisites:
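Review bot: the heading changes from `Prerequisites` to `System requirements`, but the sentence directly under it still says `must meet the following prerequisites`; align it (`must meet the following requirements`) so the section does not contradict its own heading. The rename also changes the in-page anchor from `#prerequisites` to `#system-requirements`, so search the repo for links into that anchor before merging. The new heading does match the `## System requirements` wording used on the passwordless page, which is the right direction.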

View File

@ -12,7 +12,7 @@ ms.topic: include
| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.<br><br>Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
| **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
| **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in. <br><br>Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more. <br><br>For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. |
| **[Windows Hello for Business passwordless](/windows/security/identity-protection/hello-for-business/passwordless)** | Windows Hello for Business passwordless is a security policy that aims to create a more user-friendly experience for Microsoft Entra joined devices by eliminating the need for passwords in certain authentication scenarios. By enabling this policy, users will not be given the option to use a password in these scenarios, which helps organizations transition away from passwords over time. |
| **[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)** | Windows passwordless experience is a security policy that aims to create a more user-friendly experience for Microsoft Entra joined devices by eliminating the need for passwords in certain authentication scenarios. By enabling this policy, users will not be given the option to use a password in these scenarios, which helps organizations transition away from passwords over time. |
| **[Passkey](/windows/security/identity-protection/passkey)** | Passkeys provide a more secure and convenient method of logging into websites and applications that support them, compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can be unlocked using Windows Hello (biometrics or a PIN). Passkeys are designed to be used without the need for additional login challenges, making the authentication process faster and more convenient.|
| **[Security key (FIDO2)](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. <br><br>Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
| **[Web sign-in](/windows/security/identity-protection/web-sign-in)** | Web sign-in is a credential provider initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in have been expanded. For example, users can sign-in to Windows using the Microsoft Authenticator app or with a federated identity. |
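Review bot: the replacement row changes only the feature name and link; its description still reads as if the policy eliminates passwords on Microsoft Entra joined devices outright. The deleted page scoped it much more narrowly: it applies only to the last user who signed in with Windows Hello or a FIDO2 security key, leaves local accounts, the `Other user` tile and RDP `Use a different account` untouched, and hybrid-joined and domain-joined devices are out of scope. One clause to that effect would keep this summary honest for readers who skim the feature table without opening the page.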