mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 05:47:23 +00:00
Merge pull request #5595 from MicrosoftDocs/aljupudi-5358700-branch03
5358700- Batch 03- Windows 11 Update
commit
edae047bc5
@ -15,31 +15,31 @@ localizationpriority: medium
|
||||
ms.date: 02/15/2019
|
||||
ms.reviewer:
|
||||
---
|
||||
# WebAuthn APIs for password-less authentication on Windows 10
|
||||
# WebAuthn APIs for password-less authentication on Windows
|
||||
|
||||
|
||||
### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can leverage password-less authentication.
|
||||
### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can use password-less authentication.
|
||||
|
||||
Microsoft has long been a proponent to do away with passwords.
|
||||
While working towards that goal, we'd like to introduce you to the latest Windows 10 (version 1903) W3C/FIDO2 Win32 WebAuthn platform APIs!
|
||||
These APIs allow Microsoft developer partners and the developer community to leverage Windows Hello and FIDO2 security keys
|
||||
as a password-less authentication mechanism for their applications on Windows 10 devices.
|
||||
These APIs allow Microsoft developer partners and the developer community to use Windows Hello and FIDO2 security keys
|
||||
as a password-less authentication mechanism for their applications on Windows devices.
|
||||
|
||||
#### What does this mean?
|
||||
This opens opportunities for developers or relying parties (RPs) to enable password-less authentication.
|
||||
They can now leverage [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md)
|
||||
This opens opportunities for developers or relying parties (RPs') to enable password-less authentication.
|
||||
They can now use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md)
|
||||
as a password-less multi-factor credential for authentication.
|
||||
<br>
|
||||
Users of these sites can use any browser that supports WebAuthn Windows 10 APIs for password-less authentication
|
||||
and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs site!
|
||||
and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs' site!
|
||||
<br> <br>
|
||||
The native Windows 10 WebAuthn APIs are currently supported by Microsoft Edge on Windows 10 1809 or later
|
||||
and latest versions of other browsers.
|
||||
<br> <br>
|
||||
Developers of FIDO2 authentication keys should use the new Windows 10 APIs, to enable these scenarios in a consistent way for users.
|
||||
Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC and BLE
|
||||
Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC, and BLE
|
||||
without having to deal with the interaction and management overhead.
|
||||
This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO related messaging.
|
||||
This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO-related messaging.
|
||||
|
||||
#### Where can developers learn more?
|
||||
The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn)
|
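Review bot: The changed sentence "developers or relying parties (RPs') to enable" gains a stray apostrophe; the plural abbreviation should stay "RPs", with the possessive only in "the RPs' site". The new title drops "10", but changed and unchanged lines in this hunk still say "consistent experience on Windows 10", "native Windows 10 WebAuthn APIs", "new Windows 10 APIs" and "browsers or apps on Windows 10", so the page now mixes both forms. Either generalize those sentences too or keep them version-specific on purpose and say so.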
@ -20,6 +20,7 @@ ms.reviewer:
|
||||
|
||||
**Applies to**
|
||||
- Windows 10, version 1703 or later
|
||||
- Windows 11
|
||||
- Hybrid deployment
|
||||
- Key trust
|
||||
|
||||
|
@ -24,10 +24,10 @@ This article lists the infrastructure requirements for the different deployment
|
||||
|
||||
## Cloud Only Deployment
|
||||
|
||||
* Windows 10, version 1511 or later
|
||||
* Windows 10, version 1511 or later, or Windows 11
|
||||
* Microsoft Azure Account
|
||||
* Azure Active Directory
|
||||
* Azure AD Multi-Factor Authentication
|
||||
* Azure AD Multifactor Authentication
|
||||
* Modern Management (Intune or supported third-party MDM), *optional*
|
||||
* Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory
|
||||
|
||||
|
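Review bot: The bullet "Azure AD Multifactor Authentication" respells a product name, while the MFA page touched in this same commit keeps "Azure AD Multi-Factor Authentication" for the product and only changes the generic term to "multifactor". Use one spelling for the product name across both files.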
@ -16,10 +16,11 @@ localizationpriority: medium
|
||||
ms.date: 08/19/2018
|
||||
ms.reviewer:
|
||||
---
|
||||
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
|
||||
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust
|
||||
|
||||
**Applies to**
|
||||
- Windows 10, version 1703 or later
|
||||
- Windows 11
|
||||
- On-premises deployment
|
||||
- Key trust
|
||||
|
||||
@ -101,7 +102,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
|
||||
8. Click **Next** on the **Active Directory Federation Service** page.
|
||||
9. Click **Install** to start the role installation.
|
||||
|
||||
## Review
|
||||
## Review to validate
|
||||
|
||||
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
|
||||
* Confirm the AD FS farm uses the correct database configuration.
|
||||
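Review bot: The heading here becomes "## Review to validate", but the same rename later in this file produces "## Review and validate". Pick one form for both sections; the text under each heading is identical, so the headings should match.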
@ -213,7 +214,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Th
|
||||
3. In the details pane, click **Configure Device Registration**.
|
||||
4. In the **Configure Device Registration** dialog, click **OK**.
|
||||
|
||||
## Review
|
||||
## Review and validate
|
||||
|
||||
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
|
||||
* Confirm you followed the correct procedures based on the domain controllers used in your deployment
|
||||
|
@ -16,16 +16,17 @@ localizationpriority: medium
|
||||
ms.date: 08/19/2018
|
||||
ms.reviewer:
|
||||
---
|
||||
# Configure Windows Hello for Business Policy settings
|
||||
# Configure Windows Hello for Business Policy settings - Key Trust
|
||||
|
||||
**Applies to**
|
||||
- Windows 10, version 1703 or later
|
||||
- Windows 11
|
||||
- On-premises deployment
|
||||
- Key trust
|
||||
|
||||
|
||||
You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
|
||||
Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
|
||||
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
|
||||
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
|
||||
|
||||
Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
|
||||
|
||||
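Review bot: The tool name changes to "Remote Server Administration Tools for Windows", but the download link (`details.aspx?id=45520`) is unchanged, so it still points at what the previous text called the Windows 10 package. Confirm that download applies to Windows 11 before dropping the version from the name. The unchanged paragraph below also still reads "copy them their respective language folder" (missing "to") and could be fixed in the same pass.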
@ -35,7 +36,7 @@ On-premises certificate-based deployments of Windows Hello for Business needs on
|
||||
|
||||
The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
|
||||
|
||||
If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows 10.
|
||||
If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows.
|
||||
|
||||
|
||||
## Create the Windows Hello for Business Group Policy object
|
||||
@ -92,9 +93,9 @@ The default Windows Hello for Business enables users to enroll and use biometric
|
||||
|
||||
### PIN Complexity
|
||||
|
||||
PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
|
||||
PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
|
||||
|
||||
Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
|
||||
Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
|
||||
* Require digits
|
||||
* Require lowercase letters
|
||||
* Maximum PIN length
|
||||
|
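Review bot: The rewritten paragraph starting "Windows provides eight PIN Complexity Group Policy settings" still carries the garbled phrase "you can deploy Group Policy to provide to accomplish a variety of configurations". Since the line is being touched anyway, fix it, for example "you can deploy Group Policy to accomplish a variety of configurations".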
@ -16,10 +16,11 @@ localizationpriority: medium
|
||||
ms.date: 08/19/2018
|
||||
ms.reviewer:
|
||||
---
|
||||
# Validate Active Directory prerequisites
|
||||
# Validate Active Directory prerequisites - Key Trust
|
||||
|
||||
**Applies to**
|
||||
- Windows 10, version 1703 or later
|
||||
- Windows 11
|
||||
- On-premises deployment
|
||||
- Key trust
|
||||
|
||||
|
@ -16,14 +16,15 @@ localizationpriority: medium
|
||||
ms.date: 08/19/2018
|
||||
ms.reviewer:
|
||||
---
|
||||
# Validate and Deploy Multi-factor Authentication (MFA)
|
||||
# Validate and Deploy Multifactor Authentication (MFA)
|
||||
|
||||
> [!IMPORTANT]
|
||||
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
|
||||
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10, version 1703 or later
|
||||
- Windows 11
|
||||
- On-premises deployment
|
||||
- Key trust
|
||||
|
||||
|
@ -17,10 +17,11 @@ ms.date: 08/19/2018
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# Validate and Configure Public Key Infrastructure
|
||||
# Validate and Configure Public Key Infrastructure - Key Trust
|
||||
|
||||
**Applies to**
|
||||
- Windows 10, version 1703 or later
|
||||
- Windows 11
|
||||
- On-premises deployment
|
||||
- Key trust
|
||||
|
||||
@ -114,7 +115,7 @@ The certificate template is configured to supersede all the certificate template
|
||||
|
||||
### Configure an Internal Web Server Certificate template
|
||||
|
||||
Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
|
||||
Windows clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
|
||||
|
||||
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Manage Windows Hello in your organization (Windows 10)
|
||||
title: Manage Windows Hello in your organization (Windows)
|
||||
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
|
||||
ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8
|
||||
ms.reviewer:
|
||||
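Review bot: The title changes to "(Windows)", but the `description:` line directly below it still ends "on devices running Windows 10", and the opening sentence in the next hunk says the same even though Windows 11 is added under "Applies to". Update the description and the intro sentence so the metadata and body agree with the new title.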
@ -22,6 +22,7 @@ ms.date: 1/20/2021
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Windows Hello for Business Overview (Windows 10)
|
||||
title: Windows Hello for Business Overview (Windows)
|
||||
ms.reviewer: An overview of Windows Hello for Business
|
||||
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10.
|
||||
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
|
||||
keywords: identity, PIN, biometric, Hello, passport
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -20,6 +20,7 @@ localizationpriority: medium
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
|
||||
|
||||
@ -47,7 +48,7 @@ As an administrator in an enterprise or educational organization, you can create
|
||||
Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials.
|
||||
|
||||
- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well.
|
||||
- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10.
|
||||
- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10 and Windows 11.
|
||||
|
||||
Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md).
|
||||
|
||||
|
@ -21,6 +21,7 @@ ms.reviewer:
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
|
||||
|
||||
@ -145,9 +146,9 @@ Modern management is an emerging device management paradigm that leverages the c
|
||||
|
||||
### Client
|
||||
|
||||
Windows Hello for Business is an exclusive Windows 10 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows 10 and introduced support for new scenarios.
|
||||
Windows Hello for Business is an exclusive Windows 10 and Windows 11 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows and introduced support for new scenarios.
|
||||
|
||||
Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update. The client requirement may change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices may require a minimum client running Windows 10, version 1703, also known as the Creators Update.
|
||||
Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update. The client requirement may change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices may require a minimum client running Windows 10, version 1703, also known as the Creators Update.
|
||||
|
||||
|
||||
### Active Directory
|
||||
@ -156,7 +157,7 @@ Hybrid and on-premises deployments include Active Directory as part of their inf
|
||||
|
||||
### Public Key Infrastructure
|
||||
|
||||
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
|
||||
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
|
||||
|
||||
### Cloud
|
||||
|
||||
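Review bot: The edited paragraph still ends "issue VPN certificates to users to enable connectivity on-premises resources", which is missing a word. Suggest "to enable connectivity to on-premises resources" while this line is being changed.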
@ -267,7 +268,7 @@ If you use modern management for both domain and non-domain joined devices, writ
|
||||
|
||||
### Client
|
||||
|
||||
Windows Hello for Business is a feature exclusive to Windows 10. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions.
|
||||
Windows Hello for Business is a feature exclusive to Windows 10 and Windows 11. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions.
|
||||
|
||||
If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
|
||||
> [!NOTE]
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Prepare people to use Windows Hello (Windows 10)
|
||||
title: Prepare people to use Windows Hello (Windows)
|
||||
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
|
||||
ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B
|
||||
ms.reviewer:
|
||||
@ -22,6 +22,7 @@ ms.date: 08/19/2018
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Windows Hello for Business Videos
|
||||
description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10.
|
||||
description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
|
||||
keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -20,6 +20,7 @@ ms.reviewer:
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
## Overview of Windows Hello for Business and Features
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Why a PIN is better than a password (Windows 10)
|
||||
title: Why a PIN is better than a password (Windows)
|
||||
description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .
|
||||
ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212
|
||||
ms.reviewer:
|
||||
@ -23,6 +23,7 @@ ms.date: 10/23/2017
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
|
||||
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Microsoft-compatible security key
|
||||
description: Learn how a Microsoft-compatible security key for Windows 10 is different (and better) than any other FIDO2 security key.
|
||||
description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key.
|
||||
keywords: FIDO2, security key, CTAP, Hello, WHFB
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Passwordless Strategy
|
||||
description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10.
|
||||
description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11.
|
||||
keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -25,7 +25,7 @@ Over the past few years, Microsoft has continued their commitment to enabling a
|
||||
|
||||
|
||||
### 1. Develop a password replacement offering
|
||||
Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory.
|
||||
Before you move away from passwords, you need something to replace them. With Windows 10 and Windows 11, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory.
|
||||
|
||||
Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
|
||||
|
||||
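Review bot: "With Windows 10 and Windows 11, Microsoft introduced Windows Hello for Business" changes the meaning of "introduced": the sentence previously dated the feature to Windows 10. Consider keeping "With Windows 10, Microsoft introduced ..." and adding Windows 11 support in a separate clause.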
@ -38,7 +38,7 @@ Once the user-visible password surface has been eliminated, your organization ca
|
||||
- the users never change their password
|
||||
- the users do not know their password
|
||||
|
||||
In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business.
|
||||
In this world, the user signs in to Windows using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business.
|
||||
|
||||
### 4. Eliminate passwords from the identity directory
|
||||
The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment.
|
||||
@ -139,7 +139,7 @@ The journey to password freedom is to take each work persona through each step o
|
||||
After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process.
|
||||
|
||||
### Passwordless replacement offering (Step 1)
|
||||
The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
|
||||
The first step to password freedom is providing an alternative to passwords. Windows 10 and Windows 11 provide an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
|
||||
|
||||
#### Identify test users that represent the targeted work persona
|
||||
A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process.
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Reset-security-key
|
||||
description: Windows<EFBFBD>10 enables users to sign in to their device using a security key. How to reset a security key
|
||||
description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key
|
||||
keywords: FIDO2, security key, CTAP, Microsoft-compatible security key
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
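Review bot: The new `description:` reads "Windows 10 and Windows 11 enables users", a subject-verb mismatch introduced by adding the second product name. It should be "enable users". The description also ends with the fragment "How to reset a security key" with no punctuation, which is worth tidying in the same line.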
@ -24,14 +24,14 @@ ms.reviewer:
|
||||
>This operation will wipe everything from your security key and reset it to factory defaults.</br> **All data and credentials will be cleared.**
|
||||
|
||||
|
||||
A [Microsoft-compatible security key](./microsoft-compatible-security-key.md) can be reset via Settings app ( Settings > Accounts > Sign-in options > Security key ).
|
||||
A [Microsoft-compatible security key](./microsoft-compatible-security-key.md) can be reset via Settings app (Settings > Accounts > Sign-in options > Security key).
|
||||
</br>
|
||||
Follow the instructions in the Settings app and look for specific instructions based on your security key manufacturer below:
|
||||
|
||||
|
||||
|Security key manufacturer</br> | Reset instructions </br> |
|
||||
| --- | --- |
|
||||
|Yubico | **USB:** Remove and re-insert the security key. When the LED on the security key begins flashing, touch the metal contact <br> **NFC:** Tap the security key on the reader <br>|
|
||||
|Yubico | **USB:** Remove and reinsert the security key. When the LED on the security key begins flashing, touch the metal contact <br> **NFC:** Tap the security key on the reader <br>|
|
||||
|Feitian | Touch the blinking fingerprint sensor twice to reset the key|
|
||||
|HID | Tap the card on the reader twice to reset it |
|
||||
|
||||
|