From 3a2bc2bda5b7e6701dac1efae6d4ebe6beab9907 Mon Sep 17 00:00:00 2001 From: Jay Simmons Date: Wed, 29 Jun 2022 10:45:41 -0700 Subject: [PATCH 01/10] Add new LAPS CSP documentation --- ...onfiguration-service-provider-reference.md | 12 + windows/client-management/mdm/laps-csp.md | 757 ++++++++++++++++++ .../client-management/mdm/laps-ddf-file.md | 654 +++++++++++++++ windows/client-management/mdm/toc.yml | 5 + 4 files changed, 1428 insertions(+) create mode 100644 windows/client-management/mdm/laps-csp.md create mode 100644 windows/client-management/mdm/laps-ddf-file.md diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 6c7adbc949..d3f495c04a 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -531,6 +531,18 @@ Additional lists: + +[Local Administrator Password Solution CSP](laps-csp.md) + + + +|Home|Pro|Business|Enterprise|Education| +|--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes| + + + + [MultiSIM CSP](multisim-csp.md) diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md new file mode 100644 index 0000000000..c1bb54b8fc --- /dev/null +++ b/windows/client-management/mdm/laps-csp.md @@ -0,0 +1,757 @@ +--- +title: Local Administrator Password Solution CSP +description: Learn how the Local Administrator Password Solution configuration service provider (CSP) is used by the enterprise to manage backup of local administrator account passwords. +ms.author: jsimmons +ms.topic: article +ms.prod: w11 +ms.technology: windows +author: jsimmons +ms.localizationpriority: medium +ms.date: 07/04/2022 +ms.reviewer: jsimmons +manager: jsimmons +--- + +# Local Administrator Password Solution CSP + +The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145. This CSP was added in Windows 11 as of version 25154 (tbd). + +The following example shows the LAPS CSP in tree format. + +```xml +./Device/Vendor/MSFT +LAPS +----Policies +--------BackupDirectory +--------PasswordAgeDays +--------PasswordLength +--------PasswordComplexity +--------PasswordExpirationProtectionEnabled +--------AdministratorAccountName +--------ADPasswordEncryptionEnabled +--------ADPasswordEncryptionPrincipal +--------ADEncryptedPasswordHistorySize +--------PostAuthenticationResetDelay +--------PostAuthenticationActions +----Actions +--------ResetPassword +--------ResetPasswordStatus +``` + +The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2. + +|Setting name|Azure-joined|Hybrid-joined| +|---|---|---| +|BackupDirectory|Yes|Yes +|PasswordAgeDays|Yes|Yes +|PasswordLength|Yes|Yes| +|PasswordComplexity|Yes|Yes| +|PasswordExpirationProtectionEnabled|No|Yes| +|AdministratorAccountName|Yes|Yes| +|ADPasswordEncryptionEnabled|No|Yes| +|ADPasswordEncryptionPrincipal|No|Yes| +|ADEncryptedPasswordHistorySize|No|Yes| +|PostAuthenticationResetDelay|Yes|Yes| +|PostAuthenticationActions|Yes|Yes| +|ResetPassword|Yes|Yes| +|ResetPasswordStatus|Yes|Yes| + +> [!IMPORTANT] +> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP. However, as long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see xxx reference on LAPS policy configuration. + +## ./Device/Vendor/MSFT/LAPS + +Defines the root node for the LAPS CSP. + + +### Policies + +Defines the interior parent node for all configuration-related settings in the LAPS CSP. + + + +### BackupDirectory + +Allows the administrator to configure which directory the local administrator account password is backed up to. + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + +Data type is integer. Supported operations are Add, Get, Replace, and Delete. + + +The allowable settings are: + +0=Disabled (password won't be backed up) + +1=Back up the password to Azure AD only + +2=Back up the password to Active Directory only + +If not specified, this setting will default to 0 (disabled). + + + + +### PasswordAgeDays + +Use this policy to configure the maximum password age of the managed local administrator account. + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + + +If not specified, this setting will default to 30 days + +This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password Azure AD. + +This setting has a maximum allowed value of 365 days. + + +Data type is integer. + +Supported operations are Add, Get, Replace, and Delete. + + + +### PasswordComplexity + +Use this setting to configure password complexity of the managed local administrator account. + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + + +The allowable settings are: + +1=Large letters + +2=Large letters + small letters + +3=Large letters + small letters + numbers + +4=Large letters + small letters + numbers + special characters + +If not specified, this setting will default to 4. + +> [!IMPORTANT] +> Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always configured to 4. + + +Data type is integer. + +Supported operations are Add, Get, Replace, and Delete. + + + +### PasswordLength + +Use this setting to configure the length of the password of the managed local administrator account. + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + + +If not specified, this setting will default to 14 characters. + +This setting has a minimum allowed value of 8 characters. + +This setting has a maximum allowed value of 64 characters. + + +Data type is integer. + +Supported operations are Add, Get, Replace, and Delete. + + + +### AdministratorAccountName + +Use this setting to configure the name of the managed local administrator account. + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + + +If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). + +If specified, the specified account's password will be managed. + +> [!IMPORTANT] +> If a custom account name is specified in this setting, the specified account must be created via other means. Specifying a name in this setting will not cause the account to be created. + + +Data type is string. + +Supported operations are Add, Get, Replace, and Delete. + + + +### PasswordExpirationProtectionEnabled + +Use this setting to configure additional enforcement of maximum password age for the managed local administrator account. + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + + +When this setting is set to True, planned password expiration that would result in a password age which is greater than what is specified by the "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately, and the new password expiration date is set according to policy. + +If not specified, this setting defaults to True. + +> [!IMPORTANT] +> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory. + + +Data type is boolean. + +Supported operations are Add, Get, Replace, and Delete. + + + +### ADPasswordEncryptionEnabled + +Use this setting to configure whether the password is encrypted before being stored in Active Directory. + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + + +This setting is ignored if the password is currently being stored in Azure. + +If this setting is set to True, and the Active Directory domain meets the 2016 DFL prerequisite, the password is encrypted before being stored in Active Directory. + +If this setting is missing or set to False, or the Active Directory domain doesn't meet the DFL prerequisite, the password is stored as clear-text in Active Directory. + +If not specified, this setting defaults to False. +> [!IMPORTANT] +> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. + + +Data type is boolean. + +Supported operations are Add, Get, Replace, and Delete. + + + +### ADPasswordEncryptionPrincipal + +Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + + +This setting is ignored if the password is currently being stored in Azure. + +If not specified, the password can only be decrypted by the Domain Admins group in the device's domain. + +If specified, the specified user or group will be able to decrypt the password stored in Active Directory. + +If the specified user or group account is invalid the device will fall back to using the Domain Admins group in the device's domain. +> [!IMPORTANT] +> The string stored in this setting must be either a SID in string form or the fully qualified name of a user or group. Valid examples include: +> +> "S-1-5-21-2127521184-1604012920-1887927527-35197" +> +> "contoso\LAPSAdmins" +> +> "lapsadmins@contoso.com" +> +> The principal identified (either by SID or user\group name) must exist and be resolvable by the device. + +> [!IMPORTANT] +> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met. + + +Data type is string. + +Supported operations are Add, Get, Replace, and Delete. + + + +### ADEncryptedPasswordHistorySize + +Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory. + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + + +If not specified, this setting will default to 0 passwords (disabled). + +This setting has a minimum allowed value of 0 passwords. + +This setting has a maximum allowed value of 12 passwords. + +> [!IMPORTANT] +> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met. + + +Data type is integer. + +Supported operations are Add, Get, Replace, and Delete. + + + +### PostAuthenticationResetDelay + +Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions (see the PostAuthenticationActions setting below). + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + + +If not specified, this setting will default to 24 hours. + +This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). + +This setting has a maximum allowed value of 24 hours. + + +Data type is integer. + +Supported operations are Add, Get, Replace, and Delete. + + + +### PostAuthenticationActions + +Use this setting to specify the actions to take upon expiration of the configured grace period (see the PostAuthenticationResetDelay setting above). + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + + +This setting can have ONE of the following values: + +|Value|Name|Action(s) taken upon expiry of the grace period| +|--- |--- |--- | +|1|Reset password|The managed account password will be reset| +|3|Reset password and log off|The managed account password will be reset and any interactive logon sessions using the managed account will be terminated| +|5|Reset password and reboot|The managed account password will be reset and the managed device will be immediately rebooted.| + +If not specified, this setting will default to 3. + +> [!IMPORTANT] +> The allowed post-authentication actions are intended to help limit the amount of time that a LAPS password may be used before being reset. Logging off the managed account - or rebooting the device - are options to help ensure this. Abrupt termination of logon sessions, or rebooting the device, may result in data loss. + +> [!IMPORTANT] +> From a security perspective, a malicious user who acquires administrative privileges on a device using a valid LAPS password has the ability to prevent or circumvent these mechanisms. + + +Data type is integer. + +Supported operations are Add, Get, Replace, and Delete. + + + +## Actions + +Defines the parent interior node for all action-related settings in the LAPS CSP. + + + +### ResetPassword + +Use this Execute action to request an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc. + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + + + + + +Data type is integer. + +Supported operations are Execute. + + + +### ResetPasswordStatus + +Use this setting to query the status of the last submitted ResetPassword action. + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + + +The value returned is an HRESULT code. + +S_OK (0x0) - the last submitted ResetPassword action succeeded. + +E_PENDING (0x8000000) - the last submitted ResetPassword action is still executing. + +other - the last submitted ResetPassword action encountered the returned error. + + +Data type is integer. + +Supported operations are Get. + + +### SyncML examples + +The following examples are provided to show proper format and shouldn't be taken as a recommendation. + +#### Azure-joined device backing password up to Azure AD + +This example is configuring an Azure-joined device to back up its password to Azure Active Directory: + +```xml + + + + 1 + + + ./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory + + + int + text/plain + + 1 + + + + 2 + + + ./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays + + + int + text/plain + + 7 + + + + 3 + + + ./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity + + + int + text/plain + + 4 + + + + 4 + + + ./Device/Vendor/MSFT/LAPS/Policies/PasswordLength + + + int + text/plain + + 32 + + + + 5 + + + ./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName + + + chr + text/plain + + ContosoLocalLapsAdmin + + + + 6 + + + ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay + + + int + text/plain + + 8 + + + + 7 + + + ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions + + + int + text/plain + + 3 + + <Final/> + +``` + +#### Hybrid-joined device backing password up to Active Directory + +This example is configuring a hybrid device to back up its password to Active Directory with password encryption enabled: + +```xml + + + + 1 + + + ./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory + + + int + text/plain + + 2 + + + + 2 + + + ./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays + + + int + text/plain + + 20 + + + + 3 + + + ./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity + + + int + text/plain + + 3 + + + + 4 + + + ./Device/Vendor/MSFT/LAPS/Policies/PasswordLength + + + int + text/plain + + 14 + + + + 5 + + + ./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName + + + chr + text/plain + + ContosoLocalLapsAdmin + + + + 6 + + + ./Device/Vendor/MSFT/LAPS/Policies/PasswordExpirationProtectionEnabled + + + bool + text/plain + + True + + + + 7 + + + ./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionEnabled + + + bool + text/plain + + True + + + + 8 + + + ./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionPrincipal + + + chr + text/plain + + LAPSAdmins@contoso.com + + + + 9 + + + ./Device/Vendor/MSFT/LAPS/Policies/ADEncryptedPasswordHistorySize + + + int + text/plain + + 6 + + + + 10 + + + ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay + + + int + text/plain + + 4 + + + + 11 + + + ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions + + + int + text/plain + + 5 + + <Final/> + +``` + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md new file mode 100644 index 0000000000..dcd69ca70c --- /dev/null +++ b/windows/client-management/mdm/laps-ddf-file.md @@ -0,0 +1,654 @@ +--- +title: LAPS DDF file +description: Learn about the OMA DM device description framework (DDF) for the Local Administrator Password Solution configuration service provider. +ms.author: jsimmons +ms.topic: article +ms.prod: w11 +ms.technology: windows +author: jsimmons +ms.localizationpriority: medium +ms.date: 07/04/2022 +ms.reviewer: jsimmons +manager: jsimmons +--- + +# Local Administrator Password Solution DDF file + +This article shows the OMA DM device description framework (DDF) for the Local Administrator Password Solution (LAPS) configuration service provider. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +The XML below is the current version for this CSP. + +```xml + + + + + 1.2 + "%windir%\system32\LapsCSP.dll + + {298a6f17-03e7-4bd4-971c-544f359527b7} + + LAPS + ./Device/Vendor/MSFT + + + + + The root node for the LAPS configuration service provider. + + + + + + + + + + + + + + 99.9.99999 + 1.0 + + + + + + + Policies + + + + + Root node for LAPS policies. + + + + + + + + + + Policies + + + + + + + BackupDirectory + + + + + + + + 0 + Use this setting to configure which directory the local admin account password is backed up to. + +The allowable settings are: + +0=Disabled (password will not be backed up) +1=Backup the password to Azure AD only +2=Backup the password to Active Directory only + +If not specified, this setting will default to 0. + + + + + + + + + + + text/plain + + + + 0 + Disabled (password will not be backed up) + + + 1 + Backup the password to Azure AD only + + + 2 + Backup the password to Active Directory only + + + + + + PasswordAgeDays + + + + + + + + 30 + Use this policy to configure the maximum password age of the managed local administrator account. + +If not specified, this setting will default to 30 days + +This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Azure AD. + +This setting has a maximum allowed value of 365 days. + + + + + + + + + + + text/plain + + + [1-365] + + + + + [7-365] + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 1 + BackupDirectory configured to Azure AD + + + + + + + + + PasswordComplexity + + + + + + + + 4 + Use this setting to configure password complexity of the managed local administrator account. + +The allowable settings are: + +1=Large letters +2=Large letters + small letters +3=Large letters + small letters + numbers +4=Large letters + small letters + numbers + special characters + +If not specified, this setting will default to 4. + + + + + + + + + + + text/plain + + + + 1 + Large letters + + + 2 + Large letters + small letters + + + 3 + Large letters + small letters + numbers + + + 4 + Large letters + small letters + numbers + special characters + + + + + + PasswordLength + + + + + + + + 14 + Use this setting to configure the length of the password of the managed local administrator account. + +If not specified, this setting will default to 14 characters. + +This setting has a minimum allowed value of 8 characters. + +This setting has a maximum allowed value of 64 characters. + + + + + + + + + + + text/plain + + + [8-64] + + + + + AdministratorAccountName + + + + + + + + Use this setting to configure the name of the managed local administrator account. + +If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). + +If specified, the specified account's password will be managed. + +Note: if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created. + + + + + + + + + + + text/plain + + + + + PasswordExpirationProtectionEnabled + + + + + + + + True + Use this setting to configure additional enforcement of maximum password age for the managed local administrator account. + +When this setting is enabled, planned password expiration that would result in a password age greater than that dictated by "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately and the new password expiration date is set according to policy. + +If not specified, this setting defaults to True. + + + + + + + + + + + text/plain + + + + false + Allow configured password expiriration timestamp to exceed maximum password age + + + true + Do not allow configured password expiriration timestamp to exceed maximum password age + + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + ADPasswordEncryptionEnabled + + + + + + + + False + Use this setting to configure whether the password is encrypted before being stored in Active Directory. + +This setting is ignored if the password is currently being stored in Azure. + +This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. + +If this setting is enabled, and the Active Directory domain meets the DFL prerequisite, the password will be encrypted before before being stored in Active Directory. + +If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory. + +If not specified, this setting defaults to False. + + + + + + + + + + + text/plain + + + + false + Store the password in clear-text form in Active Directory + + + true + Store the password in encrypted form in Active Directory + + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + ADPasswordEncryptionPrincipal + + + + + + + + Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. + +This setting is ignored if the password is currently being stored in Azure. + +If not specified, the password will be decryptable by the Domain Admins group in the device's domain. + +If specified, the specified user or group will be able to decrypt the password stored in Active Directory. + +If the specified user or group account is invalid the device will fallback to using the Domain Admins group in the device's domain. + + + + + + + + + + + text/plain + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + ADEncryptedPasswordHistorySize + + + + + + + + 0 + Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory. + +If not specified, this setting will default to 0 passwords (disabled). + +This setting has a minimum allowed value of 0 passwords. + +This setting has a maximum allowed value of 12 passwords. + + + + + + + + + + + text/plain + + + [0-12] + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + PostAuthenticationResetDelay + + + + + + + + 24 + Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. + + If not specified, this setting will default to 24 hours. + + This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). + + This setting has a maximum allowed value of 24 hours. + + + + + + + + + + + text/plain + + + [0-24] + + + + + PostAuthenticationActions + + + + + + + + 3 + Use this setting to specify the actions to take upon expiration of the configured grace period. + +If not specified, this setting will default to 3 (Reset the password and logoff the managed account). + + + + + + + + + + + + text/plain + + + + 1 + Reset password: upon expiry of the grace period, the managed account password will be reset. + + + 3 + Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. + + + 5 + Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. + + + + + + + Actions + + + + + + + + + + + + + + Actions + + + + + + ResetPassword + + + + + Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account. + + + + + + + + + + + text/plain + + + + + + ResetPasswordStatus + + + + + 0 + Use this setting to query the status of the last submitted ResetPassword execute action. + + + + + + + + + + ResetPasswordStatus + + text/plain + + + + + + + + +``` + +## Related articles + +[LAPS configuration service provider](laps-csp.md) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index a95c47c94f..15cf32cc9a 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -294,6 +294,11 @@ items: items: - name: HealthAttestation DDF href: healthattestation-ddf.md + - name: Local Administrator Password Solution CSP + href: laps-csp.md + items: + - name: Local Administrator Password Solution DDF + href: laps-ddf.md - name: MultiSIM CSP href: multisim-csp.md items: From dd755e9b90f2c05f0e435035068e927ee5f1e803 Mon Sep 17 00:00:00 2001 From: Jay Simmons Date: Wed, 29 Jun 2022 10:49:27 -0700 Subject: [PATCH 02/10] Fix broken file name reference. --- windows/client-management/mdm/toc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 15cf32cc9a..b1194e3705 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -298,7 +298,7 @@ items: href: laps-csp.md items: - name: Local Administrator Password Solution DDF - href: laps-ddf.md + href: laps-ddf-file.md - name: MultiSIM CSP href: multisim-csp.md items: From bab6abe6f89cec9b504993794b6510863207c5d1 Mon Sep 17 00:00:00 2001 From: Jay Simmons Date: Wed, 29 Jun 2022 10:57:47 -0700 Subject: [PATCH 03/10] Fix minor bugs, make Acrolinx more happy. --- windows/client-management/mdm/laps-csp.md | 32 +++++++++++------------ 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md index c1bb54b8fc..6b07c43200 100644 --- a/windows/client-management/mdm/laps-csp.md +++ b/windows/client-management/mdm/laps-csp.md @@ -14,7 +14,7 @@ manager: jsimmons # Local Administrator Password Solution CSP -The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145. This CSP was added in Windows 11 as of version 25154 (tbd). +The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145. The following example shows the LAPS CSP in tree format. @@ -57,7 +57,7 @@ The LAPS CSP can be used to manage devices that are either joined to Azure AD or |ResetPasswordStatus|Yes|Yes| > [!IMPORTANT] -> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP. However, as long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see xxx reference on LAPS policy configuration. +> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see the TBD reference on LAPS policy configuration. ## ./Device/Vendor/MSFT/LAPS @@ -89,11 +89,11 @@ Data type is integer. Supported operations are Add, Get, Replace, and Delete. The allowable settings are: -0=Disabled (password won't be backed up) - -1=Back up the password to Azure AD only - -2=Back up the password to Active Directory only +|Value|Description of setting| +|--- |--- | +|0|Disabled (password won't be backed up)| +|1|Back up the password to Azure AD only| +|2|Back up the password to Active Directory only| If not specified, this setting will default to 0 (disabled). @@ -147,18 +147,18 @@ Use this setting to configure password complexity of the managed local administr The allowable settings are: -1=Large letters +|Value|Description of setting| +|--- |--- | +|1|Large letters| +|2|Large letters + small letters| +|3|Large letters + small letters + numbers| +|4|Large letters + small letters + numbers + special characters| -2=Large letters + small letters - -3=Large letters + small letters + numbers - -4=Large letters + small letters + numbers + special characters If not specified, this setting will default to 4. > [!IMPORTANT] -> Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always configured to 4. +> Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always be configured to 4. Data type is integer. @@ -242,7 +242,7 @@ Use this setting to configure additional enforcement of maximum password age for -When this setting is set to True, planned password expiration that would result in a password age which is greater than what is specified by the "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately, and the new password expiration date is set according to policy. +When this setting is set to True, planned password expiration that would result in a password age greater than what is specified by the "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately, and the new password expiration date is set according to policy. If not specified, this setting defaults to True. @@ -424,7 +424,7 @@ If not specified, this setting will default to 3. > The allowed post-authentication actions are intended to help limit the amount of time that a LAPS password may be used before being reset. Logging off the managed account - or rebooting the device - are options to help ensure this. Abrupt termination of logon sessions, or rebooting the device, may result in data loss. > [!IMPORTANT] -> From a security perspective, a malicious user who acquires administrative privileges on a device using a valid LAPS password has the ability to prevent or circumvent these mechanisms. +> From a security perspective, a malicious user who acquires administrative privileges on a device using a valid LAPS password does have the ultimate ability to prevent or circumvent these mechanisms. Data type is integer. From 1b0077fb23044904f6acdf8d24e8cdc038d7838c Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 8 Sep 2022 15:03:17 -0400 Subject: [PATCH 04/10] Update toc.yml --- windows/client-management/mdm/toc.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index f4082ac119..a10432d24d 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -299,11 +299,11 @@ items: items: - name: HealthAttestation DDF href: healthattestation-ddf.md - - name: Local Administrator Password Solution CSP - href: laps-csp.md - items: - - name: Local Administrator Password Solution DDF - href: laps-ddf-file.md + - name: Local Administrator Password Solution CSP + href: laps-csp.md + items: + - name: Local Administrator Password Solution DDF + href: laps-ddf-file.md - name: MultiSIM CSP href: multisim-csp.md items: @@ -981,4 +981,4 @@ items: href: wirednetwork-csp.md items: - name: WiredNetwork DDF file - href: wirednetwork-ddf-file.md \ No newline at end of file + href: wirednetwork-ddf-file.md From 1aaad4ee2d77a4e610abdd540dfd8268f60e7edb Mon Sep 17 00:00:00 2001 From: Jay Simmons Date: Mon, 19 Sep 2022 14:19:32 -0700 Subject: [PATCH 05/10] Add platform availability disclaimer (matches mainline LAPS docs disclaimer) --- windows/client-management/mdm/laps-csp.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md index 6b07c43200..f69dfcb4d0 100644 --- a/windows/client-management/mdm/laps-csp.md +++ b/windows/client-management/mdm/laps-csp.md @@ -16,6 +16,9 @@ manager: jsimmons The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145. +> [!IMPORTANT] +> Windows LAPS is currently only available in Windows Insider builds as of 25145 and later. Support for the Windows LAPS Azure AD scenario is currently limited to a small group of Windows Insiders. + The following example shows the LAPS CSP in tree format. ```xml From 08614f08bf32dcb35aea8a1b9b27e43098f8aed4 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Sep 2022 10:52:24 -0400 Subject: [PATCH 06/10] tabbed xp --- .../hello-hybrid-cloud-kerberos-trust.md | 113 +- .../images/icons/group-policy.svg | 2890 ++++++++++++++++ .../images/icons/intune.svg | 2953 +++++++++++++++++ 3 files changed, 5899 insertions(+), 57 deletions(-) create mode 100644 windows/security/identity-protection/hello-for-business/images/icons/group-policy.svg create mode 100644 windows/security/identity-protection/hello-for-business/images/icons/intune.svg diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 4af8090b66..25762260c9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -26,12 +26,12 @@ The goal of the Windows Hello for Business cloud Kerberos trust is to bring the Windows Hello for Business cloud Kerberos trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model: -- Windows Hello for Business cloud Kerberos trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI. -- Cloud Kerberos trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate. -- Deploying Windows Hello for Business cloud Kerberos trust enables you to also deploy passwordless security keys with minimal extra setup. +- Windows Hello for Business cloud Kerberos trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI +- Cloud Kerberos trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate +- Deploying Windows Hello for Business cloud Kerberos trust enables you to also deploy passwordless security keys with minimal extra setup > [!NOTE] -> Windows Hello for Business cloud Kerberos trust is recommended instead of key trust if you meet the prerequisites to deploy cloud Kerberos trust. cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. +> Windows Hello for Business cloud Kerberos trust is recommended instead of key trust if you meet the prerequisites to deploy cloud Kerberos trust. Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. ## Azure Active Directory Kerberos and Cloud Kerberos Trust Authentication @@ -50,7 +50,7 @@ If you're using the hybrid cloud Kerberos trust deployment model, you _must_ ens | Requirement | Notes | | --- | --- | | Multi-factor Authentication | This requirement can be met using [Azure AD multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multi-factor authentication provided through AD FS, or a comparable solution. | -| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. | +| Patched Windows 10, version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. | | Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Azure AD Kerberos. If you're using Windows Server 2016, [KB3534307](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e) must be installed. If you're using Server 2019, [KB4534321](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f) must be installed. | | Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).| | Device management | Windows Hello for Business cloud Kerberos trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. | @@ -85,54 +85,15 @@ If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enabl ### Configure Windows Hello for Business Policy -After setting up the Azure AD Kerberos Object, Windows Hello for business cloud Kerberos trust must be enabled using policy. By default, cloud Kerberos trust won't be used by Hybrid Azure AD joined or Azure AD-joined devices. +After setting up the Azure AD Kerberos Object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). -#### Configure Using Group Policy - -Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business. - -The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled. - -You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. - -cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration. - -> [!NOTE] -> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources) - -##### Update Group Policy Objects - -You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows 10 21H2 or Windows 11 device that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the Passport.admx and Passport.adml files. - -You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store). - -##### Create the Windows Hello for Business Group Policy object - -Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials. - -1. Start the **Group Policy Management Console** (gpmc.msc). -1. Expand the domain and select the **Group Policy Object** node in the navigation pane. -1. Right-click **Group Policy object** and select **New**. -1. Type *Enable Windows Hello for Business* in the name box and click **OK**. -1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -1. In the navigation pane, expand **Policies** under **Device Configuration**. -1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. -1. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. -1. In the content pane, double-click **Use cloud Kerberos trust for on-premises authentication**. Click **Enable** and click **OK**. -1. *Optional but recommended*: In the content pane, double-click **Use a hardware security device**. Click **Enable** and click **OK**. - -This group policy should be targeted at the computer group that you've created for that you want to use Windows Hello for Business. - -> [!Important] -> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled. - -#### Configure Using Intune +#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices. The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business. -##### Create a user Group that will be targeted for Windows Hello for Business +### Create a user Group that will be targeted for Windows Hello for Business If you have an existing group you want to target with Windows Hello for Business cloud Kerberos trust policy, you can skip this step. @@ -146,7 +107,7 @@ If you have an existing group you want to target with Windows Hello for Business You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center. -##### Enable Windows Hello for Business +### Enable Windows Hello for Business If you already enabled Windows Hello for Business for a target set of users or devices, you can skip below to configuring the cloud Kerberos trust policy. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy. @@ -170,7 +131,7 @@ You can also follow these steps to create a device configuration policy instead Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog). -##### Configure Cloud Kerberos Trust policy +### Configure Cloud Kerberos Trust policy To configure the cloud Kerberos trust policy, follow the steps below: @@ -181,15 +142,12 @@ To configure the cloud Kerberos trust policy, follow the steps below: 1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust". 1. In Configuration Settings, add a new configuration with the following settings: - - Name: "Windows Hello for Business cloud Kerberos trust" or another familiar name - - Description: Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO. - - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/UseCloudTrustForOnPremAuth +| Setting | +|--------| +|
  • Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
  • Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
  • OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`**`/Policies/UseCloudTrustForOnPremAuth`**
  • Data type: **Boolean**
  • Value: **True**
    • | - >[!IMPORTANT] - >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID. - - - Data type: Boolean - - Value: True +>[!IMPORTANT] +>*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID. [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox) @@ -202,6 +160,47 @@ To configure the cloud Kerberos trust policy, follow the steps below: > [!Important] > If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled. +#### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo) + +Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business. + +The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled. + +You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. + +cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration. + +> [!NOTE] +> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources) + +#### Update Group Policy Objects + +You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows 10 21H2 or Windows 11 device that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the Passport.admx and Passport.adml files. + +You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store). + +#### Create the Windows Hello for Business Group Policy object + +Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc). +1. Expand the domain and select the **Group Policy Object** node in the navigation pane. +1. Right-click **Group Policy object** and select **New**. +1. Type *Enable Windows Hello for Business* in the name box and click **OK**. +1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +1. In the navigation pane, expand **Policies** under **Device Configuration**. +1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. +1. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. +1. In the content pane, double-click **Use cloud Kerberos trust for on-premises authentication**. Click **Enable** and click **OK**. +1. *Optional but recommended*: In the content pane, double-click **Use a hardware security device**. Click **Enable** and click **OK**. + +This group policy should be targeted at the computer group that you've created for that you want to use Windows Hello for Business. + +> [!Important] +> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled. + +--- + ## Provisioning The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud Kerberos trust adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy. diff --git a/windows/security/identity-protection/hello-for-business/images/icons/group-policy.svg b/windows/security/identity-protection/hello-for-business/images/icons/group-policy.svg new file mode 100644 index 0000000000..9fad2d6c4a --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/images/icons/group-policy.svg @@ -0,0 +1,2890 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + windows-docs-pr/group-policy.svg at release-win11-22h2 · MicrosoftDocs/windows-docs-pr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + Skip to content + + + + + + + + + + + + + + +
    + +
    + + + + + + + +
    + + + + + +
    + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + +
    + +
    + + + + MicrosoftDocs  /   + windows-docs-pr  /   + +
    +
    + + + +
    + + +
    +
    + Clear Command Palette +
    +     + + + +
    +
    + Tip: + Type # to search pull requests +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type # to search issues +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type # to search discussions +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type ! to search projects +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type @ to search teams +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type @ to search people and organizations +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type > to activate command mode +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Go to your accessibility settings to change your keyboard shortcuts +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type author:@me to search your content +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type is:pr to filter to pull requests +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type is:issue to filter to issues +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type is:project to filter to projects +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type is:open to filter to open content +
    +
    + Type ? for help and tips +
    +
    +     + +
    + +
    +
    + We’ve encountered an error and some results aren't available at this time. Type a new search or try again later. +
    +     + + No results matched your search + + + + + + + + + + +     + + + + + Search for issues and pull requests + + # + + + + Search for issues, pull requests, discussions, and projects + + # + + + + Search for organizations, repositories, and users + + @ + + + + Search for projects + + ! + + + + Search for files + + / + + + + Activate command mode + + > + + + + Search your issues, pull requests, and discussions + + # author:@me + + + + Search your issues, pull requests, and discussions + + # author:@me + + + + Filter to pull requests + + # is:pr + + + + Filter to issues + + # is:issue + + + + Filter to discussions + + # is:discussion + + + + Filter to projects + + # is:project + + + + Filter to open issues, pull requests, and discussions + + # is:open + + + + + + + + + + + + + + + + +     +     +
    + +
    + + + + + + + + + + +
    + + +
    +
    +
    + + + + + + + + + + + + +
    + +
    + +
    +
    + + + + / + + windows-docs-pr + + + Private +
    + +
    + +
      + + + +
    • + +
      + + + + + + + Watch + + + 37 + + + +
      +
      +

      Notifications

      + +
      + +
      +
      + + + + + + + + +
      + + +
      +
      +       + + + + +
      +
      +       + + + +
      • + +
    • + +
      + Fork + 173 + +
      + + + +
      + +
      +
      + + + + + + + +
      + +
      +
      +       +
      +
      • + +
    • + + +
      +
      + + +
      +
      + +
      + + + +
      + +
      +
      + + + + + + + +
      + +
      +
      +       +
      +
      +
      • + + + +
    + +
    + +
    +
    + + + + +
    + + + + + +
    + Open in github.dev + Open in a new github.dev tab + + + + + + +
    + + +
    + + + + + + + + +Permalink + +
    + +
    +
    + + + release-win11-… + + + + +
    +
    +
    + Switch branches/tags + +
    + + + +
    + +
    + +
    + + +
    + +
    + + + + + + + + + + + + + + + +
    + + +     +     +
    +
    + +
    + +
    + +

    + windows-docs-pr/education/windows/images/icons/group-policy.svg +

    + Go to file + +
    + + + + +
      +
    • + + Go to file + +
      • +
    • +
      • +
    • +
    • + + + Copy path + +
      • +
    • + + + + Copy permalink + + +
      • +
    +
    +
    + + + + + + + + + +
    + +
    +
    +
     
    +
    + +
    +
     
    + Cannot retrieve contributors at this time +
    +
    + + + + + + + + + + + + + +
    + +
    + + +
    + + + 3 lines (3 sloc) + + 1.14 KB +
    + +
    +
    + + +
    + + +
    + Raw + Blame +
    + +
    + +
    +
    +
    +
    + +
    +
    +
    +
    +
    + +
    Open in github.dev
    +
    .
    +     + + Open in GitHub Desktop +
    +
    +
    +
    +
    + + + +
    + + + + + + + + + +
    + + +
    + +
    +
    + +
    +
    + + + + + +
    +
    +
    + + + +
    + +
    +
    + +
    Sorry, something went wrong. Reload?
    +
    Sorry, we cannot display this file.
    +
    Sorry, this file is invalid so it cannot be displayed.
    + +
    +
    + +
    + +
    + + + + +
    + + +
    + + +
     +
    + + +
    + +
    + + +
    + +     + + +
    +
    + +
    + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/identity-protection/hello-for-business/images/icons/intune.svg b/windows/security/identity-protection/hello-for-business/images/icons/intune.svg new file mode 100644 index 0000000000..151f5859ff --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/images/icons/intune.svg @@ -0,0 +1,2953 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + windows-docs-pr/intune.svg at release-win11-22h2 · MicrosoftDocs/windows-docs-pr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + Skip to content + + + + + + + + + + + + + + +
    + +
    + + + + + + + +
    + + + + + +
    + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + +
    + +
    + + + + MicrosoftDocs  /   + windows-docs-pr  /   + +
    +
    + + + +
    + + +
    +
    + Clear Command Palette +
    +     + + + +
    +
    + Tip: + Type # to search pull requests +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type # to search issues +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type # to search discussions +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type ! to search projects +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type @ to search teams +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type @ to search people and organizations +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type > to activate command mode +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Go to your accessibility settings to change your keyboard shortcuts +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type author:@me to search your content +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type is:pr to filter to pull requests +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type is:issue to filter to issues +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type is:project to filter to projects +
    +
    + Type ? for help and tips +
    +
    +     + +
    +
    + Tip: + Type is:open to filter to open content +
    +
    + Type ? for help and tips +
    +
    +     + +
    + +
    +
    + We’ve encountered an error and some results aren't available at this time. Type a new search or try again later. +
    +     + + No results matched your search + + + + + + + + + + +     + + + + + Search for issues and pull requests + + # + + + + Search for issues, pull requests, discussions, and projects + + # + + + + Search for organizations, repositories, and users + + @ + + + + Search for projects + + ! + + + + Search for files + + / + + + + Activate command mode + + > + + + + Search your issues, pull requests, and discussions + + # author:@me + + + + Search your issues, pull requests, and discussions + + # author:@me + + + + Filter to pull requests + + # is:pr + + + + Filter to issues + + # is:issue + + + + Filter to discussions + + # is:discussion + + + + Filter to projects + + # is:project + + + + Filter to open issues, pull requests, and discussions + + # is:open + + + + + + + + + + + + + + + + +     +     +
    + +
    + + + + + + + + + + +
    + + +
    +
    +
    + + + + + + + + + + + + +
    + +
    + +
    +
    + + + + / + + windows-docs-pr + + + Private +
    + +
    + +
      + + + +
    • + +
      + + + + + + + Watch + + + 37 + + + +
      +
      +

      Notifications

      + +
      + +
      +
      + + + + + + + + +
      + + +
      +
      +       + + + + +
      +
      +       + + + +
      • + +
    • + +
      + Fork + 173 + +
      + + + +
      + +
      +
      + + + + + + + +
      + +
      +
      +       +
      +
      • + +
    • + + +
      +
      + + +
      +
      + +
      + + + +
      + +
      +
      + + + + + + + +
      + +
      +
      +       +
      +
      +
      • + + + +
    + +
    + +
    +
    + + + + +
    + + + + + +
    + Open in github.dev + Open in a new github.dev tab + + + + + + +
    + + +
    + + + + + + + + +Permalink + +
    + +
    +
    + + + release-win11-… + + + + +
    +
    +
    + Switch branches/tags + +
    + + + +
    + +
    + +
    + + +
    + +
    + + + + + + + + + + + + + + + +
    + + +     +     +
    +
    + +
    + +
    + +

    + windows-docs-pr/education/windows/images/icons/intune.svg +

    + Go to file + +
    + + + + +
      +
    • + + Go to file + +
      • +
    • +
      • +
    • +
    • + + + Copy path + +
      • +
    • + + + + Copy permalink + + +
      • +
    +
    +
    + + + + + + + + + +
    + +
    +
    + + @paolomatarazzo + +
    +
    + paolomatarazzo + + + Minor updates + +
    + + + + + +
    +
    + + Latest commit + 2db6549 + Sep 17, 2022 + + + + + + History + + +
    +
    + +
    + +
    +
    + + + 1 + + contributor + + +
    + +

    + Users who have contributed to this file +

    +
    + + + + + + +     +
    +
    +
    + + + + + + + + + + + + + +
    + +
    + + +
    + + + 24 lines (24 sloc) + + 1.8 KB +
    + +
    +
    + + +
    + + +
    + Raw + Blame +
    + +
    + +
    +
    +
    +
    + +
    +
    +
    +
    +
    + +
    Open in github.dev
    +
    .
    +     + + Open in GitHub Desktop +
    +
    +
    +
    +
    + + + +
    + + + + + + + + + +
    + + +
    + +
    +
    + +
    +
    + + + + + +
    +
    +
    + + + +
    + +
    +
    + +
    Sorry, something went wrong. Reload?
    +
    Sorry, we cannot display this file.
    +
    Sorry, this file is invalid so it cannot be displayed.
    + +
    +
    + +
    + +
    + + + + +
    + + +
    + + +
     +
    + + +
    + +
    + + +
    + +     + + +
    +
    + +
    + + + + + + + + + + + + + + + + + + + + + + From 095c19068b15f0e6bda458f3b6dbe21f3bb9bbd4 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Sep 2022 10:56:47 -0400 Subject: [PATCH 07/10] updates --- images/icons/accessibility.svg | 3 + images/icons/group-policy.svg | 3 + images/icons/intune.svg | 24 + images/icons/powershell.svg | 20 + images/icons/provisioning-package.svg | 3 + images/icons/registry.svg | 22 + images/icons/windows-os.svg | 3 + .../hello-hybrid-cloud-kerberos-trust.md | 4 +- .../images/icons/group-policy.svg | 2890 ---------------- .../images/icons/intune.svg | 2953 ----------------- 10 files changed, 80 insertions(+), 5845 deletions(-) create mode 100644 images/icons/accessibility.svg create mode 100644 images/icons/group-policy.svg create mode 100644 images/icons/intune.svg create mode 100644 images/icons/powershell.svg create mode 100644 images/icons/provisioning-package.svg create mode 100644 images/icons/registry.svg create mode 100644 images/icons/windows-os.svg delete mode 100644 windows/security/identity-protection/hello-for-business/images/icons/group-policy.svg delete mode 100644 windows/security/identity-protection/hello-for-business/images/icons/intune.svg diff --git a/images/icons/accessibility.svg b/images/icons/accessibility.svg new file mode 100644 index 0000000000..21a6b4f235 --- /dev/null +++ b/images/icons/accessibility.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/images/icons/group-policy.svg b/images/icons/group-policy.svg new file mode 100644 index 0000000000..ace95add6b --- /dev/null +++ b/images/icons/group-policy.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/images/icons/intune.svg b/images/icons/intune.svg new file mode 100644 index 0000000000..6e0d938aed --- /dev/null +++ b/images/icons/intune.svg @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + Icon-intune-329 + + + + + + + + \ No newline at end of file diff --git a/images/icons/powershell.svg b/images/icons/powershell.svg new file mode 100644 index 0000000000..ab2d5152ca --- /dev/null +++ b/images/icons/powershell.svg @@ -0,0 +1,20 @@ + + + + + + + + + + MsPortalFx.base.images-10 + + + + + + + + + + \ No newline at end of file diff --git a/images/icons/provisioning-package.svg b/images/icons/provisioning-package.svg new file mode 100644 index 0000000000..dbbad7d780 --- /dev/null +++ b/images/icons/provisioning-package.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/images/icons/registry.svg b/images/icons/registry.svg new file mode 100644 index 0000000000..06ab4c09d7 --- /dev/null +++ b/images/icons/registry.svg @@ -0,0 +1,22 @@ + + + + + + + + + + + + + + + + + + + Icon-general-18 + + + \ No newline at end of file diff --git a/images/icons/windows-os.svg b/images/icons/windows-os.svg new file mode 100644 index 0000000000..da64baf975 --- /dev/null +++ b/images/icons/windows-os.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 25762260c9..b8c20ad0f1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -87,7 +87,7 @@ If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enabl After setting up the Azure AD Kerberos Object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). -#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) +#### [:::image type="icon" source="../../../../images/icons/intune.svg"::: **Intune**](#tab/intune) Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices. @@ -160,7 +160,7 @@ To configure the cloud Kerberos trust policy, follow the steps below: > [!Important] > If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled. -#### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo) +#### [:::image type="icon" source="../../../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business. diff --git a/windows/security/identity-protection/hello-for-business/images/icons/group-policy.svg b/windows/security/identity-protection/hello-for-business/images/icons/group-policy.svg deleted file mode 100644 index 9fad2d6c4a..0000000000 --- a/windows/security/identity-protection/hello-for-business/images/icons/group-policy.svg +++ /dev/null @@ -1,2890 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - windows-docs-pr/group-policy.svg at release-win11-22h2 · MicrosoftDocs/windows-docs-pr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    - Skip to content - - - - - - - - - - - - - - -
    - -
    - - - - - - - -
    - - - - - -
    - - - - - - - - - - -
    - - - - - - - - - - - - - - - - - - -
    - -
    - - - - MicrosoftDocs  /   - windows-docs-pr  /   - -
    -
    - - - -
    - - -
    -
    - Clear Command Palette -
    -     - - - -
    -
    - Tip: - Type # to search pull requests -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type # to search issues -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type # to search discussions -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type ! to search projects -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type @ to search teams -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type @ to search people and organizations -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type > to activate command mode -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Go to your accessibility settings to change your keyboard shortcuts -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type author:@me to search your content -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type is:pr to filter to pull requests -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type is:issue to filter to issues -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type is:project to filter to projects -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type is:open to filter to open content -
    -
    - Type ? for help and tips -
    -
    -     - -
    - -
    -
    - We’ve encountered an error and some results aren't available at this time. Type a new search or try again later. -
    -     - - No results matched your search - - - - - - - - - - -     - - - - - Search for issues and pull requests - - # - - - - Search for issues, pull requests, discussions, and projects - - # - - - - Search for organizations, repositories, and users - - @ - - - - Search for projects - - ! - - - - Search for files - - / - - - - Activate command mode - - > - - - - Search your issues, pull requests, and discussions - - # author:@me - - - - Search your issues, pull requests, and discussions - - # author:@me - - - - Filter to pull requests - - # is:pr - - - - Filter to issues - - # is:issue - - - - Filter to discussions - - # is:discussion - - - - Filter to projects - - # is:project - - - - Filter to open issues, pull requests, and discussions - - # is:open - - - - - - - - - - - - - - - - -     -     -
    - -
    - - - - - - - - - - -
    - - -
    -
    -
    - - - - - - - - - - - - -
    - -
    - -
    -
    - - - - / - - windows-docs-pr - - - Private -
    - -
    - -
      - - - -
    • - -
      - - - - - - - Watch - - - 37 - - - -
      -
      -

      Notifications

      - -
      - -
      -
      - - - - - - - - -
      - - -
      -
      -       - - - - -
      -
      -       - - - -
      • - -
    • - -
      - Fork - 173 - -
      - - - -
      - -
      -
      - - - - - - - -
      - -
      -
      -       -
      -
      • - -
    • - - -
      -
      - - -
      -
      - -
      - - - -
      - -
      -
      - - - - - - - -
      - -
      -
      -       -
      -
      -
      • - - - -
    - -
    - -
    -
    - - - - -
    - - - - - -
    - Open in github.dev - Open in a new github.dev tab - - - - - - -
    - - -
    - - - - - - - - -Permalink - -
    - -
    -
    - - - release-win11-… - - - - -
    -
    -
    - Switch branches/tags - -
    - - - -
    - -
    - -
    - - -
    - -
    - - - - - - - - - - - - - - - -
    - - -     -     -
    -
    - -
    - -
    - -

    - windows-docs-pr/education/windows/images/icons/group-policy.svg -

    - Go to file - -
    - - - - -
      -
    • - - Go to file - -
      • -
    • -
      • -
    • -
    • - - - Copy path - -
      • -
    • - - - - Copy permalink - - -
      • -
    -
    -
    - - - - - - - - - -
    - -
    -
    -
     
    -
    - -
    -
     
    - Cannot retrieve contributors at this time -
    -
    - - - - - - - - - - - - - -
    - -
    - - -
    - - - 3 lines (3 sloc) - - 1.14 KB -
    - -
    -
    - - -
    - - -
    - Raw - Blame -
    - -
    - -
    -
    -
    -
    - -
    -
    -
    -
    -
    - -
    Open in github.dev
    -
    .
    -     - - Open in GitHub Desktop -
    -
    -
    -
    -
    - - - -
    - - - - - - - - - -
    - - -
    - -
    -
    - -
    -
    - - - - - -
    -
    -
    - - - -
    - -
    -
    - -
    Sorry, something went wrong. Reload?
    -
    Sorry, we cannot display this file.
    -
    Sorry, this file is invalid so it cannot be displayed.
    - -
    -
    - -
    - -
    - - - - -
    - - -
    - - -
     -
    - - -
    - -
    - - -
    - -     - - -
    -
    - -
    - - - - - - - - - - - - - - - - - - - - - - diff --git a/windows/security/identity-protection/hello-for-business/images/icons/intune.svg b/windows/security/identity-protection/hello-for-business/images/icons/intune.svg deleted file mode 100644 index 151f5859ff..0000000000 --- a/windows/security/identity-protection/hello-for-business/images/icons/intune.svg +++ /dev/null @@ -1,2953 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - windows-docs-pr/intune.svg at release-win11-22h2 · MicrosoftDocs/windows-docs-pr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    - Skip to content - - - - - - - - - - - - - - -
    - -
    - - - - - - - -
    - - - - - -
    - - - - - - - - - - -
    - - - - - - - - - - - - - - - - - - -
    - -
    - - - - MicrosoftDocs  /   - windows-docs-pr  /   - -
    -
    - - - -
    - - -
    -
    - Clear Command Palette -
    -     - - - -
    -
    - Tip: - Type # to search pull requests -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type # to search issues -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type # to search discussions -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type ! to search projects -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type @ to search teams -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type @ to search people and organizations -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type > to activate command mode -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Go to your accessibility settings to change your keyboard shortcuts -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type author:@me to search your content -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type is:pr to filter to pull requests -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type is:issue to filter to issues -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type is:project to filter to projects -
    -
    - Type ? for help and tips -
    -
    -     - -
    -
    - Tip: - Type is:open to filter to open content -
    -
    - Type ? for help and tips -
    -
    -     - -
    - -
    -
    - We’ve encountered an error and some results aren't available at this time. Type a new search or try again later. -
    -     - - No results matched your search - - - - - - - - - - -     - - - - - Search for issues and pull requests - - # - - - - Search for issues, pull requests, discussions, and projects - - # - - - - Search for organizations, repositories, and users - - @ - - - - Search for projects - - ! - - - - Search for files - - / - - - - Activate command mode - - > - - - - Search your issues, pull requests, and discussions - - # author:@me - - - - Search your issues, pull requests, and discussions - - # author:@me - - - - Filter to pull requests - - # is:pr - - - - Filter to issues - - # is:issue - - - - Filter to discussions - - # is:discussion - - - - Filter to projects - - # is:project - - - - Filter to open issues, pull requests, and discussions - - # is:open - - - - - - - - - - - - - - - - -     -     -
    - -
    - - - - - - - - - - -
    - - -
    -
    -
    - - - - - - - - - - - - -
    - -
    - -
    -
    - - - - / - - windows-docs-pr - - - Private -
    - -
    - -
      - - - -
    • - -
      - - - - - - - Watch - - - 37 - - - -
      -
      -

      Notifications

      - -
      - -
      -
      - - - - - - - - -
      - - -
      -
      -       - - - - -
      -
      -       - - - -
      • - -
    • - -
      - Fork - 173 - -
      - - - -
      - -
      -
      - - - - - - - -
      - -
      -
      -       -
      -
      • - -
    • - - -
      -
      - - -
      -
      - -
      - - - -
      - -
      -
      - - - - - - - -
      - -
      -
      -       -
      -
      -
      • - - - -
    - -
    - -
    -
    - - - - -
    - - - - - -
    - Open in github.dev - Open in a new github.dev tab - - - - - - -
    - - -
    - - - - - - - - -Permalink - -
    - -
    -
    - - - release-win11-… - - - - -
    -
    -
    - Switch branches/tags - -
    - - - -
    - -
    - -
    - - -
    - -
    - - - - - - - - - - - - - - - -
    - - -     -     -
    -
    - -
    - -
    - -

    - windows-docs-pr/education/windows/images/icons/intune.svg -

    - Go to file - -
    - - - - -
      -
    • - - Go to file - -
      • -
    • -
      • -
    • -
    • - - - Copy path - -
      • -
    • - - - - Copy permalink - - -
      • -
    -
    -
    - - - - - - - - - -
    - -
    -
    - - @paolomatarazzo - -
    -
    - paolomatarazzo - - - Minor updates - -
    - - - - - -
    -
    - - Latest commit - 2db6549 - Sep 17, 2022 - - - - - - History - - -
    -
    - -
    - -
    -
    - - - 1 - - contributor - - -
    - -

    - Users who have contributed to this file -

    -
    - - - - - - -     -
    -
    -
    - - - - - - - - - - - - - -
    - -
    - - -
    - - - 24 lines (24 sloc) - - 1.8 KB -
    - -
    -
    - - -
    - - -
    - Raw - Blame -
    - -
    - -
    -
    -
    -
    - -
    -
    -
    -
    -
    - -
    Open in github.dev
    -
    .
    -     - - Open in GitHub Desktop -
    -
    -
    -
    -
    - - - -
    - - - - - - - - - -
    - - -
    - -
    -
    - -
    -
    - - - - - -
    -
    -
    - - - -
    - -
    -
    - -
    Sorry, something went wrong. Reload?
    -
    Sorry, we cannot display this file.
    -
    Sorry, this file is invalid so it cannot be displayed.
    - -
    -
    - -
    - -
    - - - - -
    - - -
    - - -
     -
    - - -
    - -
    - - -
    - -     - - -
    -
    - -
    - - - - - - - - - - - - - - - - - - - - - - From 544f7a4d82ee642db53590420d7ffdc1ca8b97e3 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Sep 2022 11:45:09 -0400 Subject: [PATCH 08/10] updates --- .../hello-hybrid-cloud-kerberos-trust.md | 34 +++++++++---------- .../security/images}/icons/accessibility.svg | 0 .../security/images}/icons/group-policy.svg | 0 .../security/images}/icons/intune.svg | 0 .../security/images}/icons/powershell.svg | 0 .../images}/icons/provisioning-package.svg | 0 .../security/images}/icons/registry.svg | 0 .../security/images}/icons/windows-os.svg | 0 8 files changed, 17 insertions(+), 17 deletions(-) rename {images => windows/security/images}/icons/accessibility.svg (100%) rename {images => windows/security/images}/icons/group-policy.svg (100%) rename {images => windows/security/images}/icons/intune.svg (100%) rename {images => windows/security/images}/icons/powershell.svg (100%) rename {images => windows/security/images}/icons/provisioning-package.svg (100%) rename {images => windows/security/images}/icons/registry.svg (100%) rename {images => windows/security/images}/icons/windows-os.svg (100%) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index b8c20ad0f1..c20f96039f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -87,7 +87,7 @@ If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enabl After setting up the Azure AD Kerberos Object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). -#### [:::image type="icon" source="../../../../images/icons/intune.svg"::: **Intune**](#tab/intune) +#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices. @@ -97,15 +97,15 @@ The cloud Kerberos trust policy needs to be configured using a custom template a If you have an existing group you want to target with Windows Hello for Business cloud Kerberos trust policy, you can skip this step. -1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). -1. Browse to **Groups** and select **New group**. +1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/) +1. Browse to **Groups** and select **New group** 1. Configure the following group settings: - 1. Group type: "Security" - 1. Group name: "WHFBCloudTrustUsers" or a group name of your choosing - 1. Membership type: Assigned -1. Select **Members** and add users that you want to target with Windows Hello for Business cloud Kerberos trust. + 1. Group type: **Security** + 1. Group name: *WHFB cloud Kerberos trust users* or a group name of your choosing + 1. Membership type: **Assigned** +1. Select **Members** and add users that you want to target with Windows Hello for Business cloud Kerberos trust -You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center. +You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center ### Enable Windows Hello for Business @@ -125,7 +125,7 @@ You can also follow these steps to create a device configuration policy instead 1. Select Next to move to **Assignments**. 1. Under Included groups, select **Add groups**. -1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be WHFBCloudTrustUsers or a group of your choosing. +1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be *WHFB cloud Kerberos trust users* or a group of your choosing. 1. Select Next to move to the Applicability Rules. 1. Select Next again to move to the **Review + create** tab and select the option to create the policy. @@ -142,25 +142,25 @@ To configure the cloud Kerberos trust policy, follow the steps below: 1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust". 1. In Configuration Settings, add a new configuration with the following settings: -| Setting | -|--------| -|
  • Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
  • Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
  • OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`**`/Policies/UseCloudTrustForOnPremAuth`**
  • Data type: **Boolean**
  • Value: **True**
    • | + | Setting | + |--------| + |
  • Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
  • Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
  • OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`**`/Policies/UseCloudTrustForOnPremAuth`**
  • Data type: **Boolean**
  • Value: **True**
    • | ->[!IMPORTANT] ->*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID. + >[!IMPORTANT] + >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID. - [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox) + [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox) 1. Select Next to navigate to **Assignments**. 1. Under Included groups, select **Add groups**. -1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be WHFBCloudTrustUsers or a group of your choosing. +1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be *WHFB cloud Kerberos trust users* or a group of your choosing. 1. Select Next to move to the Applicability Rules. 1. Select Next again to move to the **Review + create** tab and select the option to create the policy. > [!Important] > If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled. -#### [:::image type="icon" source="../../../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) +#### [:::image type="icon" source="=../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business. diff --git a/images/icons/accessibility.svg b/windows/security/images/icons/accessibility.svg similarity index 100% rename from images/icons/accessibility.svg rename to windows/security/images/icons/accessibility.svg diff --git a/images/icons/group-policy.svg b/windows/security/images/icons/group-policy.svg similarity index 100% rename from images/icons/group-policy.svg rename to windows/security/images/icons/group-policy.svg diff --git a/images/icons/intune.svg b/windows/security/images/icons/intune.svg similarity index 100% rename from images/icons/intune.svg rename to windows/security/images/icons/intune.svg diff --git a/images/icons/powershell.svg b/windows/security/images/icons/powershell.svg similarity index 100% rename from images/icons/powershell.svg rename to windows/security/images/icons/powershell.svg diff --git a/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg similarity index 100% rename from images/icons/provisioning-package.svg rename to windows/security/images/icons/provisioning-package.svg diff --git a/images/icons/registry.svg b/windows/security/images/icons/registry.svg similarity index 100% rename from images/icons/registry.svg rename to windows/security/images/icons/registry.svg diff --git a/images/icons/windows-os.svg b/windows/security/images/icons/windows-os.svg similarity index 100% rename from images/icons/windows-os.svg rename to windows/security/images/icons/windows-os.svg From 9c9ad8f5164aa7ab56125d0bf214633842e395c9 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Sep 2022 11:55:23 -0400 Subject: [PATCH 09/10] updates --- .../hello-hybrid-cloud-kerberos-trust.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index c20f96039f..1aa59a7b89 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -141,16 +141,16 @@ To configure the cloud Kerberos trust policy, follow the steps below: 1. For Profile Type, select **Templates** and select the **Custom** Template. 1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust". 1. In Configuration Settings, add a new configuration with the following settings: - - | Setting | - |--------| - |
  • Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
  • Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
  • OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`**`/Policies/UseCloudTrustForOnPremAuth`**
  • Data type: **Boolean**
  • Value: **True**
    • | - - >[!IMPORTANT] - >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID. - - [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox) - + + | Setting | + |--------| + |
  • Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
  • Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
  • OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\*`/Policies/UseCloudTrustForOnPremAuth`**
  • Data type: **Boolean**
  • Value: **True**
    • | + + >[!IMPORTANT] + >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID. + + [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox) + 1. Select Next to navigate to **Assignments**. 1. Under Included groups, select **Add groups**. 1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be *WHFB cloud Kerberos trust users* or a group of your choosing. @@ -160,7 +160,7 @@ To configure the cloud Kerberos trust policy, follow the steps below: > [!Important] > If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled. -#### [:::image type="icon" source="=../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) +#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business. From 6c5fa4336d681aaf2619285a9d3129171e1626ed Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Sep 2022 12:11:54 -0400 Subject: [PATCH 10/10] updates --- .../hello-for-business/hello-hybrid-cloud-kerberos-trust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 1aa59a7b89..da2c3ed436 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -144,7 +144,7 @@ To configure the cloud Kerberos trust policy, follow the steps below: | Setting | |--------| - |
  • Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
  • Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
  • OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\*`/Policies/UseCloudTrustForOnPremAuth`**
  • Data type: **Boolean**
  • Value: **True**
    • | + |
    • Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
    • Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
    • OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\*`/Policies/UseCloudTrustForOnPremAuth`**
    • Data type: **Boolean**
    • Value: **True**
    | >[!IMPORTANT] >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID.