mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-26 07:43:36 +00:00
Merge pull request #1526 from MicrosoftDocs/repo_sync_working_branch
Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
@ -30,7 +30,8 @@ Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Su
|
||||
|
||||
When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
|
||||
|
||||
>**Note:** The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**.
|
||||
> [!Note]
|
||||
> The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**.
|
||||
|
||||
This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later.
|
||||
|
||||
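Review bot: The note text carried into the new `> [!Note]` block, "The ability to link online IDs can be performed by anyone with an account that has standard user's credentials", is passive and hard to parse. Since the line is being rewritten for the alert syntax anyway, consider "Anyone with a standard user account can link online IDs through **Credential Manager**." The unchanged paragraph right after it has the same problem: "This would disallow the online identities to be able to authenticate" leaves the reader to work out what "not configured" means in practice, so a plain statement of the effective default on domain-joined devices would be worth folding into this change.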
@ -40,6 +41,9 @@ This policy is not configured by default on domain-joined devices. This would di
|
||||
|
||||
This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
|
||||
|
||||
> [!Note]
|
||||
> KU2U is disabled by default on Windows Server. Remote desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device, or Hybrid Azure AD-joined domain member Windows 10 device, fails. To resolve this, enable PKU2U on the Server.
|
||||
|
||||
- **Disabled**
|
||||
|
||||
This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
|
||||
|
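Review bot: The first sentence of the added note reads "KU2U is disabled by default on Windows Server"; the leading "P" is missing and it should be "PKU2U", matching the last sentence of the same note. In the second sentence the subject is "Remote desktop connections", so "fails" should be "fail". The closing instruction "enable PKU2U on the Server" would be clearer if it said that this is done through this policy setting and which of the values listed here to choose, since the note sits directly above the **Disabled** entry.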
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Network security Configure encryption types allowed for Kerberos Win7 only (Windows 10)
|
||||
title: Network security Configure encryption types allowed for Kerberos
|
||||
description: Describes the best practices, location, values and security considerations for the Network security Configure encryption types allowed for Kerberos Win7 only security policy setting.
|
||||
ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece
|
||||
ms.reviewer:
|
||||
|
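Review bot: The title drops "Win7 only (Windows 10)", but the `description:` line directly below it still reads "Network security Configure encryption types allowed for Kerberos Win7 only security policy setting". Update the description in the same change so the two metadata fields agree; otherwise search results and page previews will keep showing the old "Win7 only" wording.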