mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 19:03:46 +00:00
fix bad links
This commit is contained in:
jdeckerMS
@ -19,7 +19,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
|
||||
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Updated to include info about USB drives and Azure RMS (Windows Insider Program only) and to add more info about Work Folders and Offline files. |
|
||||
|[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New |
|
||||
|[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New |
|
||||
| Microsoft Passport guide | Content merged into [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) topics |
|
||||
| Microsoft Passport guide | Content merged into [MWindows Hello for Business](hello-identity-verification.md) topics |
|
||||
|
||||
## December 2016
|
||||
|New or changed topic |Description |
|
||||
|
||||
@ -21,7 +21,7 @@ To use Windows Hello to sign in with an identity provider (IDP), a user needs a
|
||||
A goal of Windows Hello is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration.
|
||||
|
||||
> [!NOTE]
|
||||
>This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure Active Directory (Azure AD); that configuration information is in [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md). Organizational configuration must be completed before users can begin to register.
|
||||
>This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure Active Directory (Azure AD); that configuration information is in [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md). Organizational configuration must be completed before users can begin to register.
|
||||
|
||||
The registration process works like this:
|
||||
|
||||
|
||||
@ -28,7 +28,7 @@ You can create a Group Policy or mobile device management (MDM) policy that will
|
||||
|
||||
## Group Policy settings for Windows Hello for Business
|
||||
|
||||
The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
|
||||
The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
|
||||
|
||||
|
||||
<table>
|
||||
@ -363,48 +363,7 @@ Configuration Manager and MDM provide the ability to manage Windows Hello for Bu
|
||||
Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts.
|
||||
|
||||
|
||||
## Approaches for a Windows Hello for Business deployment
|
||||
|
||||
Different organizations will necessarily take different approaches to the deployment of Windows Hello depending on their capabilities and needs, but there is only one strategy: deploy Windows Hello for Business throughout the organization to get maximum protection for the maximum number of devices and resources. Organizations can take one of three basic routes to accomplish that strategy:
|
||||
|
||||
- Deploy Windows Hello for Business everywhere according to whatever device or user deployment strategy works best for the organization.
|
||||
- Deploy Windows Hello for Business first to high-value or high-risk targets, by using conditional access policies to restrict access to key resources only to users who hold strong authentication credentials.
|
||||
- Blend Windows Hello for Business into an existing multi-factor environment, using it as an additional form of strong authentication alongside physical or virtual smart cards.
|
||||
|
||||
### Deploy Windows Hello for Business everywhere
|
||||
|
||||
In this approach, you deploy Windows Hello throughout the organization in a coordinated rollout. In some ways, this method is similar to any other desktop deployment project; the only real difference is that you must already have the Windows Hello infrastructure in place to support device registration before you can start using Windows Hello on Windows 10 devices.
|
||||
|
||||
You can still upgrade to Windows 10 or add new Windows 10 devices without changing your infrastructure. You just can’t use Windows Hello for Business on a device until the device joins Azure AD and receives the appropriate policy. The major benefit of this approach is that it provides uniform protection for all parts of the organization. Sophisticated attackers have shown a great deal of skill in breaching large organizations by identifying weak points in their security, including users and systems that don’t have high-value information but that can be exploited to get it. Applying consistent protection across every device that an attacker could use to access enterprise data is excellent protection against these types of attacks.
|
||||
|
||||
The downside to this approach is its complexity. Smaller organizations may find that managing the rollout of a new operating system across all devices is beyond the scope of their experience and capability. For these organizations, users can self-upgrade, and new users may end up with Windows 10 because they get new devices when they join. Larger organizations, especially those that are highly decentralized or have operations across many physical sites, may have more deployment knowledge and resources but face the challenge of coordinating rollout efforts across a larger user base and footprint.
|
||||
|
||||
For more information about desktop deployment of Windows 10, visit the [Windows 10 TechCenter](https://technet.microsoft.com/windows/mt240567).
|
||||
|
||||
One key aspect of this deployment strategy is how to get Windows 10 in users’ hands. Because different organizations have wildly differing strategies to refresh hardware and software, there’s no one-size-fits-all strategy. For example, some organizations pursue a coordinated strategy that puts new desktop operating systems in users’ hands every 2–3 years on existing hardware, supplementing with new hardware only where and when required. Others tend to replace hardware and deploy whatever version of the Windows client operating system ships on the purchased devices. In both cases, there are typically separate deployment cycles for servers and server operating systems, and the desktop and server cycles may or may not be coordinated.
|
||||
|
||||
In addition to the issue of Windows 10 deployment to users, you must consider how and when (or if!) you’ll deploy biometric devices to users. Because Windows Hello can take advantage of multiple biometric identifiers, you have a flexible range of device options, which includes the purchase of new devices that incorporate your selected biometric, seeding select users with appropriate devices, rollout of biometric devices as part of a scheduled hardware refresh and using PIN gestures until users get devices, or relying on remote unlock as a second authentication factor.
|
||||
|
||||
### Deploy to high-value or high-risk targets
|
||||
|
||||
This strategy takes into account the fact that in most networks, not every asset is equally protected or equally valuable. There are two ways to think about this. One is that you can focus on protecting the users and services that are most at risk of compromise because of their value. Examples include sensitive internal databases or the user accounts of your key executives. The other option is that you can focus on areas of your network that are the most vulnerable, such as users who travel frequently (and thus run a higher risk of lost or stolen devices or drive-by credential theft). Either way, the strategy is the same: selectively and quickly deploy Windows Hello to protect specific people and resources. For example, you might issue new Windows 10 devices with biometric sensors to all users who need access to a sensitive internal database, and then deploy the minimum required infrastructure to support Windows Hello–secured access to that database for those users.
|
||||
One of the key design capabilities of Windows Hello for Business is that it supports Bring Your Own Device (BYOD) environments by allowing users to register their own devices with the organizational IDP (whether on premises, hybrid, or Azure AD). You may be able to take advantage of this capability to quickly deploy Windows Hello to protect your most vulnerable users or assets, ideally by using biometrics as an additional safety measure for the most valuable potential targets.
|
||||
|
||||
### Blend Windows Hello with your infrastructure
|
||||
|
||||
Organizations that have already invested in smart cards, virtual smart cards, or token-based systems can still benefit from Windows Hello. Of those organizations, many use physical tokens and smart cards to protect only critical assets because of the expense and complexity of their deployment. Windows Hello offers a valuable complement to these systems because it protects users who currently rely on reusable credentials; protection of all users’ credentials is an important step toward blunting attacks that seek to leverage compromise of any credential into a widespread breach. This approach also gives you a great deal of flexibility in scheduling and deployment. Some enterprises have deployed multi-use smart cards that provide building-access control, access to copiers or other office equipment, stored value for lunchroom purchases, remote network access, and other services. Deployment of Windows Hello in such environments doesn’t prevent you from continuing to use smart cards for these services. You can leave the existing smart card infrastructure in place for its existing use cases, and then register desktop and mobile devices in Windows Hello and use Windows Hello to secure access to network and Internet resources. This approach requires a more complicated infrastructure and a greater degree of organizational maturity because it requires you to link your existing PKI with an enrollment service and Windows Hello itself.
|
||||
|
||||
Smart cards can act as a useful complement to Windows Hello in another important way: to bootstrap the initial logon for Windows Hello registration. When a user registers with Windows Hello on a device, part of that registration process requires a conventional logon. Rather than using a traditional password, organizations that have previously deployed the necessary infrastructure for smart cards or virtual smart cards can allow their users to register new devices by logging on with a smart card or virtual smart card. After the user has proved his or her identity to the organizational IDP with the smart card, the user can set up a PIN and proceed to use Windows Hello for future logons.
|
||||
|
||||
### Choose a rollout method
|
||||
|
||||
Which rollout method you choose depends on several factors:
|
||||
|
||||
- **How many devices you need to deploy**. This number has a huge influence on your overall deployment. A global rollout for 75,000 users has different requirements than a phased rollout for groups of 200–300 users in different cities.
|
||||
- **How quickly you want to deploy Windows Hello for Business protection**. This is a classic cost–benefit tradeoff. You have to balance the security benefits of Windows Hello for Business against the cost and time required to deploy it broadly, and different organizations may make entirely different decisions depending on how they rate the costs and benefits involved. Getting the broadest possible Windows Hello coverage in the shortest time possible maximizes security benefits.
|
||||
- **The type of devices you want to deploy**. Windows device manufacturers are aggressively introducing new devices optimized for Windows 10, leading to the possibility that you might deploy Windows Hello first on newly purchased tablets and portable devices, and then deploy it on the desktop as part of your normal refresh cycle.
|
||||
-** What your current infrastructure looks like**. The individual version of Windows Hello doesn’t require changes to your Active Directory environment, but to support Windows Hello for Business, you may need a compatible MDM system. Depending on the size and composition of your network, mobile enrollment and management services deployment may be a major project in its own right.
|
||||
- **Your plans for the cloud**. If you’re already planning a move to the cloud, Azure AD eases the process of Windows Hello for Business deployment, because you can use Azure AD as an IDP alongside your existing on-premises AD DS setup without making significant changes to your on-premises environment. Future versions of Windows Hello for Business will support the ability to simultaneously register devices that are already members of an on-premises AD DS domain in an Azure AD partition so that they use Windows Hello for Business from the cloud. Hybrid deployments that combine AD DS with Azure AD give you the ability to keep machine authentication and policy management against your local AD DS domain while providing the full set of Windows Hello for Business services (and Microsoft Office 365 integration) for your users. If you plan to use on-premises AD DS only, then the design and configuration of your on-premises environment will dictate what kind of changes you may need to make.
|
||||
|
||||
## How to use Windows Hello for Business with Azure Active Directory
|
||||
|
||||
@ -414,7 +373,7 @@ There are three scenarios for using Windows Hello for Business in Azure AD–onl
|
||||
- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered.
|
||||
- **Organizations that have subscribed to Azure AD Premium** have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device.
|
||||
|
||||
If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager Technical Preview, Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates. Set Microsoft Passport policies
|
||||
If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager Technical Preview, Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -16,115 +16,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
|
||||
|
||||
>[!NOTE]
|
||||
> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
|
||||
|
||||
Hello addresses the following problems with passwords:
|
||||
- Passwords can be difficult to remember, and users often reuse passwords on multiple sites.
|
||||
- Server breaches can expose symmetric network credentials.
|
||||
- Passwords can be subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
|
||||
- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674).
|
||||
|
||||
Hello lets users authenticate to:
|
||||
- a Microsoft account.
|
||||
- an Active Directory account.
|
||||
- a Microsoft Azure Active Directory (Azure AD) account.
|
||||
- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication
|
||||
|
||||
After an initial two-step verification of the user during enrollment, Hello is set up on the user's device and the user is asked to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Hello to authenticate users and help them to access protected resources and services.
|
||||
|
||||
As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization.
|
||||
|
||||
## Biometric sign-in
|
||||
|
||||
Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras, and fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials.
|
||||
|
||||
- **Facial recognition**. This type uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well.
|
||||
- **Fingerprint recognition**. This type uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10.
|
||||
|
||||
Biometric data used to implement Windows Hello is stored securely on the local device only. It doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data.
|
||||
|
||||
|
||||
## The difference between Windows Hello and Windows Hello for Business
|
||||
|
||||
- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by certificate-based authentication.
|
||||
|
||||
- Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication.
|
||||
|
||||
- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release.
|
||||
|
||||
## Benefits of Windows Hello
|
||||
|
||||
Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
|
||||
|
||||
You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials.
|
||||
|
||||
In Windows 10, Hello replaces passwords. The Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software.
|
||||
|
||||
|
||||
|
||||
Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.
|
||||
|
||||
Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs.
|
||||
|
||||
Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
|
||||
|
||||
> [!NOTE]
|
||||
> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
|
||||
|
||||
|
||||
|
||||
### How Windows Hello for Business works : Key points
|
||||
|
||||
- Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device.
|
||||
- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step.
|
||||
- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy.
|
||||
- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
|
||||
- Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process.
|
||||
- PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates.
|
||||
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
|
||||
- Certificate private keys can be protected by the Hello container and the Hello gesture.
|
||||
|
||||
For a detailed explanation, see [How Windows Hello for Business works](hello-how-it-works.md).
|
||||
|
||||
## Comparing key-based and certificate-based authentication
|
||||
|
||||
Windows Hello for Business can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Hello.
|
||||
|
||||
Hardware-based keys, which are generated by TPM, provide the highest level of assurance. When the TPM is manufactured, an Endorsement Key (EK) certificate is resident in the TPM. This EK certificate creates a root trust for all other keys that are generated on this TPM.
|
||||
EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Hello keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected.
|
||||
|
||||
When identity providers such as Active Directory or Azure AD enroll a certificate in Hello, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported.
|
||||
|
||||
## Learn more
|
||||
|
||||
[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
|
||||
|
||||
[What's new in Active Directory Domain Services for Windows Server 2016](https://go.microsoft.com/fwlink/p/?LinkId=708533)
|
||||
|
||||
[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024)
|
||||
|
||||
[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995)
|
||||
|
||||
[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890)
|
||||
|
||||
[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891)
|
||||
|
||||
[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778)
|
||||
|
||||
[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928)
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md)
|
||||
- [How Windows Hello for Business works](hello-how-it-works.md)
|
||||
- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md)
|
||||
- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
|
||||
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
|
||||
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
|
||||
- [Windows Hello and password changes](hello-and-password-changes.md)
|
||||
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
|
||||
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
|
||||
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
|
||||
Reference in New Issue
Block a user