more work for multifactor unlock

This commit is contained in:
Mike Stephens
2018-02-23 18:38:32 -08:00
parent 6932c98890
commit fefad73786


@ -18,7 +18,7 @@ ms.date: 02/23/2018
* Hybird Azure AD joined (Hybrid deployments) * Hybird Azure AD joined (Hybrid deployments)
* Domain Joined (on-premises deployments) * Domain Joined (on-premises deployments)
* Windows 10, version 1709 * Windows 10, version 1709
* Bluetooth, Bluetooth capable smartphone - optional * Bluetooth, Bluetooth capable phone - optional
Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
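Review bot: the "Hybird Azure AD joined (Hybrid deployments)" item carries a typo ("Hybird") on both the old and new side of this hunk; since the neighbouring bullet is already being touched (smartphone -> phone), fix it to "Hybrid Azure AD joined (Hybrid deployments)" in the same commit rather than leaving it for a follow-up.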
@ -32,23 +32,30 @@ Which organizations can take advanage of Multifactor unlock? Those who:
You enable multifactor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. You enable multifactor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.
## The Basics: How it works
First unlock factor credential provider and Second unlock credential provider are repsonsible for the bulk of the configuration. Each of these components contains a globally unqiue identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credenital provider from each category before Windows allows the user to proceed to their desktop.
The policy setting has three components: The policy setting has three components:
* First unlock factor credential provider * First unlock factor credential provider
* Second unlock factor credential provider * Second unlock factor credential provider
* Signal rules for device unlock * Signal rules for device unlock
## The Basics: How it works ## Configuring Unlock Factors
First unlock factor credential provider and Second unlock credential provider are repsonsible for the bulk of the configuration. Each of these components contains a globally unqiue identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credenital provider from each category before Windows allows the user to proceed to their desktop. The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers.
The credenital providers included in the default policy settings are: Supported credential providers include:
|Credential Provider| GUID| |Credential Provider| GUID|
|:------------------|:----:| |:------------------|:----|
|PIN | \{D6886603-9D2F-4EB2-B667-1971041FA96B}| |PIN | \{D6886603-9D2F-4EB2-B667-1971041FA96B}|
|Fingerprint | \{BEC09223-B018-416D-A0AC-523971B639F5}| |Fingerprint | \{BEC09223-B018-416D-A0AC-523971B639F5}|
|Facial Recognition | \{8AF662BF-65A0-4D0A-A540-A338A999D36F}| |Facial Recognition | \{8AF662BF-65A0-4D0A-A540-A338A999D36F}|
|Trusted Signal | \{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}| |Trusted Signal<br>(Phone proximity, Network location) | \{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}|
>[!NOTE]
>Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table.
The default credential providers for the **First unlock factor credential provider** include: The default credential providers for the **First unlock factor credential provider** include:
* PIN * PIN
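Review bot: "Supported credential providers include:" reads as an open-ended list, but the note added right below it states that multifactor unlock does not support any credential provider not listed in the table, so the lead-in should say the list is exhaustive, e.g. "The supported credential providers are:". In the same region, "The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain" mixes singular and plural; "portions ... each contain" (or "Each ... portion of the policy setting contains") fixes it, and "comma separated" should be hyphenated as "comma-separated" here and in the later paragraph. The hunk context line "Which organizations can take advanage of Multifactor unlock?" also has a typo ("advantage") that this edit could pick up.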
@ -59,15 +66,18 @@ The default credential providers for the **Second unlock factor credential provi
* Trusted Signal * Trusted Signal
* PIN * PIN
Configure a comma separated list of credential provider GUIDs you want to use as first and second unlock factors. While a credential provider can appear in both lists, remember that a credential supported by that provider can only satisfy one of the unlock factors. Listed credential providers do not need to be in any specific order.
For example, if you include the PIN and fingerprint credential providers in both first and second factor lists, a user can use their fingerprint or PIN as the first unlock factor. However, whichever factor they used to satisfy the first unlock factor cannot be used to satisfy the second unlock factor.
## Configure Signal Rules for the Trusted Signal Credential Provider
The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device. The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device.
The default signal rules for the policy setting include the proximity of any paired bluetooth smartphone. The default signal rules for the policy setting include the proximity of any paired bluetooth phone.<br>
`<rule schemaVersion="1.0"> <signal type="bluetooth" scenario="Authentication"/> </rule>`
To successfully reach their desktop, the user must satisfy one credential provider from each category. The order in which the user satisfies each credential provider does not matter. Therefore, using the default policy setting a user can provide:
* PIN and Fingerprint
* PIN and Facial Recognition
* Fingerprint and PIN
* Facial Recognition and Trusted Signal (bluetooth paired smartphone)
>[!IMPORTANT] >[!IMPORTANT]
> * PIN **must** be in at least one of the groups > * PIN **must** be in at least one of the groups
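Review bot: the example list under "Therefore, using the default policy setting a user can provide:" contradicts the sentence just before it. The text says the order in which the user satisfies each provider does not matter, yet "PIN and Fingerprint" and "Fingerprint and PIN" appear as two separate items; either drop the duplicate or state that each item is written as first factor, then second factor, and that the user may present them in either order. The "PIN and Fingerprint" item also needs Fingerprint to be in the second-factor default list, but only Trusted Signal and PIN are visible there in this hunk, so please confirm that against the list above the hunk. The default rule `<rule schemaVersion="1.0"> <signal type="bluetooth" scenario="Authentication"/> </rule>` would be easier to copy into the policy if placed in a fenced XML block on its own lines instead of inline code with a trailing `<br>` on the preceding sentence, and "bluetooth" should be capitalised "Bluetooth" as elsewhere on the page.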
@ -96,5 +106,6 @@ The Group Policy object contains the policy settings needed to trigger Windows H
6. In the navigation pane, expand **Policies** under **Computer Configuration**. 6. In the navigation pane, expand **Policies** under **Computer Configuration**.
7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.<br> 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.<br>
![Group Policy Editor](images/multifactorUnlock/gpme.png) ![Group Policy Editor](images/multifactorUnlock/gpme.png)
8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values. 8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.<br>
![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png)
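Review bot: step 7 says "Administrative Templates > Windows Component", but the policy path given earlier on this page is "Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business"; use "Windows Components" in the step so the two agree. The newly added trailing `<br>` before the screenshot on step 8 matches the pattern used in step 7, which is fine, but the step text itself is unchanged on both sides of this hunk, so consider whether the `<br>` is needed at all given the image already sits on its own line.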