From ff21abb8fc811821078e1cf1e2d883028252ca7d Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 28 Sep 2016 11:40:29 -0700 Subject: [PATCH] add new topic, interlinks --- windows/keep-secure/TOC.md | 1 + ...ange-history-for-keep-windows-10-secure.md | 6 + .../enable-phone-signin-to-pc-and-vpn.md | 2 +- .../keep-secure/hello-and-password-changes.md | 25 ++-- .../hello-biometrics-in-enterprise.md | 13 +- .../keep-secure/hello-enable-phone-signin.md | 24 ++-- .../hello-errors-during-pin-creation.md | 62 ++++----- windows/keep-secure/hello-event-300.md | 38 +++--- windows/keep-secure/hello-how-it-works.md | 126 ++++++++++++++++++ .../hello-implement-in-organization.md | 29 ++-- .../hello-manage-identity-verification.md | 25 ++-- .../hello-prepare-people-to-use.md | 25 ++-- .../hello-why-pin-is-better-than-password.md | 13 +- ...microsoft-passport-in-your-organization.md | 4 +- ...y-verification-using-microsoft-passport.md | 41 +++--- ...microsoft-passport-and-password-changes.md | 2 +- ...oft-passport-errors-during-pin-creation.md | 2 +- .../keep-secure/microsoft-passport-guide.md | 2 +- windows/keep-secure/passport-event-300.md | 2 +- ...repare-people-to-use-microsoft-passport.md | 2 +- .../why-a-pin-is-better-than-a-password.md | 2 +- .../windows-hello-in-enterprise.md | 2 +- 22 files changed, 275 insertions(+), 173 deletions(-) create mode 100644 windows/keep-secure/hello-how-it-works.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index e05c37aaec..03e7c2cb11 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -1,6 +1,7 @@ # [Keep Windows 10 secure](index.md) ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) ## [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +### [How Windows Hello for Business works](hello-how-it-works.md) ### [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) ### [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) ### [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 6dc8ea8b8c..fa21d8f325 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -12,6 +12,12 @@ author: brianlic-msft # Change history for Keep Windows 10 secure This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## Octoboer 2016 + +| New or changed topic | Description | +| --- | --- | +| Microsoft Passport guide | Content merged into [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) topics | + ## September 2016 | New or changed topic | Description | diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md index 38fb8a9fef..064dd48a63 100644 --- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md +++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -redirect_url: /hello-enable-phone-signin +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-enable-phone-signin --- # Enable phone sign-in to PC or VPN 
diff --git a/windows/keep-secure/hello-and-password-changes.md b/windows/keep-secure/hello-and-password-changes.md index 128f1ffe29..4388fd73dc 100644 --- a/windows/keep-secure/hello-and-password-changes.md +++ b/windows/keep-secure/hello-and-password-changes.md @@ -36,19 +36,12 @@ Suppose instead that you sign in on **Device B** and change your password for yo ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  \ No newline at end of file +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file 
diff --git a/windows/keep-secure/hello-biometrics-in-enterprise.md b/windows/keep-secure/hello-biometrics-in-enterprise.md index ca368e846f..98a4f449cf 100644 --- a/windows/keep-secure/hello-biometrics-in-enterprise.md +++ b/windows/keep-secure/hello-biometrics-in-enterprise.md @@ -75,10 +75,15 @@ To allow facial recognition, you must have devices with integrated special infra - Effective, real world FRR with Anti-spoofing or liveness detection: <10% ## Related topics -- [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) -- [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) -- [Microsoft Passport guide](microsoft-passport-guide.md) -- [Prepare people to use Windows Hello for Work](prepare-people-to-use-microsoft-passport.md) +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) - [PassportforWork CSP](https://go.microsoft.com/fwlink/p/?LinkId=708219)   diff --git a/windows/keep-secure/hello-enable-phone-signin.md b/windows/keep-secure/hello-enable-phone-signin.md index e3c6cbddf6..e6cd471753 100644 --- a/windows/keep-secure/hello-enable-phone-signin.md +++ b/windows/keep-secure/hello-enable-phone-signin.md 
@@ -63,21 +63,15 @@ If you want to distribute the **Microsoft Authenticator** app, your organization ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)   diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md index 3e4fbfbedf..6d2998ebfd 100644 --- a/windows/keep-secure/hello-errors-during-pin-creation.md +++ b/windows/keep-secure/hello-errors-during-pin-creation.md 
@@ -197,43 +197,37 @@ If the error occurs again, check the error code against the following table to s ## Errors with unknown mitigation For errors listed in this table, contact Microsoft Support for assistance. -| Hex | Cause | -|-------------|-------------------------------------------------------------------------------------------------------| -| 0x80072f0c | Unknown | +| Hex | Cause | +|-------------|---------| +| 0x80072f0c | Unknown | | 0x80070057 | Invalid parameter or argument is passed | | 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. | -| 0x8009002D | NTE\_INTERNAL\_ERROR | -| 0x80090020 | NTE\_FAIL | -| 0x801C0001 | ​ADRS server response is not in valid format | -| 0x801C0002 | Server failed to authenticate the user | -| 0x801C0006 | Unhandled exception from server | -| 0x801C000C | Discovery failed | -| 0x801C001B | ​The device certificate is not found | -| 0x801C000B | Redirection is needed and redirected location is not a well known server | -| 0x801C0019 | ​The federation provider client configuration is empty | -| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty | -| 0x801C0013 | Tenant ID is not found in the token | -| 0x801C0014 | User SID is not found in the token | -| 0x801C03F1 | There is no UPN in the token | -| 0x801C03F0 | ​There is no key registered for the user | -| 0x801C03F1 | ​There is no UPN in the token | -| ​0x801C044C | There is no core window for the current thread | +| 0x8009002D | NTE\_INTERNAL\_ERROR | +| 0x80090020 | NTE\_FAIL | +| 0x801C0001 | ​ADRS server response is not in valid format | +| 0x801C0002 | Server failed to authenticate the user | +| 0x801C0006 | Unhandled exception from server | +| 0x801C000C | Discovery failed | +| 0x801C001B | ​The device certificate is not found | +| 0x801C000B | Redirection is needed and redirected location is not a well known server | +| 0x801C0019 | ​The federation provider client 
configuration is empty | +| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty | +| 0x801C0013 | Tenant ID is not found in the token | +| 0x801C0014 | User SID is not found in the token | +| 0x801C03F1 | There is no UPN in the token | +| 0x801C03F0 | ​There is no key registered for the user | +| 0x801C03F1 | ​There is no UPN in the token | +| ​0x801C044C | There is no core window for the current thread |   ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) \ No newline at end of file +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file 
diff --git a/windows/keep-secure/hello-event-300.md b/windows/keep-secure/hello-event-300.md index 25c9b86986..a366e3a402 100644 --- a/windows/keep-secure/hello-event-300.md +++ b/windows/keep-secure/hello-event-300.md @@ -20,12 +20,12 @@ localizationpriority: high This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. ## Event details -| | | -|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Product:** | Windows 10 operating system | -| **ID:** | 300 | -| **Source:** | Microsoft Azure Device Registration Service | -| **Version:** | 10 | + +| **Product:** | Windows 10 operating system | +| --- | --- | +| **ID:** | 300 | +| **Source:** | Microsoft Azure Device Registration Service | +| **Version:** | 10 | | **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da. Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} |   
@@ -35,20 +35,12 @@ This is a normal condition. No further action is required. ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md new file mode 100644 index 0000000000..d8b890e784 --- /dev/null +++ b/windows/keep-secure/hello-how-it-works.md 
@@ -0,0 +1,126 @@ +--- +title: How Windows Hello for Business works (Windows 10) +description: tbd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- +# How Windows Hello for Business works + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +To use Windows Hello to sign in with an identity provider (IDP), a user needs a configured device, which means that the Windows Hello life cycle starts when you configure a device for Windows Hello use. When the device is set up, its user can use the device to authenticate to services. In this section, we explore how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. + +## Register a new user or device + +A goal of Windows Hello is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration. + +> [!NOTE] +>This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure AD; that configuration is discussed later in this guide. This configuration must be completed before users can begin to register. + + The registration process works like this: + +1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as logging on with a Microsoft account. Logging on with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. +2. 
To log on using that account, the user has to enter the existing credentials for it. The IDP that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. +3. When the user has provided the proof to the IDP, the user enables PIN authentication (Figure 1). The PIN will be associated with this particular credential. + +When the user sets the PIN, it becomes usable immediately + +Remember that Windows Hello depends on pairing a device and a credential, so the PIN chosen is associated only with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are: + +- A user who upgrades from the Windows 8.1 operating system will log on by using his or her existing enterprise password. That triggers MFA from the IDP side; after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. +- A user who typically uses a smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to. +- A user who typically uses a virtual smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to. + +When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and stores this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. 
This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. The protector key securely wraps the authentication key for a specific container. Each container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys (each of which is associated with a unique gesture). Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. + +At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely log on to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future logons can then use either the PIN or the registered biometric gestures. + +## What’s a container? + +You’ll often hear the term container used in reference to MDM solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. 
Windows 10 supports two containers: the default container holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and the enterprise container holds credentials associated with a workplace or school account. + +The enterprise container exists only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. The enterprise container contains only key data for Active Directory or Azure AD. If the enterprise container is present on a device, it’s unlocked separately from the default container, which maintains separation of data and access across personal and enterprise credentials and services. For example, a user who uses a biometric gesture to log on to a managed computer can separately unlock his or her personal container by entering a PIN when logging on to make a purchase from a website. These containers are logically separate. Organizations don’t have any control over the credentials users store in the default container, and applications that authenticate against services in the default container can’t use credentials from the enterprise container. However, individual Windows applications can use the Windows Hello application programming interfaces (APIs) to request access to credentials as appropriate, so that both consumer and LOB applications can be enhanced to take advantage of Windows Hello. + +It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders. + +Each container actually contains a set of keys, some of which are used to protect other keys. 
Figure 3 shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. + +![Each logical container holds one or more sets of keys](images/passport-fig3-logicalcontainer.png) + +Containers can contain several types of key material: + +- An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. +- Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. +- Secure/Multipurpose Internet Mail Extensions (S/MIME) keys and certificates, which a certification authority (CA) generates. The keys associated with the user’s S/MIME certificate can be stored in a Windows Hello container so they’re available to the user whenever the container is unlocked. +- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container as illustrated in Figure 3. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this machine to the IDP. IDP keys are typically long lived but could have a shorter lifetime than the authentication key. 
Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: + - The IDP key pair can be associated with an enterprise CA through the Windows Network Device Enrollment Service (NDES), described more fully in Network Device Enrollment Service Guidance. In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. + - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI. + +## How keys are protected + +Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate, store, and process keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. 
Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the machine can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. + +Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. + + +## Authentication + +When a user wants to access protected key material — perhaps to use an Internet site that requires a logon or to access protected resources on a corporate intranet — the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. On a personal device that’s connected to an organizational network, users will use their personal PIN or biometric to release the key; on a device joined to an on-premises or Azure AD domain, they will use the organizational PIN. This process unlocks the protector key for the primary container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. 
+ +These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or log on to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Windows Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. + +The actual authentication process works like this: + +1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.) +2. The IDP returns a challenge, known as a nonce. +3. The device signs the nonce with the appropriate private key. +4. The device returns the original nonce, the signed nonce, and the ID of the key used to sign the nonce. +5. The IDP fetches the public key that the key ID specified, uses it to verify the signature on the nonce, and verifies that the nonce the device returned matches the original. +6. If all the checks in step 5 succeed, the IDP returns two data items: a symmetric key, which is encrypted with the device’s public key, and a security token, which is encrypted with the symmetric key. +7. 
The device uses its private key to decrypt the symmetric key, and then uses that symmetric key to decrypt the token. +8. The device makes a normal authentication request for the original resource, presenting the token from the IDP as its proof of authentication. + +When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices. + +Remote unlock, which is planned for a future release of Windows 10, builds on these scenarios by enabling seamless remote authentication from a mobile device as a second factor. For example, suppose that you’re visiting another office at your company and you need to borrow a computer there temporarily, but you don’t want to potentially expose your credentials to capture. Rather than type in your credentials, you can click other user on the Windows 10 logon screen, type your user name, pick the tile for remote authentication, and use an app on your phone, which you already unlocked by using its built-in facial-recognition sensors. The phone and computer are paired and handshake via Bluetooth, you type your authentication PIN on the phone, and the computer gets confirmation of your identity from the IDP. All this happens without typing a password anywhere or typing your PIN on the PC. + +## The infrastructure + +Windows Hello depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities: + +- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to devices. 
You can use NDES to register devices directly, Microsoft System Center Configuration Manager or later for on-premises environments, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello. +- You can configure Windows Server 2016 domain controllers to act as IDPs for Windows Hello. In this mode, the Windows Server 2016 domain controllers act as IDPs alongside any existing Windows Server 2008 R2 or later domain controllers. There is no requirement to replace all existing domain controllers, merely to introduce at least one Windows Server 2016 domain controller per Active Directory site and update the forest Active Directory Domain Services (AD DS) schema to Windows Server 2016 Technical Preview. +- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required. +- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. 
+ + + + + + + + + + + + + + + +## Related topics + +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/hello-implement-in-organization.md b/windows/keep-secure/hello-implement-in-organization.md index b9e72308cc..7429667875 100644 --- a/windows/keep-secure/hello-implement-in-organization.md +++ b/windows/keep-secure/hello-implement-in-organization.md @@ -300,6 +300,8 @@ The following table lists the MDM policy settings that you can configure for Win   ## Prerequisites +To deploy Windows Hello for Business, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Windows Hello for Business build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Azure Active Directory to deploy Windows Hello for Business in your network. + You’ll need this software to set Windows Hello for Business policies in your enterprise. 
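Review bot: in the new file hello-how-it-works.md, the "## The infrastructure" list announces "four deployment possibilities" but only three of its bullets are deployment options; the third bullet ("The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records...") explains how Windows 10 clients locate a Windows Server 2016 domain controller and belongs as a follow-on paragraph to the second bullet, so fold it in and say "three". In the same section, "update the forest Active Directory Domain Services (AD DS) schema to Windows Server 2016 Technical Preview" should read plain Windows Server 2016, "Microsoft System Center Configuration Manager or later" is missing the version that "or later" refers to, and "the Deployment requirements section of this document" does not exist in this topic (the prerequisites live in hello-implement-in-organization.md, so link there). In "## Authentication", the claim that the IDP "is verifying that the request came from the specified user and device" overstates what a signature proves: the key is device-bound and mapped to the user at registration, and the preceding paragraph says API access to the unlocked key "doesn't require explicit validation through a user gesture", so once the container is unlocked any code running in the user's session can request a signature. Say that plainly and point readers at the forced-reauthentication request described in the same paragraph as the control for sensitive actions; likewise the software-key paragraph ("any user who has (or can escalate to) administrative rights on the machine can use the IDP keys to sign requests") should name the policy that enforces TPM-backed keys, since the MDM policy table in hello-implement-in-organization.md is where an administrator would set it. The paragraph "Remote unlock, which is planned for a future release of Windows 10" conflicts with the Related topics entry "Enable phone sign-in to PC or VPN" and with the TAP note in the manage topic; pick one status. Finally, the fifteen blank "+" lines before "## Related topics" and the missing newline at end of file should be cleaned up.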
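Review bot: the new Prerequisites paragraph in hello-implement-in-organization.md says "in some modes you must add Windows Server 2016 domain controllers" without naming the modes, which is exactly what a reader of a prerequisites section needs; state them (the page already distinguishes key-based from certificate-based authentication, and hello-how-it-works.md in this patch distinguishes an on-premises AD DS IDP from Azure AD). It also says "You don't have to change the domain or forest functional level" while hello-how-it-works.md requires you to "update the forest Active Directory Domain Services (AD DS) schema"; the two are compatible, since a schema update is not a functional-level raise, but the schema requirement should be stated here too so readers do not conclude that no directory change is needed.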
@@ -369,21 +371,12 @@ The PIN is managed using the same Windows Hello for Business policies that you c ## Related topics -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  \ No newline at end of file +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/hello-manage-identity-verification.md b/windows/keep-secure/hello-manage-identity-verification.md index 71b7ad88c9..d1c4c0da7c 100644 --- a/windows/keep-secure/hello-manage-identity-verification.md +++ b/windows/keep-secure/hello-manage-identity-verification.md 
@@ -79,6 +79,7 @@ Hello also enables Windows 10 Mobile devices to be used as [a remote credential - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. - Certificate private keys can be protected by the Hello container and the Hello gesture. +For details, see [How Windows Hello for Business works](hello-how-it-works.md). ## Comparing key-based and certificate-based authentication 
@@ -109,19 +110,13 @@ When identity providers such as Active Directory or Azure AD enroll a certificat ## Related topics -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)   diff --git a/windows/keep-secure/hello-prepare-people-to-use.md b/windows/keep-secure/hello-prepare-people-to-use.md index f6419c6ced..2991666df4 100644 --- a/windows/keep-secure/hello-prepare-people-to-use.md +++ b/windows/keep-secure/hello-prepare-people-to-use.md 
@@ -97,20 +97,13 @@ You simply connect to VPN as you normally would. If the phone's certificates are ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) - +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md index 4fb387f147..ad4f77ab13 100644 --- a/windows/keep-secure/hello-why-pin-is-better-than-password.md +++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md 
@@ -70,7 +70,12 @@ If you only had a biometric sign-in configured and, for any reason, were unable ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) -  \ No newline at end of file +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index a8ac5e3d46..8939418730 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-implement-in-organization +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-implement-in-organization --- # Implement Windows Hello for Business in your organization 
@@ -300,6 +300,8 @@ The following table lists the MDM policy settings that you can configure for Win   ## Prerequisites +To deploy Windows Hello for Business, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Windows Hello for Business build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Azure Active Directory to deploy Windows Hello for Business in your network. + You’ll need this software to set Windows Hello for Business policies in your enterprise.
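Review bot: this paragraph is being added to implement-microsoft-passport-in-your-organization.md, which the previous hunk turns into a redirect to hello-implement-in-organization.md, so the text is unreachable and is a verbatim duplicate of the paragraph added to hello-implement-in-organization.md earlier in this patch; drop it from the redirect stub (ideally reduce the stub to its front matter) so the two copies cannot drift.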
diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 2b9656fb8f..b73f0dbc9d 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile author: jdeckerMS -redirect_url: /hello-manage-identity-verification +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-manage-identity-verification --- # Manage identity verification using Windows Hello for Business 
@@ -37,7 +37,14 @@ After an initial two-step verification of the user during enrollment, Hello is s As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization. + ## Biometric sign-in + Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras, and fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. + + - **Facial recognition**. This type uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. +- **Fingerprint recognition**. This type uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. + +Biometric data used to implement Windows Hello is stored securely on the local device only. It doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. ## The difference between Windows Hello and Windows Hello for Business 
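Review bot: the new "## Biometric sign-in" section is added to manage-identity-verification-using-microsoft-passport.md, which this same patch turns into a redirect stub, so it will never be served; move it to hello-manage-identity-verification.md or hello-biometrics-in-enterprise.md (the latter is in the Related topics list and is the natural home). Within the section the first bullet is indented ("  - **Facial recognition**") while the second ("- **Fingerprint recognition**") is not, which will render as a nested list or a code block depending on the Markdown engine. Also, "allows them to reliably tell the difference between a photograph or scan and a living person" is stated as an absolute while the paragraph above it only claims the IR camera helps "guard against spoofing"; "designed to distinguish" is the defensible wording, since the section gives no detail on the liveness check.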
@@ -67,8 +74,9 @@ Hello also enables Windows 10 Mobile devices to be used as [a remote credential > [!NOTE] >  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. -  -## How Windows Hello for Business works: key points + + +### How Windows Hello for Business works : Key points - Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device. - Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step. @@ -79,6 +87,7 @@ Hello also enables Windows 10 Mobile devices to be used as [a remote credential - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. - Certificate private keys can be protected by the Hello container and the Hello gesture. +For a detailed explanation, see [How Windows Hello for Business works](hello-how-it-works.md). ## Comparing key-based and certificate-based authentication 
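Review bot: the heading change in the @@ -67,8 hunk, from "## How Windows Hello for Business works: key points" to "### How Windows Hello for Business works : Key points", introduces a stray space before the colon and changes capitalization, and it demotes the heading in a file this patch turns into a redirect stub while the live copy in hello-manage-identity-verification.md keeps the ## heading; revert it in the stub or apply the same heading in both files. The cross-reference added in the @@ -79,6 hunk also differs from the live file ("For a detailed explanation, see" here versus "For details, see" in hello-manage-identity-verification.md); use one wording. Unrelated but visible in the context lines: "Identify provider (such as Active Directory, Azure AD, or a Microsoft account)" should be "Identity provider".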
@@ -109,19 +118,13 @@ When identity providers such as Active Directory or Azure AD enroll a certificat ## Related topics -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md index 7eddfa84a4..3fa30f4786 100644 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ b/windows/keep-secure/microsoft-passport-and-password-changes.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-and-password-changes +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-and-password-changes --- # Windows Hello and password changes diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md index a0d5c75f85..61f8335040 100644 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-errors-during-pin-creation +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-errors-during-pin-creation --- # Windows Hello errors during PIN creation diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index d4bd6e4d33..d921444e45 100644 --- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md @@ -8,7 +8,7 @@ ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: security author: challum -localizationpriority: high +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-implement-in-organization --- # Microsoft Passport guide diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md index 1c0937e186..80298cf4fe 100644 --- a/windows/keep-secure/passport-event-300.md +++ b/windows/keep-secure/passport-event-300.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-event-300 +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-event-300 --- # Event ID 300 - Windows Hello successfully created 
diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index 4cb911fcc0..cde8099b99 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-prepare-people-to-use +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-prepare-people-to-use --- # Prepare people to use Windows Hello diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md index 7eac794a90..5fccb990f7 100644 --- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-why-pin-is-better-than-password +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-why-pin-is-better-than-password --- # Why a PIN is better than a password diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index 39a3d66e35..09380ebe1f 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md +++ b/windows/keep-secure/windows-hello-in-enterprise.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-biometrics-in-enterprise +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-biometrics-in-enterprise --- # Windows Hello biometrics in the enterprise
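Review bot: every redirect_url change in this patch (implement-microsoft-passport-in-your-organization.md, manage-identity-verification-using-microsoft-passport.md, microsoft-passport-and-password-changes.md, microsoft-passport-errors-during-pin-creation.md, passport-event-300.md, prepare-people-to-use-microsoft-passport.md, why-a-pin-is-better-than-a-password.md, windows-hello-in-enterprise.md) replaces a site-relative target such as "/hello-implement-in-organization" with an absolute "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/..." URL. Hard-coding the host and the en-us locale sends readers of localized builds out of their locale and breaks the redirects if the content is served from another host; if the relative form was failing, a root-relative path that carries the itpro/windows/keep-secure prefix would fix the resolution without pinning the host, or the commit should say why the absolute form is required.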
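Review bot: the microsoft-passport-guide.md hunk replaces "localizationpriority: high" with the redirect_url line instead of adding the redirect alongside it, so the guide silently loses its localization priority; the other redirect stubs in this patch keep the rest of their front matter, so either keep the key or state that the drop is intentional. Also confirm the target: the guide is redirected to hello-implement-in-organization, yet the new hello-how-it-works.md topic is the one carrying the guide-style explanation of software versus TPM keys, the nonce-signing authentication flow and the IDP infrastructure options, so a reader following an old bookmark to the guide is better served by whichever topic absorbed the bulk of its content.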