From ffd91d346713bbdcb692b83fd2649676f6aaaa26 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Tue, 31 Jul 2018 20:52:58 +0000 Subject: [PATCH] Merged PR 10243: Security/RecoveryEnvironmentAuthentication - added new policy to Policy CSP --- .../policy-configuration-service-provider.md | 3 + .../mdm/policy-csp-security.md | 87 +++++++++++++++++++ 2 files changed, 90 insertions(+) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 7c699b0382..940e812a79 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2915,6 +2915,9 @@ The following diagram shows the Policy configuration service provider in tree fo
Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
+
+ Security/RecoveryEnvironmentAuthentication +
Security/RequireDeviceEncryption
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index e0557a49ab..0deb6e2076 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -11,6 +11,8 @@ ms.date: 07/30/2018 # Policy CSP - Security +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -43,6 +45,9 @@ ms.date: 07/30/2018
Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
+
+ Security/RecoveryEnvironmentAuthentication +
Security/RequireDeviceEncryption
@@ -488,6 +493,87 @@ The following list shows the supported values:
+ +**Security/RecoveryEnvironmentAuthentication** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +Added in Windows 10, next major version. This policy controls the Admin Authentication requirement in RecoveryEnvironment. + +Supported values: +- 0 - Default: Keep using default(current) behavior +- 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment +- 2 - NoRequireAuthentication: Admin Authentication is not required for components in RecoveryEnvironment + + + + + + + + + +**Validation procedure** + +The validation requires a check whether Refresh ("Keep my files") and Reset ("Remove everything") requires admin authentication in WinRE. +The process of starting Push Button Reset (PBR) in WinRE: + +1. Open a cmd as Administrator, run command "reagentc /boottore" and restart the OS to boot to WinRE. +1. OS should boot to the blue screen of WinRE UI, go through TroubleShoot -> Reset this PC, it should show two options: "Keep my files" and "Remove everything". + +If the MDM policy is set to "Default" (0) or does not exist, the admin authentication flow should work as default behavior: + +1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication. +1. Click "<-" (right arrow) button and choose "Remove everything", it should not pop up admin authentication and just go to PBR options. + +If the MDM policy is set to "RequireAuthentication" (1) + +1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication. +1. Click "<-" (right arrow) button and choose "Remove everything", it should also pop up admin authentication. + +If the MDM policy is set to "NoRequireAuthentication" (2) + +1. Start PBR in WinRE, choose "Keep my files", it should not pop up admin authentication. +1. Go through PBR options and click "cancel" at final confirmation page, wait unit the UI is back. +1. Click "TroubleShoot" -> "Reset this PC" again, choose "Remove everything", it should not pop up admin authentication neither. + + + + +
+ **Security/RequireDeviceEncryption** @@ -661,6 +747,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10.
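Review bot: In the hunk at `@@ -11,6 +11,8 @@` of policy-csp-security.md, the prerelease `[!WARNING]` banner is added at the top of the whole page, so it now applies to every Security policy in the file although only Security/RecoveryEnvironmentAuthentication is new. That is acceptable for the prerelease window, but consider placing the warning (or a shorter note) inside the new policy's section as well, so that the banner at page level can be dropped at release without leaving the section unmarked.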
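Review bot: In the hunk at `@@ -488,6 +493,87 @@` (the new Security/RecoveryEnvironmentAuthentication section), the validation steps contradict themselves and contain several typos. `Click "<-" (right arrow) button` describes a left-pointing glyph as a right arrow; suggest `Click the back ("<-") button`. `wait unit the UI is back` should be `wait until the UI is back`, `it should not pop up admin authentication neither` should end in `either`, and `Keep using default(current) behavior` needs a space before the parenthesis. The heading `Supported values:` also differs from the wording used elsewhere in this file, visible in the hunk context as `The following list shows the supported values:`. On substance, the description of value 2 (`NoRequireAuthentication`) should state what is being turned off: with this value, Refresh ("Keep my files") and Reset ("Remove everything") run from WinRE without any admin credentials, so the validation steps at the end of the hunk are also the steps by which anyone who can boot the device into WinRE could wipe it; an administrator reading only the value list would not see that consequence. Please also confirm two details of the availability table: the header lists seven editions (Home through Mobile Enterprise) but the value row shows only five marks (`cross mark` plus four `check mark5`), leaving Mobile and Mobile Enterprise empty, and the Scope checklist marks both `User` and `Device` although the setting governs WinRE behaviour for the whole machine, so a User-scope value needs to be explained or removed.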
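Review bot: In the footnote hunk at `@@ -661,6 +747,7 @@`, the new entry `- 5 - Added in the next major release of Windows 10.` uses different wording from the policy body, which says `Added in Windows 10, next major version.`, and from the existing footnotes, which follow the pattern `Added in Windows 10, version 1803.`. Pick one phrasing for both places, and leave a reminder in the PR to replace it with the actual version number when the release ships, since the footnote number 5 is referenced from the availability table in the section above.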