Merged PR 10243: Security/RecoveryEnvironmentAuthentication - added new policy to Policy CSP

This commit is contained in:
Maricia Alforque 2018-07-31 20:52:58 +00:00
parent 0161f744c2
commit ffd91d3467
2 changed files with 90 additions and 0 deletions

View File

@ -2915,6 +2915,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-security.md#security-preventautomaticdeviceencryptionforazureadjoineddevices" id="security-preventautomaticdeviceencryptionforazureadjoineddevices">Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices</a> <a href="./policy-csp-security.md#security-preventautomaticdeviceencryptionforazureadjoineddevices" id="security-preventautomaticdeviceencryptionforazureadjoineddevices">Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices</a>
</dd> </dd>
<dd>
<a href="./policy-csp-security.md#security-recoveryenvironmentauthentication" id="security-recoveryenvironmentauthentication">Security/RecoveryEnvironmentAuthentication</a>
</dd>
<dd> <dd>
<a href="./policy-csp-security.md#security-requiredeviceencryption" id="security-requiredeviceencryption">Security/RequireDeviceEncryption</a> <a href="./policy-csp-security.md#security-requiredeviceencryption" id="security-requiredeviceencryption">Security/RequireDeviceEncryption</a>
</dd> </dd>
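Review bot: The new tree entry is placed in the right alphabetical slot (between PreventAutomaticDeviceEncryptionForAzureADJoinedDevices and RequireDeviceEncryption) and its `href`/`id` pair `security-recoveryenvironmentauthentication` matches the anchor the companion hunk adds to policy-csp-security.md, so the cross-file link resolves. Nothing to change here beyond confirming that the duplicated `<dd> <dd>` / `</dd> </dd>` context lines are a side-by-side rendering artifact of this commit view and not literal duplicates in the source file.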

View File

@ -11,6 +11,8 @@ ms.date: 07/30/2018
# Policy CSP - Security # Policy CSP - Security
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/> <hr/>
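Review bot: The prerelease warning is added at page level even though only one policy on this page (RecoveryEnvironmentAuthentication, marked with footnote 5) is prerelease; consider wording it so readers know it applies to the footnoted entries rather than to the whole Security area, for example "Some information in this topic relates to prereleased product ... (see footnote 5)". Also check that the `ms.date: 07/30/2018` in the context is meant to stay one day behind the merge date; if the front matter is expected to track the last substantive edit, it should be bumped in this change.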
@ -43,6 +45,9 @@ ms.date: 07/30/2018
<dd> <dd>
<a href="#security-preventautomaticdeviceencryptionforazureadjoineddevices">Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices</a> <a href="#security-preventautomaticdeviceencryptionforazureadjoineddevices">Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices</a>
</dd> </dd>
<dd>
<a href="#security-recoveryenvironmentauthentication">Security/RecoveryEnvironmentAuthentication</a>
</dd>
<dd> <dd>
<a href="#security-requiredeviceencryption">Security/RequireDeviceEncryption</a> <a href="#security-requiredeviceencryption">Security/RequireDeviceEncryption</a>
</dd> </dd>
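Review bot: The in-page table-of-contents entry uses the fragment `#security-recoveryenvironmentauthentication`, which matches the `id` on the policy heading added later in this file, and it sits in the same alphabetical position as the tree entry in policy-configuration-service-provider.md, so the two lists stay in sync. No change needed.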
@ -488,6 +493,87 @@ The following list shows the supported values:
<hr/> <hr/>
<!--Policy-->
<a href="" id="security-recoveryenvironmentauthentication"></a>**Security/RecoveryEnvironmentAuthentication**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, next major version. This policy controls the Admin Authentication requirement in RecoveryEnvironment.
Supported values:
- 0 - Default: Keep using default(current) behavior
- 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment
- 2 - NoRequireAuthentication: Admin Authentication is not required for components in RecoveryEnvironment
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
**Validation procedure**
The validation requires a check whether Refresh ("Keep my files") and Reset ("Remove everything") requires admin authentication in WinRE.
The process of starting Push Button Reset (PBR) in WinRE:
1. Open a cmd as Administrator, run command "reagentc /boottore" and restart the OS to boot to WinRE.
1. OS should boot to the blue screen of WinRE UI, go through TroubleShoot -> Reset this PC, it should show two options: "Keep my files" and "Remove everything".
If the MDM policy is set to "Default" (0) or does not exist, the admin authentication flow should work as default behavior:
1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication.
1. Click "<-" (right arrow) button and choose "Remove everything", it should not pop up admin authentication and just go to PBR options.
If the MDM policy is set to "RequireAuthentication" (1)
1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication.
1. Click "<-" (right arrow) button and choose "Remove everything", it should also pop up admin authentication.
If the MDM policy is set to "NoRequireAuthentication" (2)
1. Start PBR in WinRE, choose "Keep my files", it should not pop up admin authentication.
1. Go through PBR options and click "cancel" at final confirmation page, wait unit the UI is back.
1. Click "TroubleShoot" -> "Reset this PC" again, choose "Remove everything", it should not pop up admin authentication neither.
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="security-requiredeviceencryption"></a>**Security/RequireDeviceEncryption** <a href="" id="security-requiredeviceencryption"></a>**Security/RequireDeviceEncryption**
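Review bot: The description should state the security consequence of value 2 (NoRequireAuthentication): per the validation steps, the default already lets "Remove everything" run without admin credentials, and value 2 additionally drops the admin prompt from "Keep my files", so anyone who can boot the device into WinRE (for example with `reagentc /boottore` or the recovery menu) can reset it without authenticating; a sentence to that effect, and a recommendation that admins prefer 1 (RequireAuthentication) unless they have a specific reason, belongs in the Description block. Several smaller items in the same hunk:

- The Scope checklist lists both User and Device, but the policy governs the WinRE admin-authentication prompt, which runs before any user logs on; confirm that User scope is really honored, otherwise list Device only.
- The `<!--SupportedValues-->` and `<!--Example-->` blocks are empty while the value list (0/1/2) lives in the Description; move the list into SupportedValues and add a SyncML example as the other policies on this page do, so the section templates stay consistent.
- In the SupportedSKUs table, Home shows a cross-mark image but the Mobile and Mobile Enterprise cells are empty; use the same cross-mark markup in all unsupported columns.
- Validation text typos: `Click "<-" (right arrow) button` should read left (back) arrow, `wait unit the UI is back` should be `wait until`, `it should not pop up admin authentication neither` should end with `either`, and `default(current)` needs a space.
- The three validation scenarios are written as sentences followed by lists; render each scenario heading (`If the MDM policy is set to ...`) as bold or as a sub-bullet so the steps are visibly grouped.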
@ -661,6 +747,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703. - 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709. - 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803. - 4 - Added in Windows 10, version 1803.
- 5 - Added in the next major release of Windows 10.
<!--/Policies--> <!--/Policies-->
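Review bot: Footnote 5 says "Added in the next major release of Windows 10" while the policy description above says "Added in Windows 10, next major version"; pick one phrasing so the footnote and description match, and add a tracking item to replace both with the actual version number (following the pattern of footnotes 2 through 4) once the release ships.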