Chapter 2

User Account Management

2.0 Objectives
2.1 Types of Windows 10 Accounts
2.2 Windows 10 Local Accounts
2.3 Need for Microsoft Passport
2.4 Understanding Office - 365
2.5 Summary
2.6 Check Your Progress Answers
2.7 Questions for Self Study

2.0 Objectives
At the end of the module you will be able to:
Understand the various types of Windows 10 accounts
Explain local authentication using Windows Hello
Describe network authentication using Microsoft Passport services
Describe Office 365 and Microsoft Azure AD

2.1 Types of Windows 10 Accounts


Windows 10 supports four types of user accounts.
A user account is used to enable users to sign on to a Windows
device to access programs and data.
Take a look at the image; it shows the various supported
Windows 10 user accounts.

The four supported types of user accounts are:
Local Accounts, further classified as built-in user accounts
and user-defined accounts (created by a super user, generally
the Administrator).
Domain Accounts
Domain Accounts based on Azure Active Directory
Microsoft Online Accounts

2.2 Windows 10 Local Accounts


The first type of Windows 10 account is the Local Account.
A local account is used to provide access to a non-domain or
workgroup computer.
The users are created on the local computer; the user
database is stored inside the local computer's registry, in the
SAM (Security Accounts Manager).
On a freshly installed Windows 10 machine you can find two
built-in accounts, also known as default accounts. They are:
Administrator
Guest
(Note that both accounts are disabled by default and you
cannot delete a built-in account.)
The built-in Administrator account is the super user account,
but this account cannot run the Edge browser.

2.2.1 Windows 10 Local Account Feature - Assigned Access


Assigned Access is a security feature for local accounts
created on a Windows 10 machine.
Assigned Access allows you to create a lockdown environment
in which a user can interact with only one app.
The logged-in user cannot close the app or switch between
multiple apps.

The steps for Assigned Access are:
Create a local account for the user on the Windows 10 PC.
Install an app from the Windows Store.
Open Windows 10 Settings (press Windows key + A), navigate
to the Accounts option, select the Family and other accounts
option, and click the "Set up assigned access" link to
enforce it for a particular user.
Take note that the "Assigned Access" feature is available only
with the Professional, Enterprise and Education editions of
Windows 10. Also, a user can exit this mode by pressing the
"Control Alt Delete" keys.

2.2.2 Creating Local User Accounts in Windows 10


The steps to create local user accounts are:
On a Windows 10 machine, log in with super user
credentials.
Open Run and type lusrmgr.msc.
Right-click the "Users" folder to create the new user.
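The two procedures above (creating the local account, then locking it to one app with Assigned Access) done from an elevated PowerShell prompt, as an added example that is not part of the chapter. The user name "KioskUser", the choice of the Calculator app and its "!App" application id are assumptions; the cmdlets are the built-in LocalAccounts and AssignedAccess modules of Windows 10 Pro/Enterprise/Education.

```powershell
# Added example (not from the chapter): create a standard local user in the SAM
# and enforce Assigned Access on it. Run from an elevated PowerShell session.
# Assumed names: "KioskUser" and the Calculator app are placeholders.

$UserName = 'KioskUser'
$Password = Read-Host -AsSecureString -Prompt "Password for $UserName"

# 1. Create the account. It is deliberately NOT added to Administrators:
#    a lockdown user needs only the privileges required to run one app.
$user = New-LocalUser -Name $UserName -Password $Password `
    -Description 'Single-app kiosk account' -PasswordNeverExpires
Add-LocalGroupMember -Group 'Users' -Member $user

# 2. Sanity check: the built-in accounts should still be disabled.
#    Administrator has the well-known RID 500, Guest has RID 501.
Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' } |
    ForEach-Object {
        if ($_.Enabled) { Write-Warning "$($_.Name) is enabled; review this." }
    }

# 3. Resolve the Application User Model ID (AUMID) of the Store app to lock to.
#    AUMID = PackageFamilyName!ApplicationId; "App" is the application id in
#    the Calculator manifest (assumption; Get-StartApps lists ids for other apps).
$pkg = Get-AppxPackage -Name 'Microsoft.WindowsCalculator'
if (-not $pkg) { throw 'Calculator is not installed; install it from the Store first.' }
$aumid = "$($pkg.PackageFamilyName)!App"

# 4. Enforce Assigned Access: after signing in the user sees only this app and
#    can leave the session only with Ctrl+Alt+Del.
Set-AssignedAccess -UserName $UserName -AppUserModelId $aumid

# 5. Show the resulting configuration (Clear-AssignedAccess removes it again).
Get-AssignedAccess
```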
The second type of user account in Windows 10 is the Domain
Account.
A domain is a logical boundary inside the company; any user
created on a Domain Controller machine is termed a domain
account.
By default, the Administrators group consists of Domain
Admins and Enterprise Admins.
Domain User and Domain Guest are the other types of
accounts available.
A domain account is authenticated by a centralized domain
controller and can be customized by Group Policy.

2.2.3 Methods to log on Domain


A domain user can log in to a Windows 10 (domain-joined)
computer by the following four methods:

Username and Password - The user types his username and
password.
Smart card and PIN - The user can access a Windows 10 PC by
using his smart card and PIN (Personal Identification
Number).
Virtual Smart Card + PIN. (Note - Virtual smart card
technology from Microsoft offers security benefits comparable
to physical smart cards by using two-factor authentication.
Virtual smart cards emulate the functionality of physical smart
cards, but they use the Trusted Platform Module (TPM) chip
that is available on computers in many organizations.)
Windows Hello and Microsoft Passport.

2.2.4 Windows 10 Account - Azure AD


The third type of user account is the Azure AD account.
Azure AD (Active Directory) is Microsoft's Active Directory
in the cloud. The complete infrastructure and services of Azure AD
are managed by Microsoft, since it is a cloud-based service.
Microsoft ensures that Azure AD is highly available and
accessible to everyone across the globe.
Take a look at the image; it shows a screenshot of a
Windows 10 machine and the option you will use to connect to
Azure AD. Joining Windows 10 to Azure AD is similar to joining
a local AD.
Users can log on to a Windows 10 PC using Azure AD
credentials.
Windows 10 then trusts Azure AD and lets the user access the local
machine.

2.2.5 Windows 10 Account Type - Microsoft Account


The fourth account type supported by Windows 10 is the
"Microsoft Account".
A Microsoft Account can be an Outlook.com, Live.com, Xbox Live,
TechNet or Windows Live ID account, etc.

The benefits of adding a Microsoft Account are:
It is used to sync selected data and settings across multiple
devices.
A Microsoft Account gives automatic access to OneDrive,
Mail, Calendar, People, etc.
It provides full access to the Microsoft Store for downloading and
installing apps.
After adding a Microsoft Account, you can access the Windows
Store and can perform voice search in Cortana.

2.2.6 Features sync with Microsoft Account


The image gives a graphical representation of the benefits of
Microsoft Accounts. A Microsoft Account user logging on to a Windows 10 PC
has the following features synced:
Passwords.
Internet Explorer settings, history and bookmarks.
Windows Theme - A theme is a combination of desktop
background pictures, window colors, and sounds.
Language preferences.
Accessibility settings and other Windows settings like Drive
Encryption using BitLocker, Windows Store, etc.

2.2.7 Introduction to Windows Hello


Windows Hello is a personal way to sign in to your
Windows 10 devices with just a look or a touch.
By using the Windows Hello feature, you can unlock a
Windows 10 device by applying the concept of identity verification.
The benefits of Windows Hello are:
Nothing to lose (for example, with a traditional login method, if a
smart card is lost it is difficult to log in).
If the user uses "Windows Hello" there is no need to remember
passwords.
By using Windows Hello, your device is protected against
hacking, because now the hacker needs both your Windows 10
device and your "Hello" identification method to break into your
system.

2.2.8 Windows Hello - Methods of Identification


There are four methods of identification supported by the Windows
10 feature "Windows Hello":
Facial Recognition: Specialized hardware is used, for
example an Intel RealSense 3D camera or a Kinect technology-
based camera for 3D facial recognition.
Iris Recognition: This technology is basically iris scanning;
a specialized iris scanner based on infrared
technology is used to scan the human iris. Note that iris
scanning is different from retina scanning.
Fingerprint Recognition: A specialized biometric device that
is built into a laptop, or an external USB fingerprint reader,
can be used. The reader technology is optical or swipe
based.
If all the above methods fail, a "PIN" (Personal Identification
Number) is used as the fallback method in case of
emergency.

2.2.9 Configuring the Windows Hello Feature on a Windows 10 PC


Steps to configure Windows Hello on a Windows 10 device:
Step 1: Install the specialized hardware, which may be
internal or external to your system. Note that this is
hardware similar to that described in the previous
section.
Step 2: On your Windows 10 machine, open Settings, then
navigate to Accounts and select Sign-in options; the
option is illustrated in the image. The image also shows the
setup for the fingerprint method, PIN method or facial
recognition method, and the picture password.

Disabling Windows Hello Features
The steps to disable the Windows Hello feature on your
Windows 10 machine are:
Open Settings, select Accounts, and navigate to Sign-in
options. The same is illustrated in the image.
If you want to remove Windows Hello authentication, then
select Windows Hello and click "Remove"; you also have to
disable or turn off the "Automatically unlock screen if we recognize
you" option.

2.1, 2.2 Check Your Progress


1) A ............ Account is used to enable users to sign on to a
Windows device to access programs and data.
2) The users are created on a local computer; the user
database is stored inside the local computer's registry, that
is .............. .
3) Microsoft ............... AD is the online cloud service from
Microsoft.

2.3 Need for Microsoft Passport


Before we understand Microsoft Passport, let us first
understand the various credential challenges in IT.
Users have problems recalling passwords, and whether stored
locally or in a central repository, passwords can be revealed
by various hacking methods like "brute-force attacks or
phishing attacks".
Additionally, there is a problem with smart cards. The cost of
specialized hardware and smart cards can be a problem for
medium-sized or small companies. Also, setting up a PKI
(Public Key Infrastructure) is tedious work and needs
specialized manpower. There is a risk of "password theft", and
there are new security challenges like "Pass the Hash attacks".
Note - In a "Pass the Hash attack", access to one device
can lead to access to many other resources through the
credentials stored on that device. The Pass the Hash attack is
shown in the image. A remote hacker obtains remote access to
the local Windows client PC (by using various hacking methods).
Now, since this corporate client PC is connected to the server,
the hacker can exploit all the connected devices inside the
corporate network.

2.3.1 Microsoft Passport


Having understood the credential and security challenges for
users and enterprises, the one-point solution is Microsoft
Passport.
For IT administration, a Microsoft Passport is based on a
certificate or an asymmetric key pair.
From the user's point of view, a Microsoft Passport is a biometric
or PIN, or it can be a user gesture.
On-premises Active Directory or Azure Active Directory
validates and proofs the user by OTP codes.
Windows Hello can be combined with Microsoft Passport to
unlock the credentials. The Windows Hello credential is used to
authenticate the user to a specific resource or service.

Passport and Windows Hello


The image illustrates the integration of Passport and Windows
Hello as a two-step verification method.
A user has two methods to log in: either the user can look into the
camera for face recognition/iris scanning, or the user can enter
the PIN manually to access and unlock the Windows device. This
forms the first level of authentication.
The second level of authentication proceeds as the Passport
container generates the keys for the user and sends the OTP codes,
thus forming the two-step verification method.

2.3.2 Components of Microsoft Passport


Microsoft Passport debuted in Windows 10 in conjunction
with a new security feature called Virtual Secure Mode, which
protects credentials from Pass-the-Hash attacks.
This slide shows the various necessary components of
Microsoft Passport.
The Windows 10 device forms one of the components; it
contains the "Windows Hello" authentication method.
The user credentials are provisioned or created locally using
PKI (that is, Public Key Infrastructure).
Finally, the hardware is secured by the TPM, that is, the Trusted
Platform Module.

2.3.3 Understanding about TPM


TPM stands for Trusted Platform Module. It is a writable security chip
inside a device, and generally it is present on business-class
computers.
The keys and certificates stored in the TPM are used for BitLocker,
Virtual Smart Card or Microsoft Passport.
TPM-based keys can be configured in a variety of ways.
One of the options is to make a TPM-based key
unavailable outside the TPM. This is good for mitigating
phishing attacks because it prevents the key from being
copied and used without the TPM. TPM-based keys can
also be configured to require an authorization value to use
them. If too many incorrect authorization guesses occur,
the TPM activates its dictionary attack logic and prevents
further authorization value guesses.
TPM versions 1.2 and 2.0 are supported on the Windows 10 and
Windows Server 2016 operating systems.

2.3.4 Managing TPM


The TPM (Trusted Platform Module) can be managed by the following
four methods:
The first method is by using the tpm.msc snap-in.
The second method is by using the BIOS or UEFI setup (shown
in the image).
The third method is by using Device Manager.
The fourth method is the BitLocker Control Panel.
Additionally, the TPM can be managed by using PowerShell
cmdlets like:
Clear-Tpm - resets a TPM to its default state
Disable-TpmAutoProvisioning - disables the default TPM
auto-provisioning behaviour
Initialize-Tpm - performs part of the provisioning process for a
TPM
Set-TpmOwnerAuth - changes the TPM owner
authorization value
Unblock-Tpm - is used to end a TPM lockout
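An added example (not part of the chapter) that ties the cmdlets above to the dictionary-attack lockout described in 2.3.3: it reads the TPM state with Get-Tpm and the Win32_Tpm WMI class and flags the conditions an administrator should act on before running Initialize-Tpm or Unblock-Tpm. The preference for TPM 2.0 at the end is an assumption.

```powershell
# Added example (not from the chapter): report TPM state using the same
# TrustedPlatformModule cmdlets tpm.msc relies on. Run from an elevated
# PowerShell session on Windows 10 / Windows Server 2016.

function Get-TpmReport {
    $tpm = Get-Tpm
    # Win32_Tpm exposes the spec family ("2.0, 0, 1.38" or "1.2, 2, 3").
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $family = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    [pscustomobject]@{
        Present          = $tpm.TpmPresent
        Ready            = $tpm.TpmReady
        SpecFamily       = $family
        AutoProvisioning = $tpm.AutoProvisioning
        LockedOut        = $tpm.LockedOut
        LockoutCount     = $tpm.LockoutCount
        LockoutMax       = $tpm.LockoutMax
    }
}

$r = Get-TpmReport
$r | Format-List

# Interpret the result for the administrator.
if (-not $r.Present) {
    Write-Warning 'No TPM found: Passport/Hello keys and virtual smart cards cannot be hardware-bound on this device.'
} elseif (-not $r.Ready) {
    Write-Warning 'TPM present but not ready; Initialize-Tpm completes provisioning (a reboot may be needed).'
}

# Dictionary-attack protection: each wrong authorization value raises
# LockoutCount until the TPM refuses further guesses. Unblock-Tpm ends the
# lockout, but a lockout with no known cause deserves investigation first.
if ($r.LockedOut) {
    Write-Warning "TPM is locked out ($($r.LockoutCount)/$($r.LockoutMax) failed attempts)."
}

# Assumption: this organisation standardises on TPM 2.0 for new deployments.
if ($r.SpecFamily -eq '1.2') {
    Write-Output 'TPM 1.2 is supported by Windows 10; check whether the platform offers a 2.0 firmware upgrade.'
}
```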

2.4 Understanding Office 365


Office 365 is a Microsoft online cloud solution and it is
interconnected with the Windows 10 device.
Office 365 is the best way to get the full Microsoft Office
experience. You get the latest versions of the Office suite, like Word,
Excel, PowerPoint and Outlook, with Office 365.
Microsoft Office 365 is a paid subscription suite of
software and services.

2.4.1 Components of Office 365


The components of Office 365 are:
Office applications
Cloud storage (OneDrive storage up to 1 TB)
Hosted Exchange and SharePoint, which Office 365 also supports
Skype for Business, which can be added as an add-on.

2.4.2 Office 365 Plans


Office 365 plans are classified for individual users and
enterprise companies.
Office 365 plans are based on the following parameters:
Individual users or enterprises
The licenses of Office 365 are device based (that is, based
on a single device or multiple devices)
Billing on a per-user basis

2.4.3 Azure AD (Active Directory)


Microsoft Azure AD is the online cloud service from Microsoft.
Microsoft provisions, manages and maintains the servers,
and additionally ensures that the services are always available
geographically.
Azure AD provides an affordable, easy-to-use solution that gives
employees and business partners single sign-on (SSO) access
to thousands of cloud SaaS applications like Office 365,
Salesforce.com, Dropbox, and Concur. This Azure-based online
service is preferred over an on-premises AD server.
Features supported by Azure AD are:
Online storage that is highly available
Services that are always on and scalable
The ability to create virtual machines
Applications and MDM (Mobile Device Management).

2.4.4 Why connect to Azure AD?


After joining Windows 10 devices, the following are the
benefits of integrating a Windows 10 device with Azure AD:
SSO (Single Sign-On) automatically authenticates to both the
domains.
With Azure AD, there is no need to maintain separate
environments, since the domain-joined computers and user
credentials are synced to Azure AD.
By adding a Windows 10 device, roaming settings and the
MDM (Mobile Device Management) feature are added.
The Windows 10 device becomes available to support hybrid
environments.

2.4.5 Adding an Azure AD Account to a Windows 10 Machine
This slide explains adding an Azure AD account to a
Windows 10 device.
The eligible devices are:
Non-domain-joined Windows 10 machines
Personal devices for the BYOD (Bring Your Own Device) scenario
To join a Windows 10 device to Azure AD, perform the
following steps:
On your Windows 10 machine, open Settings, navigate to
the Accounts options, then select Work Access and click Join
Azure AD.
The same is illustrated in the image. Take note that in some build
versions of Windows 10, "Connect to Work or School" is also
referred to as Windows Azure AD.
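An added example (not part of the chapter) to check which join state a device is actually in after the steps above, using the built-in dsregcmd /status tool that Windows 10 ships for exactly this purpose; the descriptive labels for each state are assumptions chosen for readability.

```powershell
# Added example (not from the chapter): classify a Windows 10 device's join
# state (Azure AD joined, hybrid, registered, on-prem only, or none) by
# parsing dsregcmd.exe /status. Run as the signed-in user, not elevated,
# because the "User State" section (WorkplaceJoined) is only shown then.

function Get-JoinState {
    if (-not (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue)) {
        throw 'dsregcmd.exe not available (Windows 10 version 1607 or later expected).'
    }
    $raw = dsregcmd.exe /status

    # Output lines look like "   AzureAdJoined : YES"; build a lookup table.
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }

    $azure  = $fields['AzureAdJoined']   -eq 'YES'
    $domain = $fields['DomainJoined']    -eq 'YES'
    $wpj    = $fields['WorkplaceJoined'] -eq 'YES'

    # Assumed labels for the combinations the chapter describes.
    $state = if ($azure -and $domain) { 'Hybrid Azure AD joined (on-prem AD + Azure AD)' }
             elseif ($azure)           { 'Azure AD joined' }
             elseif ($domain)          { 'On-premises domain joined only' }
             elseif ($wpj)             { 'Azure AD registered (BYOD / Work Access account)' }
             else                      { 'Not joined (local or Microsoft account only)' }

    [pscustomobject]@{
        State           = $state
        AzureAdJoined   = $azure
        DomainJoined    = $domain
        WorkplaceJoined = $wpj
        TenantName      = $fields['TenantName']
        DeviceId        = $fields['DeviceId']
    }
}

Get-JoinState | Format-List
```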

2.3, 2.4 Check Your Progress


1) On-Premises Active Directory or Azure Active Directory
validates and proofs the user by ........... codes.
2) .......... automatically authenticates to both the domains.
3) ................ plans are classified for Individual users and
Enterprise companies.

2.5 Summary
Windows 10 supports four types of user accounts. They are
Local Accounts, Domain Accounts, Azure AD accounts and
Microsoft Accounts.
A Microsoft Account can be an Outlook.com, Xbox Live, TechNet,
Windows Live ID account, etc.
Windows Hello is a personal way to sign in to your Windows
10 devices with just a look or a touch.
For IT administration, a Microsoft Passport is based on a
certificate or an asymmetric key pair.
Windows Hello supports four methods of identification:
Facial Recognition
Iris Recognition (different from retina scanning)
Fingerprint Recognition
PIN.
From the user's point of view, a Microsoft Passport is a biometric
or PIN, or it can be a user gesture.
"Pass the Hash Attacks" - access to one device can
lead to access to many other resources through the credentials
stored on the device.
TPM is the Trusted Platform Module. The keys and certificates
stored in the TPM are used for BitLocker, Virtual Smart Card or
Microsoft Passport.
Office 365 is a paid subscription suite of software and
services.
Microsoft provisions, manages, and maintains the servers
used for Azure AD.
SSO, roaming settings and MDM are some of the benefits
of adding Windows 10 to Azure AD.

2.6 Check Your Progress Answers


2.1, 2.2 Check Your Progress.
1) User
2) SAM
3) Azure

2.3, 2.4 Check Your Progress.


1) OTP
2) SSO (Single Sign-On)
3) Office 365

2.7 Questions for Self Study


1) What are the 4 types of accounts supported by Windows 10?
2) Define Windows Hello.
3) What are the methods of identification used in Windows
Hello?
4) Describe the "Pass the Hash" attack.
5) What is the advantage of integration of Windows Hello with
Microsoft Passport?
6) Describe TPM in Windows 10.
7) What are the differences between Windows Azure AD and
Office 365?
