diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 37f424549a..d201710b4a 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -23,10 +23,10 @@ You can create a Group Policy or mobile device management (MDM) policy that will <<<<<<< HEAD -The following table lists the Group Policy settings that you can configure for Passport use in your workplace. *These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**.* +The following table lists the Group Policy settings that you can configure for Passport use in your workplace. *These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.* ======= -The following table lists the Group Policy settings that you can configure for Passport use in your workplace. These policy settings are available in **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**. +The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. >>>>>>> refs/remotes/origin/rs1 @@ -34,21 +34,21 @@ The following table lists the Group Policy settings that you can configure for P - + @@ -128,23 +128,23 @@ The following table lists the Group Policy settings that you can configure for P - +
Options
Use Microsoft Passport for WorkUse Windows Hello for Business -

Not configured: Users can provision Passport for Work, which encrypts their domain password.

-

Enabled: Device provisions Passport for Work using keys or certificates for all users.

-

Disabled: Device does not provision Passport for Work for any user.

+

Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.

+

Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.

+

Disabled: Device does not provision Windows Hello for Business for any user.
Use a hardware security device -

Not configured: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

-

Enabled: Passport for Work will only be provisioned using TPM.

-

Disabled: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+

Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+

Enabled: Windows Hello for Business will only be provisioned using TPM.

+

Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
Remote PassportPhone Sign-in -

Use Remote Passport

+

Use Phone Sign-in

Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
 
 -

Not configured: Remote Passport is disabled.

+

Not configured: Phone sign-in is disabled.

Enabled: Users can use a portable, registered device as a companion device for desktop authentication.

-

Disabled: Remote Passport is disabled.

+

Disabled: Phone sign-in is disabled.
## MDM policy settings for Passport -The following table lists the MDM policy settings that you can configure for Passport use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070). +The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070). @@ -158,9 +158,9 @@ The following table lists the MDM policy settings that you can configure for Pas @@ -170,8 +170,8 @@ The following table lists the MDM policy settings that you can configure for Pas @@ -182,8 +182,8 @@ The following table lists the MDM policy settings that you can configure for Pas @@ -282,8 +282,8 @@ The following table lists the MDM policy settings that you can configure for Pas
PolicyDevice True -

True: Passport will be provisioned for all users on the device.

-

False: Users will not be able to provision Passport.

-
Note  If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.
+

True: Windows Hello for Business will be provisioned for all users on the device.

+

False: Users will not be able to provision Windows Hello for Business.

+
Note  If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.
 
Device False -

True: Passport will only be provisioned using TPM.

-

False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+

True: Windows Hello for Business will only be provisioned using TPM.

+

False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
Device False -

True: Biometrics can be used as a gesture in place of a PIN for domain logon.

-

False: Only a PIN can be used as a gesture for domain logon.

+

True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.

+

False: Only a PIN can be used as a gesture for domain sign-in.
Device or user False -

True: Remote Passport is enabled.

-

False: Remote Passport is disabled.

+

True: Phone sign-in is enabled.

+

False: Phone sign0in is disabled.
@@ -293,7 +293,7 @@ If policy is not configured to explicitly require letters or special characters,   ## Prerequisites -You’ll need this software to set Microsoft Passport policies in your enterprise. +You’ll need this software to set Windows Hello for Business policies in your enterprise. @@ -303,7 +303,7 @@ You’ll need this software to set Microsoft Passport policies in your enterpris - + @@ -349,14 +349,16 @@ You’ll need this software to set Microsoft Passport policies in your enterpris
Microsoft Passport modeWindows Hello for Business mode Azure AD Active Directory (AD) on-premises (available with production release of Windows Server 2016 Technical Preview) Azure AD/AD hybrid (available with production release of Windows Server 2016 Technical Preview)
  -Configuration Manager and MDM provide the ability to manage Passport policy and to deploy and manage certificates protected by Passport. -Azure AD provides the ability to register devices with your enterprise and to provision Passport for organization accounts. -Active Directory provides the ability to authorize users and devices using keys protected by Passport if domain controllers are running Windows 10 and the Microsoft Passport provisioning service in Windows 10 AD FS. +Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business. -## Passport for BYOD +Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. -Passport can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Passport PIN for unlocking the device and a separate work PIN for access to work resources. -The work PIN is managed using the same Passport policies that you can use to manage Passport on organization owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244). +Active Directory provides the ability to authorize users and devices using keys protected by Windows Hello for Business if domain controllers are running Windows 10 and the Windows Hello for Business provisioning service in Windows 10 AD FS. + +## Windows Hello for BYOD + +Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and a separate work PIN for access to work resources. +The work PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244). ## Related topics