add vpn stuff

This commit is contained in:
jdeckerMS
2016-07-27 13:58:21 -07:00
parent 2f0549e8d0
commit 6e21c93633
4 changed files with 34 additions and 17 deletions


@ -24,14 +24,15 @@ You can create a Group Policy or mobile device management (MDM) policy that will
## Prerequisites
- Both phone and PC must be running Windows 10, Version 1607.
- Both phone and PC must be running Windows 10, version 1607.
- The PC must be running Windows 10 Pro, Enterprise, or Education
- Both phone and PC must have Bluetooth.
- The **Microsoft Authenticator** app must be installed on the phone.
- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
- The phone must be joined to Azure AD or have a work account added.
- VPN configuration profile must use certificate-based authentication.
- The VPN configuration profile must use certificate-based authentication.
## Set policies and get the app
## Set policies
To enable phone sign-in, you must enable the following policies using Group Policy or MDM.
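Review bot: the new prerequisite "The VPN configuration profile must use certificate-based authentication" reads as a requirement for phone sign-in in general, but it only matters when phone sign-in is used for VPN; the PC sign-in scenario in the rest of this topic has no VPN profile at all. Qualify the bullet, for example "For phone sign-in to VPN, the VPN configuration profile must use certificate-based authentication.", so a reader enabling only PC sign-in does not go looking for a VPN profile. Minor: "The PC must be running Windows 10 Pro, Enterprise, or Education" is the only bullet in the list without a terminating period.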
@ -42,13 +43,20 @@ To enable phone sign-in, you must enable the following policies using Group Poli
- Set **UsePassportForWork** to **True**
- Set **Remote\UseRemotePassport** to **True**
Everyone can get the **Microsoft Authenticator** app from the Windows Store. If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a Line of Business (LOB) publisher.
## Configure VPN
To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows:
- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate.
- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate.
## Get the app
You will be able to get the [Microsoft Authenticator](https://blogs.technet.microsoft.com/enterprisemobility/2016/07/25/microsoft-authenticator-coming-august-15th/) app from the Windows Store on Aug 15. If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md).
[Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote)
## Related topics
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
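Review bot: "EAP-Transport Level Security (EAP-TLS)" in the inbox VPN bullet should read "EAP-Transport Layer Security", which is what TLS expands to. The same bullet carries the security-relevant instruction of this hunk but only implies why it matters; state it directly: without EKU or Issuer filtering in the EAP configuration XML, the EAP-TLS client can select a certificate other than the Remote NGC certificate, so the filter is what guarantees that the VPN authentication is actually bound to the certificate on the phone. In the UWP bullet, "3rd party mechanism" should be "third-party mechanism". Also, "You will be able to get the Microsoft Authenticator app from the Windows Store on Aug 15" is date-dependent text that goes stale the day after; consider phrasing it as availability from the Store with the announcement linked, rather than a future date.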


@ -50,16 +50,20 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci
![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png)
## <a href="" id="bmk-remote"></a>Use a phone to sign in to a PC
## <a href="" id="bmk-remote"></a>Use a phone to sign in to a PC or VPN
If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials.
 
**Prerequisites:**
- The PC must be joined to the Active Directory domain or Azure AD cloud domain.
- The PC must have Bluetooth connectivity.
- The phone must be joined to the Azure AD cloud domain, or the user must have added a work account to their personal phone.
- The **Microsoft Authenticator** app must be installed on the phone.
- Both phone and PC must be running Windows 10, version 1607.
- The PC must be running Windows 10 Pro, Enterprise, or Education
- Both phone and PC must have Bluetooth.
- The **Microsoft Authenticator** app must be installed on the phone.
- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
- The phone must be joined to Azure AD or have a work account added.
- The VPN configuration profile must use certificate-based authentication.
**Pair the PC and phone**
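Review bot: the heading now says "Use a phone to sign in to a PC or VPN", but the introductory sentence that follows still describes only signing in to the PC ("use an app on the phone to sign in to the PC using their Windows Hello credentials"); extend it to mention VPN so the heading and the paragraph agree. This topic is written for end users, and "The VPN configuration profile must use certificate-based authentication" is something an administrator configures, not the user; either drop it here and leave it in the administrator topic, or reword it as what the user will see (an approval notification on the phone when the VPN profile uses the phone's certificate). As in the other file, "The PC must be running Windows 10 Pro, Enterprise, or Education" lacks a terminating period.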
@ -75,11 +79,17 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows
**Sign in to PC using the phone**
1. Open the **Microsoft Authenticator** app and tap the name of the PC to sign in to.
1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to.
> **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account.
![select a device](images/phone-signin-device-select.png)
 
2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.
**Connect to VPN**
You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect.
## Related topics
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
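Review bot: the "Connect to VPN" paragraph should tell users what to do with an approval notification they did not trigger. Because tapping allow and entering the PIN completes the VPN authentication, the guidance should say to approve only a notification that appears right after the user started a VPN connection themselves and to dismiss any other one; this is the same approval step described for PC sign-in, so the advice belongs in both places. "If you click **allow** in the notification" should use the button label as it appears in the app and "tap" rather than "click", since the notification is on the phone. "You simply connect to VPN as you normally would" can lose "simply". Separately, `> **Note: **` has a space before the closing `**`, which prevents the bold from rendering; it should be `> **Note:**`.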