diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md index 25345e4195..9efc567dde 100644 --- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md +++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md 
@@ -16,13 +16,35 @@ author: jdeckerMS - Windows 10 - Windows 10 Mobile +In Windows 10, Version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call. + You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone. ## Prerequisites + - Both phone and PC must be running Windows 10, Version 1607. + - Both phone and PC must have Bluetooth. + - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. + - The phone must be joined to Azure AD or have a work account added. + - VPN configuration profile must use certificate-based authentication. +## Set policies and get the app + +To enable phone sign-in, you must enable the following policies using Group Policy or MDM. + +- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work** + - Enable **Use Microsoft Passport for Work** + - Enable **Remote Passport** +- MDM: + - Set **UsePassportForWork** to **True** + - Set **Remote\UseRemotePassport** to **True** + +To distribute the **Phone Sign-in** app, your organization must have set up Windows Store for Business, with Microsoft added as a Line of Business (LOB) publisher. + - The **Phone Sign-in** app must be added to Windows Store for Business for your organization. + - Users must install the **Phone sign-in** app on the phone. +[Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote) ## Related topics 
diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index 74cebb3914..d552d29f2b 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -55,14 +55,16 @@ If your policy allows it, people can add Windows Hello to their Passport. Window ## Use a phone to sign in to a PC If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Microsoft Passport credentials. -> **Note:**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. +   **Prerequisites:** - The PC must be joined to the Active Directory domain or Azure AD cloud domain. - The PC must have Bluetooth connectivity. - The phone must be joined to the Azure AD cloud domain, or the user must have added a work account to their personal phone. -- The free **Phone Sign-in** app must be installed on the phone. +- The **Phone Sign-in** app must be installed on the phone. + **Pair the PC and phone** + 1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing. ![bluetooth pairing](images/btpair.png) @@ -72,9 +74,11 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows ![bluetooth pairing passcode](images/bt-passcode.png) 3. On the PC, tap **Yes**. + **Sign in to PC using the phone** + 1. Open the **Phone Sign-in** app and tap the name of the PC to sign in to. - > **Note: **  The first time that you run the Phone-Sign app, you must add an account. + > **Note: **  The first time that you run the **Phone Sign-in** app, you must add an account.   2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.
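Review bot: In enable-phone-signin-to-pc-and-vpn.md, the MDM bullets under the new "Set policies and get the app" heading give only bare setting names (**UsePassportForWork** and **Remote\UseRemotePassport**) without naming the configuration service provider they belong to or linking to its reference, so an MDM administrator cannot tell where to set them. Add the CSP name or a link next to "MDM:". The new intro also promises sign-in to Office 365 in a browser, but none of the added prerequisites or policy steps mention it; either cover it or drop it from the intro. Minor: the app name is capitalized two ways in adjacent bullets ("The **Phone Sign-in** app must be added" and "install the **Phone sign-in** app"); use **Phone Sign-in** in both.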
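Review bot: In prepare-people-to-use-microsoft-passport.md, hunk @@ -55,14 +55,16 @@, removing the TAP-only note leaves the **Prerequisites** list as the only statement of requirements on this page, and it does not match the list this same patch adds to enable-phone-signin-to-pc-and-vpn.md. This list has no Windows 10, Version 1607 requirement, asks for Bluetooth on the PC only, and says "joined to the Active Directory domain or Azure AD cloud domain" without the condition that the Active Directory domain is connected to Azure AD. Align the two lists, or replace this one with a link to the prerequisites in the other topic so they cannot drift apart.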
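Review bot: In prepare-people-to-use-microsoft-passport.md, hunk @@ -72,9 +74,11 @@, the rewritten note line still opens with "> **Note: **", with a space before the closing asterisks, which many Markdown renderers will not treat as bold. Since the line is already being edited to fix the app name, change the opening to "> **Note:**" to match the form used for the note removed earlier in this file.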