From 9f07a73df1dedffd95bbcf3e6ea4b0e470b8b98f Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 5 May 2016 12:32:19 -0700 Subject: [PATCH 1/8] RS1 updates --- ...mplement-microsoft-passport-in-your-organization.md | 2 +- ...e-identity-verification-using-microsoft-passport.md | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index e7c4e15101..f1a3a4f58e 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -27,7 +27,7 @@ The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. ## Group Policy settings for Passport -The following table lists the Group Policy settings that you can configure for Passport use in your workplace. These policy settings are available in **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**. +The following table lists the Group Policy settings that you can configure for Passport use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**. diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 52200ca0ed..3789c9f01b 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md 
@@ -43,6 +43,12 @@ After an initial two-step verification of the user during Passport enrollment, P As an administrator in an enterprise or educational organization, you can create policies to manage Passport use on Windows 10-based devices that connect to your organization. +## The difference between Passport and Passport for Work + +Individuals can create a PIN or Hello gesture on their personal devices for convenient sign-in. This use of Passport provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication. + +Passport for Work, which is configured by Group Policy or MDM policy, used key-based or certificate-based authentication. + ## Benefits of Microsoft Passport @@ -60,7 +66,7 @@ Passport helps protect user identities and user credentials. Because no password Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the user’s Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. -**Note**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. +> **Note**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.   
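Review bot: Typo in the added paragraph of this hunk: "Passport for Work, which is configured by Group Policy or MDM policy, used key-based or certificate-based authentication." should read "uses". The new section also says a personal PIN "is not backed by key-based or certificate-based authentication", while the next hunk of the same file says personal (Microsoft account) and corporate accounts share "a single container for keys"; please reconcile the two statements, or say explicitly what a convenience PIN does protect, since the paragraph only says it is "unique to the device on which it is set up".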
@@ -79,7 +85,7 @@ Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remo - PIN entry and Hello both trigger Windows 10 to verify the user's identity and authenticate using Passport keys or certificates. -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use separate containers for keys. Non-Microsoft identity providers can generate keys for their users in the same container as the Microsoft account; however, all keys are separated by identity providers' domains to help ensure user privacy. +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. - Certificates are added to the Passport container and are protected by the Passport gesture. From 26327a1cc3235943d828a3e28b5a93fc6aff5259 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 12 May 2016 08:40:51 -0700 Subject: [PATCH 2/8] italicized changed content --- .../implement-microsoft-passport-in-your-organization.md | 2 +- ...manage-identity-verification-using-microsoft-passport.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index f1a3a4f58e..b57ff86642 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md 
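Review bot: The bullet in this hunk reverses a factual claim (from "separate containers for keys" to "use a single container for keys") and drops the sentence about non-Microsoft identity providers, but the commit message "RS1 updates" gives no source for the change; please cite the RS1 behaviour or the spec it comes from before the old text is removed. The same applies to the first hunk of this patch, which now says the policy settings exist under both User configuration and Computer Configuration: the rs1 branch still says Computer Configuration only (visible in the conflict committed in patch 8), so confirm against the ADMX before merging.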
@@ -27,7 +27,7 @@ The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. ## Group Policy settings for Passport -The following table lists the Group Policy settings that you can configure for Passport use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**. +The following table lists the Group Policy settings that you can configure for Passport use in your workplace. *These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**.*
diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 3789c9f01b..a96cf5ed51 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md @@ -43,11 +43,11 @@ After an initial two-step verification of the user during Passport enrollment, P As an administrator in an enterprise or educational organization, you can create policies to manage Passport use on Windows 10-based devices that connect to your organization. -## The difference between Passport and Passport for Work +## *The difference between Passport and Passport for Work Individuals can create a PIN or Hello gesture on their personal devices for convenient sign-in. This use of Passport provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication. -Passport for Work, which is configured by Group Policy or MDM policy, used key-based or certificate-based authentication. +Passport for Work, which is configured by Group Policy or MDM policy, used key-based or certificate-based authentication. * ## Benefits of Microsoft Passport 
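Review bot: The italic marker added to the heading in this hunk ("## *The difference between Passport and Passport for Work") has no closing "*" on that line, and Markdown emphasis does not span from a heading into the paragraphs below it, so this renders as a literal asterisk in the heading. Remove it from the heading and italicize each changed paragraph on its own; note that the closing marker added as "authentication. *" follows a space and will not close the emphasis either.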
@@ -85,7 +85,7 @@ Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remo - PIN entry and Hello both trigger Windows 10 to verify the user's identity and authenticate using Passport keys or certificates. -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. +- *Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.* - Certificates are added to the Passport container and are protected by the Passport gesture. From dd3eb2e307adbc1e278d0de81ae092d4622d8fed Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 12 May 2016 08:52:01 -0700 Subject: [PATCH 3/8] tweak --- .../manage-identity-verification-using-microsoft-passport.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index a96cf5ed51..63434a14be 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md 
@@ -43,9 +43,9 @@ After an initial two-step verification of the user during Passport enrollment, P As an administrator in an enterprise or educational organization, you can create policies to manage Passport use on Windows 10-based devices that connect to your organization. -## *The difference between Passport and Passport for Work +## The difference between Passport and Passport for Work -Individuals can create a PIN or Hello gesture on their personal devices for convenient sign-in. This use of Passport provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication. +*Individuals can create a PIN or Hello gesture on their personal devices for convenient sign-in. This use of Passport provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication. Passport for Work, which is configured by Group Policy or MDM policy, used key-based or certificate-based authentication. * From 18a81c8a109f54e029a80438aaa5ecde9f01478d Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 12 May 2016 09:13:20 -0700 Subject: [PATCH 4/8] tweak italics --- .../manage-identity-verification-using-microsoft-passport.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 63434a14be..322087beec 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md 
@@ -45,9 +45,9 @@ As an administrator in an enterprise or educational organization, you can create ## The difference between Passport and Passport for Work -*Individuals can create a PIN or Hello gesture on their personal devices for convenient sign-in. This use of Passport provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication. +*Individuals can create a PIN or Hello gesture on their personal devices for convenient sign-in. This use of Passport provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication.** -Passport for Work, which is configured by Group Policy or MDM policy, used key-based or certificate-based authentication. * +*Passport for Work, which is configured by Group Policy or MDM policy, used key-based or certificate-based authentication. * ## Benefits of Microsoft Passport From baa08614e61b4c8a644250591aae80075e8a7879 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 May 2016 10:04:35 -0700 Subject: [PATCH 5/8] new topic --- windows/keep-secure/TOC.md | 1 + .../enable-phone-signin-to-pc-and-vpn.md | 51 +++++++++++++++++++ ...y-verification-using-microsoft-passport.md | 2 + 3 files changed, 54 insertions(+) create mode 100644 windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 56f8c27db1..43f36e2421 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
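Review bot: After this tweak the emphasis markup is still broken: the first paragraph now ends in "authentication.**" (one "*" opens, two close, leaving a stray asterisk in the rendered text) and the second still ends in "authentication. *", where the closer is preceded by a space and is not treated as a closing delimiter. Write each paragraph as "*...authentication.*" with no space before the closing marker, and consider squashing patches 2, 3 and 4 into one commit, since each only corrects the previous one's italics.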
@@ -6,6 +6,7 @@ ### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md) ## [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) ### [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) ### [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) ### [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) ### [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md new file mode 100644 index 0000000000..25345e4195 --- /dev/null +++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md 
@@ -0,0 +1,51 @@ +--- +title: Enable phone sign-in to PC or VPN (Windows 10) +description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone. +keywords: ["identity", "PIN", "biometric", "Hello"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Enable phone sign-in to PC or VPN + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone. + + ## Prerequisites + + + + + +## Related topics + +[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) + +[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) + +[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) + +[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Passport successfully created](passport-event-300.md) + + +  + +  + + + + + diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 322087beec..7778988999 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md 
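Review bot: The new topic is committed with an empty "## Prerequisites" section (a heading with a leading space and no body) and a run of non-breaking-space lines at the end of the file, yet the TOC entry added in the same patch already points readers at it; either include the content that patch 6 adds later in this commit, or hold the file and the TOC line until that content exists. Minor: the title and TOC entry say "PC or VPN" while the file name says "pc-and-vpn"; pick one wording.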
@@ -126,6 +126,8 @@ When identity providers such as Active Directory or Azure AD enroll a certificat [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) + [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) From 71f13127a122b8f3bbc0f81d53d5d073e9e905f4 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 May 2016 12:42:05 -0700 Subject: [PATCH 6/8] add phone sign-in content --- .../enable-phone-signin-to-pc-and-vpn.md | 22 +++++++++++++++++++ ...repare-people-to-use-microsoft-passport.md | 10 ++++++--- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md index 25345e4195..9efc567dde 100644 --- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md +++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md 
@@ -16,13 +16,35 @@ author: jdeckerMS - Windows 10 - Windows 10 Mobile +In Windows 10, Version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call. + You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone. ## Prerequisites + - Both phone and PC must be running Windows 10, Version 1607. + - Both phone and PC must have Bluetooth. + - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. + - The phone must be joined to Azure AD or have a work account added. + - VPN configuration profile must use certificate-based authentication. +## Set policies and get the app + +To enable phone sign-in, you must enable the following policies using Group Policy or MDM. + +- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work** + - Enable **Use Microsoft Passport for Work** + - Enable **Remote Passport** +- MDM: + - Set **UsePassportForWork** to **True** + - Set **Remote\UseRemotePassport** to **True** + +To distribute the **Phone Sign-in** app, your organization must have set up Windows Store for Business, with Microsoft added as a Line of Business (LOB) publisher. + - The **Phone Sign-in** app must be added to Windows Store for Business for your organization. + - Users must install the **Phone sign-in** app on the phone. +[Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote) ## Related topics 
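Review bot: The intro sentence says users can "sign in to Office 365 in a browser", but the title, prerequisites and policies that follow cover only PC and VPN sign-in; either document what the browser case requires or drop the claim. The policy names given here ("Use Microsoft Passport for Work", "Remote Passport", "UsePassportForWork", "Remote\UseRemotePassport") are the pre-rename names; patch 8 renames the Group Policy entries to "Use Windows Hello for Business" and "Phone Sign-in" in the policy table but does not touch this topic, so the two pages will disagree as soon as the series merges. Also, the "Prerequisites" list is indented by one space, which is inconsistent with the unindented list under "Set policies and get the app".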
diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index 74cebb3914..d552d29f2b 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -55,14 +55,16 @@ If your policy allows it, people can add Windows Hello to their Passport. Window ## Use a phone to sign in to a PC If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Microsoft Passport credentials. -> **Note:**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. +   **Prerequisites:** - The PC must be joined to the Active Directory domain or Azure AD cloud domain. - The PC must have Bluetooth connectivity. - The phone must be joined to the Azure AD cloud domain, or the user must have added a work account to their personal phone. -- The free **Phone Sign-in** app must be installed on the phone. +- The **Phone Sign-in** app must be installed on the phone. + **Pair the PC and phone** + 1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing. ![bluetooth pairing](images/btpair.png) @@ -72,9 +74,11 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows ![bluetooth pairing passcode](images/bt-passcode.png) 3. On the PC, tap **Yes**. + **Sign in to PC using the phone** + 1. Open the **Phone Sign-in** app and tap the name of the PC to sign in to. - > **Note: **  The first time that you run the Phone-Sign app, you must add an account. + > **Note: **  The first time that you run the **Phone Sign-in** app, you must add an account.   2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account. 
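Review bot: The changed line keeps "**Note: **" with a space before the closing "**", so it will not render as bold; write "**Note:**". This hunk removes the "limited to select Technology Adoption Program (TAP) participants" note from this topic, but the same note is still present in manage-identity-verification-using-microsoft-passport.md (patch 1 only converted it to a blockquote) and in the Phone Sign-in row of the policy table changed in patch 8; remove all three together or none, since the new enable-phone-signin topic states the feature ships in Version 1607.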
From 260f07612b003448d601a68af10792e7edded880 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 May 2016 13:01:28 -0700 Subject: [PATCH 7/8] sync to change branches --- windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md index 9efc567dde..96d6474d1c 100644 --- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md +++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md @@ -16,7 +16,9 @@ author: jdeckerMS - Windows 10 - Windows 10 Mobile -In Windows 10, Version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call. +In Windows 10, Version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call or to remember a PIN -- just tap the app. + + (add screenshot when I can get the app working) You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone. From 3ec6ea296572a415c29cd241e53e4cdd8174fa87 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 7 Jun 2016 09:54:46 -0700 Subject: [PATCH 8/8] policy name changes --- ...microsoft-passport-in-your-organization.md | 64 ++++++++++--------- 1 file changed, 33 insertions(+), 31 deletions(-) diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 37f424549a..d201710b4a 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md 
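Review bot: The added line "(add screenshot when I can get the app working)" is an author TODO, not content, and should not be committed to the published topic; remove it or replace it with the image. The same sentence now promises "no need to wait for a phone call or to remember a PIN -- just tap the app", while step 2 of "Sign in to PC using the phone" in patch 6 tells the user to "Enter the work PIN that you set up"; one of the two is wrong and the two topics should agree.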
+++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -23,10 +23,10 @@ You can create a Group Policy or mobile device management (MDM) policy that will <<<<<<< HEAD -The following table lists the Group Policy settings that you can configure for Passport use in your workplace. *These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**.* +The following table lists the Group Policy settings that you can configure for Passport use in your workplace. *These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.* ======= -The following table lists the Group Policy settings that you can configure for Passport use in your workplace. These policy settings are available in **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**. +The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. >>>>>>> refs/remotes/origin/rs1
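Review bot: This hunk commits unresolved merge-conflict markers ("<<<<<<< HEAD", "=======", ">>>>>>> refs/remotes/origin/rs1") into the topic; resolve them before merging. The two sides also disagree on substance: HEAD says the settings are under both User configuration and Computer Configuration and still says "Passport use", while the rs1 side says Computer Configuration only and has already changed the wording to "Hello use". Keep one version, verify the policy location against the Windows Hello for Business ADMX, and apply the rename consistently in the surviving sentence.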
@@ -34,21 +34,21 @@ The following table lists the Group Policy settings that you can configure for P - + @@ -128,23 +128,23 @@ The following table lists the Group Policy settings that you can configure for P - +
Options
Use Microsoft Passport for WorkUse Windows Hello for Business -

Not configured: Users can provision Passport for Work, which encrypts their domain password.

-

Enabled: Device provisions Passport for Work using keys or certificates for all users.

-

Disabled: Device does not provision Passport for Work for any user.

+

Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.

+

Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.

+

Disabled: Device does not provision Windows Hello for Business for any user.

Use a hardware security device -

Not configured: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

-

Enabled: Passport for Work will only be provisioned using TPM.

-

Disabled: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+

Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+

Enabled: Windows Hello for Business will only be provisioned using TPM.

+

Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

Remote PassportPhone Sign-in -

Use Remote Passport

+

Use Phone Sign-in

Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
 
-

Not configured: Remote Passport is disabled.

+

Not configured: Phone sign-in is disabled.

Enabled: Users can use a portable, registered device as a companion device for desktop authentication.

-

Disabled: Remote Passport is disabled.

+

Disabled: Phone sign-in is disabled.

## MDM policy settings for Passport -The following table lists the MDM policy settings that you can configure for Passport use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070). +The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070). @@ -158,9 +158,9 @@ The following table lists the MDM policy settings that you can configure for Pas @@ -170,8 +170,8 @@ The following table lists the MDM policy settings that you can configure for Pas @@ -182,8 +182,8 @@ The following table lists the MDM policy settings that you can configure for Pas @@ -282,8 +282,8 @@ The following table lists the MDM policy settings that you can configure for Pas
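Review bot: The "Phone Sign-in" row in the Group Policy table keeps the context line "Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants", which patch 6 removes from prepare-people-to-use-microsoft-passport.md because the feature ships in Version 1607; drop it here too or restore it there. The "Not configured" text for "Use Windows Hello for Business" still says users "can provision Windows Hello for Business, which encrypts their domain password", whereas the "Enabled" text says provisioning uses "keys or certificates"; given the "difference between Passport and Passport for Work" section added in patch 1, the "Not configured" row appears to describe the convenience PIN, and the wording should say which one is meant.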
PolicyDevice True -

True: Passport will be provisioned for all users on the device.

-

False: Users will not be able to provision Passport.

-
Note  If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.
+

True: Windows Hello for Business will be provisioned for all users on the device.

+

False: Users will not be able to provision Windows Hello for Business.

+
Note  If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.
 
Device False -

True: Passport will only be provisioned using TPM.

-

False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+

True: Windows Hello for Business will only be provisioned using TPM.

+

False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

Device False -

True: Biometrics can be used as a gesture in place of a PIN for domain logon.

-

False: Only a PIN can be used as a gesture for domain logon.

+

True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.

+

False: Only a PIN can be used as a gesture for domain sign-in.

Device or user False -

True: Remote Passport is enabled.

-

False: Remote Passport is disabled.

+

True: Phone sign-in is enabled.

+

False: Phone sign0in is disabled.

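Review bot: Typo on the changed line "False: Phone sign0in is disabled." should be "Phone sign-in is disabled." The intro sentence of this section is renamed to "Windows Hello for Business", but the link text still reads "PassportForWork configuration service provider (CSP)" and the node names in the table (UsePassportForWork, Remote\UseRemotePassport) keep the old name; if the CSP and its nodes are unchanged by the rename, add one sentence saying so, otherwise readers will look for a renamed CSP.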
@@ -293,7 +293,7 @@ If policy is not configured to explicitly require letters or special characters,   ## Prerequisites -You’ll need this software to set Microsoft Passport policies in your enterprise. +You’ll need this software to set Windows Hello for Business policies in your enterprise. @@ -303,7 +303,7 @@ You’ll need this software to set Microsoft Passport policies in your enterpris - + @@ -349,14 +349,16 @@ You’ll need this software to set Microsoft Passport policies in your enterpris
Microsoft Passport modeWindows Hello for Business mode Azure AD Active Directory (AD) on-premises (available with production release of Windows Server 2016 Technical Preview) Azure AD/AD hybrid (available with production release of Windows Server 2016 Technical Preview)
  -Configuration Manager and MDM provide the ability to manage Passport policy and to deploy and manage certificates protected by Passport. -Azure AD provides the ability to register devices with your enterprise and to provision Passport for organization accounts. -Active Directory provides the ability to authorize users and devices using keys protected by Passport if domain controllers are running Windows 10 and the Microsoft Passport provisioning service in Windows 10 AD FS. +Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business. -## Passport for BYOD +Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. -Passport can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Passport PIN for unlocking the device and a separate work PIN for access to work resources. -The work PIN is managed using the same Passport policies that you can use to manage Passport on organization owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244). +Active Directory provides the ability to authorize users and devices using keys protected by Windows Hello for Business if domain controllers are running Windows 10 and the Windows Hello for Business provisioning service in Windows 10 AD FS. + +## Windows Hello for BYOD + +Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and a separate work PIN for access to work resources. 
+The work PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244). ## Related topics
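Review bot: The changed sentence "Active Directory provides the ability to authorize users and devices using keys protected by Windows Hello for Business if domain controllers are running Windows 10 and the Windows Hello for Business provisioning service in Windows 10 AD FS" names a client OS for domain controllers and AD FS, while the table just above says the on-premises and hybrid modes are "available with production release of Windows Server 2016 Technical Preview"; since this line is being rewritten anyway, correct it to the server release the table names. The split of the prerequisites paragraph into three paragraphs and the rename to "Windows Hello for BYOD" otherwise read correctly.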