Merge remote-tracking branch 'refs/remotes/origin/jdngcrs' into rs1

2025-05-15 14:57:23 +00:00 · 2016-06-07 09:55:26 -07:00 · 2016-06-07 09:55:26 -07:00 · 8910dcb3ba
commit 8910dcb3ba
parent 9977085238 3ec6ea2965
5 changed files with 141 additions and 33 deletions
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@ -6,6 +6,7 @@
 ### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md)
 ## [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
 ### [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
 ### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
 ### [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
 ### [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
 ### [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
--- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
+++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
@ -0,0 +1,75 @@
 ---
 title: Enable phone sign-in to PC or VPN (Windows 10)
 description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone.
 keywords: ["identity", "PIN", "biometric", "Hello"]
 ms.prod: W10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: jdeckerMS
 ---
 # Enable phone sign-in to PC or VPN
 **Applies to**
 -   Windows 10
 -   Windows 10 Mobile
 In Windows 10, Version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call or to remember a PIN -- just tap the app.
 (add screenshot when I can get the app working)
 You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone.
 ## Prerequisites
 - Both phone and PC must be running Windows 10, Version 1607.
 - Both phone and PC must have Bluetooth.
 - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
 - The phone must be joined to Azure AD or have a work account added.
 - VPN configuration profile must use certificate-based authentication.
 ## Set policies and get the app
 To enable phone sign-in, you must enable the following policies using Group Policy or MDM.
 -  Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**
    - Enable **Use Microsoft Passport for Work**
    - Enable **Remote Passport**
 - MDM: 
    - Set **UsePassportForWork** to **True**
    - Set **Remote\UseRemotePassport** to **True**
 To distribute the **Phone Sign-in** app, your organization must have set up Windows Store for Business, with Microsoft added as a Line of Business (LOB) publisher.
 - The **Phone Sign-in** app must be added to Windows Store for Business for your organization.
 - Users must install the **Phone sign-in** app on the phone.
 [Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote)
 ## Related topics
 [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
 [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
 [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
 [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
 [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
 [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
 [Event ID 300 - Passport successfully created](passport-event-300.md)
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
+++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
@ -21,28 +21,34 @@ You can create a Group Policy or mobile device management (MDM) policy that will
 ## Group Policy settings for Passport
-The following table lists the Group Policy settings that you can configure for Passport use in your workplace. These policy settings are available in **Computer Configuration** &gt; **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Passport for Work**.
+<<<<<<< HEAD
 The following table lists the Group Policy settings that you can configure for Passport use in your workplace. *These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.*
 =======
 The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in **Computer Configuration** &gt; **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.
 >>>>>>> refs/remotes/origin/rs1
 <table>
 <tr>
 <th colspan="2">Policy</th>
 <th>Options</th>
 </tr>
 <tr>
-<td>Use Microsoft Passport for Work</td>
+<td>Use Windows Hello for Business</td>
 <td></td>
 <td>
-<p><b>Not configured</b>: Users can provision Passport for Work, which encrypts their domain password.</p>
+<p><b>Not configured</b>: Users can provision Windows Hello for Business, which encrypts their domain password.</p>
-<p><b>Enabled</b>: Device provisions Passport for Work using keys or certificates for all users.</p>
+<p><b>Enabled</b>: Device provisions Windows Hello for Business using keys or certificates for all users.</p>
-<p><b>Disabled</b>: Device does not provision Passport for Work for any user.</p>
+<p><b>Disabled</b>: Device does not provision Windows Hello for Business for any user.</p>
 </td>
 </tr>
 <tr>
 <td>Use a hardware security device</td>
 <td></td>
 <td>
-<p><b>Not configured</b>: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
+<p><b>Not configured</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
-<p><b>Enabled</b>: Passport for Work will only be provisioned using TPM.</p>
+<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM.</p>
-<p><b>Disabled</b>: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
+<p><b>Disabled</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
 </td>
 </tr>
 <tr>
@ -122,23 +128,23 @@ The following table lists the Group Policy settings that you can configure for P
 </td>
 </tr>
 <tr>
-<td><a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Remote Passport</a></td>
+<td><a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone Sign-in</a></td>
 <td>
-<p>Use Remote Passport</p>
+<p>Use Phone Sign-in</p>
 <div class="alert"><b>Note</b>  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.</div>
 <div> </div>
 </td>
 <td>
-<p><b>Not configured</b>: Remote Passport is disabled.</p>
+<p><b>Not configured</b>: Phone sign-in is disabled.</p>
 <p><b>Enabled</b>: Users can use a portable, registered device as a companion device for desktop authentication.</p>
-<p><b>Disabled</b>: Remote Passport is disabled.</p>
+<p><b>Disabled</b>: Phone sign-in is disabled.</p>
 </td>
 </tr>
 </table>
 ## MDM policy settings for Passport
-The following table lists the MDM policy settings that you can configure for Passport use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070).
+The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070).
 <table>
 <tr>
 <th colspan="2">Policy</th>
@ -152,9 +158,9 @@ The following table lists the MDM policy settings that you can configure for Pas
 <td>Device</td>
 <td>True</td>
 <td>
-<p>True: Passport will be provisioned for all users on the device.</p>
+<p>True: Windows Hello for Business will be provisioned for all users on the device.</p>
-<p>False: Users will not be able to provision Passport. </p>
+<p>False: Users will not be able to provision Windows Hello for Business. </p>
-<div class="alert"><b>Note</b>  If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.</div>
+<div class="alert"><b>Note</b>  If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.</div>
 <div> </div>
 </td>
 </tr>
@ -164,8 +170,8 @@ The following table lists the MDM policy settings that you can configure for Pas
 <td>Device</td>
 <td>False</td>
 <td>
-<p>True: Passport will only be provisioned using TPM.</p>
+<p>True: Windows Hello for Business will only be provisioned using TPM.</p>
-<p>False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
+<p>False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
 </td>
 </tr>
 <tr>
@ -176,8 +182,8 @@ The following table lists the MDM policy settings that you can configure for Pas
 <td>Device </td>
 <td>False</td>
 <td>
-<p>True: Biometrics can be used as a gesture in place of a PIN for domain logon.</p>
+<p>True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.</p>
-<p>False: Only a PIN can be used as a gesture for domain logon.</p>
+<p>False: Only a PIN can be used as a gesture for domain sign-in.</p>
 </td>
 </tr>
 <tr>
@ -276,8 +282,8 @@ The following table lists the MDM policy settings that you can configure for Pas
 <td>Device or user</td>
 <td>False</td>
 <td>
-<p>True: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Remote Passport</a> is enabled.</p>
+<p>True: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone sign-in</a> is enabled.</p>
-<p>False: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Remote Passport</a> is disabled.</p>
+<p>False: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone sign0in</a> is disabled.</p>
 </td>
 </tr>
 </table>
@ -287,7 +293,7 @@ If policy is not configured to explicitly require letters or special characters,
 ## Prerequisites
-You’ll need this software to set Microsoft Passport policies in your enterprise.
+You’ll need this software to set Windows Hello for Business policies in your enterprise.
 <table>
 <colgroup>
 <col width="25%" />
@ -297,7 +303,7 @@ You’ll need this software to set Microsoft Passport policies in your enterpris
 </colgroup>
 <thead>
 <tr class="header">
-<th align="left">Microsoft Passport mode</th>
+<th align="left">Windows Hello for Business mode</th>
 <th align="left">Azure AD</th>
 <th align="left">Active Directory (AD) on-premises (available with production release of Windows Server 2016 Technical Preview)</th>
 <th align="left">Azure AD/AD hybrid (available with production release of Windows Server 2016 Technical Preview)</th>
@ -343,14 +349,16 @@ You’ll need this software to set Microsoft Passport policies in your enterpris
 </tbody>
 </table>
-Configuration Manager and MDM provide the ability to manage Passport policy and to deploy and manage certificates protected by Passport.
+Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business.
 Azure AD provides the ability to register devices with your enterprise and to provision Passport for organization accounts.
 Active Directory provides the ability to authorize users and devices using keys protected by Passport if domain controllers are running Windows 10 and the Microsoft Passport provisioning service in Windows 10 AD FS.
-## Passport for BYOD
+Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts.
-Passport can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Passport PIN for unlocking the device and a separate work PIN for access to work resources.
+Active Directory provides the ability to authorize users and devices using keys protected by Windows Hello for Business if domain controllers are running Windows 10 and the Windows Hello for Business provisioning service in Windows 10 AD FS.
-The work PIN is managed using the same Passport policies that you can use to manage Passport on organization owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244).
+
 ## Windows Hello for BYOD
 Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and a separate work PIN for access to work resources.
 The work PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244).
 ## Related topics
--- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
+++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
@ -33,6 +33,12 @@ After an initial two-step verification of the user during Passport enrollment, P
 As an administrator in an enterprise or educational organization, you can create policies to manage Passport use on Windows 10-based devices that connect to your organization.
 ## The difference between Passport and Passport for Work
 *Individuals can create a PIN or Hello gesture on their personal devices for convenient sign-in. This use of Passport provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication.** 
 *Passport for Work, which is configured by Group Policy or MDM policy, used key-based or certificate-based authentication. *
 ## Benefits of Microsoft Passport
 Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
@ -46,7 +52,13 @@ Imagine that someone is looking over your shoulder as you get money from an ATM
 Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs.
 Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the user’s Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
 <<<<<<< HEAD
 > **Note**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
 =======
 > **Note:**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
 >>>>>>> refs/remotes/origin/rs1
 ## How Microsoft Passport works: key points
@ -56,7 +68,13 @@ Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remo
 -   Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Passport gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
 -   Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process.
 -   PIN entry and Hello both trigger Windows 10 to verify the user's identity and authenticate using Passport keys or certificates.
 <<<<<<< HEAD
 -   *Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.*
 =======
 -   Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use separate containers for keys. Non-Microsoft identity providers can generate keys for their users in the same container as the Microsoft account; however, all keys are separated by identity providers' domains to help ensure user privacy.
 >>>>>>> refs/remotes/origin/rs1
 -   Certificates are added to the Passport container and are protected by the Passport gesture.
 -   Windows Update behavior: After a reboot is required by Windows Update, the last interactive user is automatically signed on without any user gesture and the session is locked so the user's lock screen apps can run.
@ -91,6 +109,8 @@ When identity providers such as Active Directory or Azure AD enroll a certificat
 [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
 [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
 [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
 [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
--- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
+++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
@ -55,14 +55,16 @@ If your policy allows it, people can add Windows Hello to their Passport. Window
 ## <a href="" id="bmk-remote"></a>Use a phone to sign in to a PC
 If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Microsoft Passport credentials.
-> **Note:**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+
 **Prerequisites:**
 -   The PC must be joined to the Active Directory domain or Azure AD cloud domain.
 -   The PC must have Bluetooth connectivity.
 -   The phone must be joined to the Azure AD cloud domain, or the user must have added a work account to their personal phone.
-   The free **Phone Sign-in** app must be installed on the phone.
+-   The **Phone Sign-in** app must be installed on the phone.
 **Pair the PC and phone**
 1.  On the PC, go to **Settings** &gt; **Devices** &gt; **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing.
    ![bluetooth pairing](images/btpair.png)
@ -72,9 +74,11 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows
    ![bluetooth pairing passcode](images/bt-passcode.png)
 3.  On the PC, tap **Yes**.
 **Sign in to PC using the phone**
 1.  Open the **Phone Sign-in** app and tap the name of the PC to sign in to.
-    > **Note: **  The first time that you run the Phone-Sign app, you must add an account.
+    > **Note: **  The first time that you run the **Phone Sign-in** app, you must add an account.
 2.  Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.