Merge remote-tracking branch 'refs/remotes/origin/jdngcrs' into rs1

This commit is contained in:
jdeckerMS 2016-07-06 13:12:23 -07:00
commit 92b482cbfe
19 changed files with 266 additions and 164 deletions

View File

@ -4,15 +4,15 @@
## [Device Guard certification and compliance](device-guard-certification-and-compliance.md)
### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md)
### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md)
## [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
### [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
### [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
### [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
### [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
### [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
### [Event ID 300 - Passport successfully created](passport-event-300.md)
## [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
### [Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
### [Windows Hello and password changes](microsoft-passport-and-password-changes.md)
### [Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
### [Event ID 300 - Windows Hello successfully created](passport-event-300.md)
### [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
## [Protect derived domain credentials with Credential Guard](credential-guard.md)
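Review bot: "Windows Hello biometrics in the enterprise" (windows-hello-in-enterprise.md) appears twice in this TOC hunk, once as a level-2 entry and again as a level-3 entry nested under itself; keep one of them. Note also that the Passport-titled and Hello-titled entries for "Manage identity verification" and "Implement … in your organization" point at the same .md files, so if the Passport lines are not the removed side of this hunk the rename leaves duplicate TOC entries for one page.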

View File

@ -16,7 +16,7 @@ author: jdeckerMS
- Windows 10
- Windows 10 Mobile
In Windows 10, Version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call or to remember a PIN -- just tap the app.
In Windows 10, Version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app.
(add screenshot when I can get the app working)
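Review bot: the author placeholder "(add screenshot when I can get the app working)" is still in the page body and would be published as-is; remove it or turn it into a tracked follow-up before this merges. The reworded sentence ("just unlock the phone and tap the app") reads fine.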
@ -25,6 +25,7 @@ You can create a Group Policy or mobile device management (MDM) policy that will
## Prerequisites
- Both phone and PC must be running Windows 10, Version 1607.
- The PC must be running Windows 10 Pro, Enterprise, or Education
- Both phone and PC must have Bluetooth.
- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
- The phone must be joined to Azure AD or have a work account added.
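Review bot: the new bullet "The PC must be running Windows 10 Pro, Enterprise, or Education" is missing the terminal period that every sibling bullet in the list has.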
@ -34,35 +35,35 @@ You can create a Group Policy or mobile device management (MDM) policy that will
To enable phone sign-in, you must enable the following policies using Group Policy or MDM.
- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**
- Enable **Use Microsoft Passport for Work**
- Enable **Remote Passport**
- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**
- Enable **Use Windows Hello for Business**
- Enable **Phone Sign-in**
- MDM:
- Set **UsePassportForWork** to **True**
- Set **Remote\UseRemotePassport** to **True**
To distribute the **Phone Sign-in** app, your organization must have set up Windows Store for Business, with Microsoft added as a Line of Business (LOB) publisher.
- The **Phone Sign-in** app must be added to Windows Store for Business for your organization.
- Users must install the **Phone sign-in** app on the phone.
Everyone can get the **Microsoft Authenticator** app from the Windows Store. If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a Line of Business (LOB) publisher.
[Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote)
## Related topics
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
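Review bot: the Group Policy path was renamed to **Windows Hello for Business** / **Phone Sign-in**, but the MDM bullets still say **UsePassportForWork** and **Remote\UseRemotePassport**; confirm the CSP setting names are intentionally left as-is (CSP node names do not necessarily follow the UI rename) rather than overlooked. Two smaller points in the same hunk: "Phone Sign-in" and "Phone sign-in" are capitalised differently on adjacent lines, and the Phone Sign-in paragraph and the Microsoft Authenticator paragraph describe two different apps for the same purpose; if both survive the diff the page contradicts itself about which app users must install.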
 

View File

@ -1,6 +1,6 @@
---
title: Implement Microsoft Passport in your organization (Windows 10)
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10.
title: Implement Windows Hello in your organization (Windows 10)
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8
keywords: identity, PIN, biometric, Hello
ms.prod: w10
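Review bot: the new front-matter title says "Implement Windows Hello in your organization" while the new description (and the page H1 in the next hunk) says "Windows Hello for Business"; the two names are different products per the page's own "difference between Windows Hello and Windows Hello for Business" section, so the title should say "for Business".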
@ -10,24 +10,20 @@ ms.pagetype: security
author: jdeckerMS
---
# Implement Microsoft Passport in your organization
# Implement Windows Hello for Business in your organization
**Applies to**
- Windows 10
- Windows 10 Mobile
You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10.
> **Important:** The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. Use **Microsoft Passport for Work** policy settings to manage PINs.
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
> **Important:** The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. Use **Windows Hello for Business** policy settings to manage PINs.
 
## Group Policy settings for Passport
<<<<<<< HEAD
The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.
The following table lists the Group Policy settings that you can configure for Passport use in your workplace. *These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.*
=======
The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in **Computer Configuration** &gt; **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.
>>>>>>> refs/remotes/origin/rs1
<table>
<tr>
<th colspan="2">Policy</th>
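Review bot: this hunk commits unresolved conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> refs/remotes/origin/rs1`) into the published page; resolve them before merging. The two sides disagree on substance, not just wording: HEAD says the settings exist under both **User configuration** and **Computer Configuration**, rs1 says **Computer Configuration** only, so pick the one that matches the shipped ADMX rather than keeping both. Also the section heading "## Group Policy settings for Passport" still carries the old name, and the HEAD-side sentence is wrapped in stray `*` characters.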
@ -283,7 +279,7 @@ The following table lists the MDM policy settings that you can configure for Win
<td>False</td>
<td>
<p>True: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone sign-in</a> is enabled.</p>
<p>False: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone sign0in</a> is disabled.</p>
<p>False: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone sign-in</a> is disabled.</p>
</td>
</tr>
</table>
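Review bot: the "sign0in" typo fix is correct, but both links in this cell use the anchor `#BMK_remote` while the same target is linked as `#bmk-remote` in enable-phone-signin-to-pc-and-vpn.md and manage-identity-verification-using-microsoft-passport.md; generated heading anchors are normally lowercase, so check which form exists in prepare-people-to-use-microsoft-passport.md and use it in all three pages.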
@ -366,14 +362,17 @@ The work PIN is managed using the same Windows Hello for Business policies that
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 

View File

@ -19,8 +19,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
| [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, weve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. |
| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isnt trusted it cant run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
| [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. |
| [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) | Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. |
| [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
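Review bot: the hunk counts (8 lines before, 7 after) mean that, besides replacing the Passport row with the Windows Hello for Business row, this change also drops the "Windows Hello biometrics in the enterprise" row from the index table, while the TOC in this same commit still lists that topic; confirm the removal is intended. Separately, the unchanged rows contain "weve", "isnt" and "cant" with the apostrophes lost, which looks like an encoding problem worth a follow-up.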

View File

@ -1,6 +1,6 @@
---
title: Manage identity verification using Microsoft Passport (Windows 10)
description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN.
title: Manage identity verification using Windows Hello for Business (Windows 10)
description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
keywords: identity, PIN, biometric, Hello
ms.prod: w10
@ -9,83 +9,79 @@ ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerMS
---
# Manage identity verification using Microsoft Passport
# Manage identity verification using Windows Hello for Business
**Applies to**
- Windows 10
- Windows 10 Mobile
In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN.
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
Passport addresses the following problems with passwords:
> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Hello addresses the following problems with passwords:
- Passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials.
- Passwords can be subject to [replay attacks](http://go.microsoft.com/fwlink/p/?LinkId=615673).
- Users can inadvertently expose their passwords due to [phishing attacks](http://go.microsoft.com/fwlink/p/?LinkId=615674).
Passport lets users authenticate to:
Hello lets users authenticate to:
- a Microsoft account.
- an Active Directory account.
- a Microsoft Azure Active Directory (AD) account.
- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication
After an initial two-step verification of the user during Passport enrollment, Passport is set up on the user's device and the user is asked to set a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify their identity. Windows then uses Passport to authenticate users and help them to access protected resources and services.
After an initial two-step verification of the user during enrollment, Hello is set up on the user's device and the user is asked to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Hello to authenticate users and help them to access protected resources and services.
As an administrator in an enterprise or educational organization, you can create policies to manage Passport use on Windows 10-based devices that connect to your organization.
As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization.
## The difference between Passport and Passport for Work
*Individuals can create a PIN or Hello gesture on their personal devices for convenient sign-in. This use of Passport provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication.**
*Passport for Work, which is configured by Group Policy or MDM policy, used key-based or certificate-based authentication. *
## The difference between Windows Hello and Windows Hello for Business
- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication.
- Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication.
## Benefits of Microsoft Passport
Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials.
In Windows 10, Passport replaces passwords. The Passport provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Passport enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Passport keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Passport keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Passport key is created in software.
In Windows 10, Hello replaces passwords. The Hello provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software.
![how authentication works in microsoft passport](images/authflow.png)
Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.
Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs.
Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs.
Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the users Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
<<<<<<< HEAD
Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the users Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
> **Note**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
=======
> **Note:**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
>>>>>>> refs/remotes/origin/rs1
 
## How Microsoft Passport works: key points
## How Windows Hello for Business works: key points
- Passport credentials are based on certificate or asymmetrical key pair. Passport credentials are bound to the device, and the token that is obtained using the credential is also bound to the device.
- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Microsoft Passport's public key to a user account during the registration step.
- Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device.
- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step.
- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy.
- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Passport gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
- Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process.
- PIN entry and Hello both trigger Windows 10 to verify the user's identity and authenticate using Passport keys or certificates.
<<<<<<< HEAD
- PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates.
- *Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.*
=======
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use separate containers for keys. Non-Microsoft identity providers can generate keys for their users in the same container as the Microsoft account; however, all keys are separated by identity providers' domains to help ensure user privacy.
>>>>>>> refs/remotes/origin/rs1
- Certificates are added to the Passport container and are protected by the Passport gesture.
- Certificates are added to the Hello container and are protected by the Hello gesture.
- Windows Update behavior: After a reboot is required by Windows Update, the last interactive user is automatically signed on without any user gesture and the session is locked so the user's lock screen apps can run.
## Comparing key-based and certificate-based authentication
Passport can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Passport. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Passport.
Windows Hello for Business can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Hello.
Hardware-based keys, which are generated by TPM, provide the highest level of assurance. When the TPM is manufactured, an Endorsement Key (EK) certificate is resident in the TPM. This EK certificate creates a root trust for all other keys that are generated on this TPM.
EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Passport keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected.
EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Hello keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected.
When identity providers such as Active Directory or Azure AD enroll a certificate in Passport, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported.
When identity providers such as Active Directory or Azure AD enroll a certificate in Hello, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported.
## Learn more
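Review bot: this hunk commits two sets of unresolved conflict markers. The second one is a factual contradiction about key isolation, which matters for a security page: HEAD says personal and corporate accounts "use a single container for keys", rs1 says they "use separate containers for keys" and that only non-Microsoft identity providers share the Microsoft account container; resolve to whichever is correct rather than merging mechanically. Typos in the added text: "identify provider" should be "identity provider" (in the Benefits paragraph and the "Identify provider (such as Active Directory …)" bullet), "asymmetrical key pair" should be "asymmetric key pair", and "the users Windows 10 Mobile device" is missing its apostrophe.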
@ -107,17 +103,19 @@ When identity providers such as Active Directory or Azure AD enroll a certificat
## Related topics
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
 
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 

View File

@ -1,6 +1,6 @@
---
title: Microsoft Passport and password changes (Windows 10)
description: When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device.
title: Windows Hello and password changes (Windows 10)
description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55
ms.prod: w10
ms.mktglfcycl: deploy
@ -14,17 +14,17 @@ author: jdeckerMS
- Windows 10
- Windows 10 Mobile
When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. You can set up Passport for the same account on multiple devices. If the PIN or biometric is configured as part of a Microsoft Passport for Work, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Microsoft Passport for Work is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Passport.
When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
## Example
Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account.
Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part.
Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Passport on **Device A** knows will be outdated.
> **Note:**  This example also applies to an Active Directory account when [Passport for Work is not implemented](implement-microsoft-passport-in-your-organization.md).
Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
> **Note:**  This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md).
 
## How to update Passport after you change your password on another device
## How to update Hello after you change your password on another device
1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.**
2. Click **OK.**
@ -35,16 +35,19 @@ Suppose instead that you sign in on **Device B** and change your password for yo
## Related topics
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 

View File

@ -1,6 +1,6 @@
---
title: Microsoft Passport errors during PIN creation (Windows 10)
description: When you set up Microsoft Passport in Windows 10, you may get an error during the Create a work PIN step.
title: Windows Hello errors during PIN creation (Windows 10)
description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step.
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
keywords: PIN, error, create a work PIN
ms.prod: w10
@ -10,13 +10,13 @@ ms.pagetype: security
author: jdeckerMS
---
# Microsoft Passport errors during PIN creation
# Windows Hello errors during PIN creation
**Applies to**
- Windows 10
- Windows 10 Mobile
When you set up Microsoft Passport in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
When you set up Windows Hello in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
## Where is the error code?
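Review bot: the renamed sentence `When you set up Windows Hello in Windows 10, you may get an error during the **Create a work PIN** step.` (and the title and heading above it) should say Windows Hello for Business. The **Create a work PIN** step belongs to work-account enrollment, and the other files in this commit use "Windows Hello for Business" for that flow; as written, a reader with a consumer PIN will look here for error codes that do not apply to them.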
@ -221,14 +221,18 @@ For errors listed in this table, contact Microsoft Support for assistance.
## Related topics
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)

View File

@ -1,6 +1,6 @@
---
title: Event ID 300 - Passport successfully created (Windows 10)
description: This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD).
title: Event ID 300 - Windows Hello successfully created (Windows 10)
description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04
keywords: ngc
ms.prod: w10
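Review bot: leftover article in the new description. `description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).` reads "a Windows Hello for Business"; the body of this file in the `@ -10,13 +10,13` hunk already drops it ("This event is created when Windows Hello for Business is successfully created"). Make the description match the body.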
@ -10,13 +10,13 @@ ms.pagetype: security
author: jdeckerMS
---
# Event ID 300 - Passport successfully created
# Event ID 300 - Windows Hello successfully created
**Applies to**
- Windows 10
- Windows 10 Mobile
This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.
This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.
## Event details
| | |
@ -34,9 +34,20 @@ This is a normal condition. No further action is required.
## Related topics
- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
- [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
- [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
- [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)

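Review bot: the first entry of the rewritten list was not renamed: `[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)`, while the equivalent entry in every other related-topics list in this commit reads "Manage identity verification using Windows Hello for Business". The list also switches from `- ` bullets to bare lines and now links to this topic itself (`[Event ID 300 - Windows Hello successfully created](passport-event-300.md)`); drop the self-link and keep a single list style.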
View File

@ -1,6 +1,6 @@
---
title: Prepare people to use Microsoft Passport (Windows 10)
description: When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization.
title: Prepare people to use Windows Hello (Windows 10)
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B
keywords: identity, PIN, biometric, Hello
ms.prod: w10
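Review bot: title and description now disagree on the product name: `title: Prepare people to use Windows Hello (Windows 10)` versus `description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.` The topic is about the work-PIN policy, so either the title should carry "for Business" as well, or the description should use the shorter form that the title and the related-topics links use.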
@ -16,13 +16,13 @@ author: jdeckerMS
- Windows 10
- Windows 10 Mobile
When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization by explaining how to use Passport.
When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
After enrollment in Passport, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Passport.
Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello.
People who are currently using virtual smart cards for authentication can use their virtual smart card to verify their identity when they set up Passport.
People who are currently using virtual smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
## On devices owned by the organization
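Review bot: `Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello.` is only true for Windows Hello for Business, where sign-in is backed by a key or certificate. The password-changes topic in this same commit says that without Windows Hello for Business a password change forces a password sign-in on every other device. Since this paragraph follows the sentence about a policy requiring Windows Hello for Business, say "Windows Hello for Business" here so the claim is scoped correctly.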
@ -36,32 +36,30 @@ Next, they select a way to connect. Tell the people in your enterprise which opt
They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a work PIN** screen displays any complexity requirements that you have set, such as minimum length.
After Passport is set up, people use their PIN to unlock the device, and that will automatically log them on.
After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on.
## On personal devices
People who want to access work resources on their personal devices can add a work or school account in **Settings** &gt; **Accounts** &gt; **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials. (This work account gesture doesn't affect the device unlock PIN.)
Assure people that their work credentials and personal credentials are stored in separate containers; the enterprise has no access to their personal credentials.
People can go to **Settings** &gt; **Accounts** &gt; **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device.
## Using Windows Hello and biometrics
If your policy allows it, people can add Windows Hello to their Passport. Windows Hello can be fingerprint, iris, and facial recognition, and is available to users only if the hardware supports it.
If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png)
## <a href="" id="bmk-remote"></a>Use a phone to sign in to a PC
If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Microsoft Passport credentials.
If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials.
 
**Prerequisites:**
- The PC must be joined to the Active Directory domain or Azure AD cloud domain.
- The PC must have Bluetooth connectivity.
- The phone must be joined to the Azure AD cloud domain, or the user must have added a work account to their personal phone.
- The **Phone Sign-in** app must be installed on the phone.
- The **Microsoft Authenticator** app must be installed on the phone.
**Pair the PC and phone**
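Review bot: the renamed sentence `... use an app on the phone to sign in to the PC using their Windows Hello credentials.` should say Windows Hello for Business. The prerequisites directly below it require an Azure AD-joined phone or a work account on a personal phone, so the credential in play is the work one, and the earlier line in this hunk (`people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business`) already uses the full name.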
@ -77,21 +75,25 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows
**Sign in to PC using the phone**
1. Open the **Phone Sign-in** app and tap the name of the PC to sign in to.
> **Note: **  The first time that you run the **Phone Sign-in** app, you must add an account.
1. Open the **Microsoft Authenticator** app and tap the name of the PC to sign in to.
> **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account.
 
2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.
## Related topics
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)

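Review bot: a Markdown defect is carried into the renamed note. `> **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account.` has a space before the closing `**`, and a closing emphasis delimiter cannot be preceded by whitespace, so "Note:" will render with literal asterisks instead of bold. Use `> **Note:**  The first time ...`, the form the other notes in this commit use. The removed line had the same defect, so this is a chance to fix it rather than a regression.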
View File

@ -1,8 +1,8 @@
---
title: Why a PIN is better than a password (Windows 10)
description: Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .
description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .
ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212
keywords: pin, security, password
keywords: pin, security, password, hello
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
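Review bot: the typo in the old description survives in the new one. `description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .` still has a space before the final period; remove it while the line is being touched.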
@ -16,36 +16,36 @@ author: jdeckerMS
- Windows 10
- Windows 10 Mobile
Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Passport PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
## PIN is tied to the device
One important difference between a password and a Passport PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Passport on each device.
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
## PIN is local to the device
A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server.
When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
> **Note:**  For details on how Passport uses asymetric key pairs for authentication, see [Microsoft Passport guide](http://go.microsoft.com/fwlink/p/?LinkId=691928).
> **Note:**  For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](http://go.microsoft.com/fwlink/p/?LinkId=691928).
 
## PIN is backed by hardware
The Passport PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Microsoft Passport uses asymmetrical key pairs, users credentials cant be stolen in cases where the identity provider or websites the user accesses have been compromised.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users credentials cant be stolen in cases where the identity provider or websites the user accesses have been compromised.
The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
## PIN can be complex
The Passport PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
## What if someone steals the laptop or phone?
To compromise a Microsoft Passport credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the users biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device.
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the users biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device.
You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins.
**Configure BitLocker without TPM**
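Review bot: two spelling errors survive in this hunk: `asymetric` in `> **Note:**  For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](...)` should be "asymmetric", and `enablng` in `You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins.` should be "enabling". The renamed paragraph `Because Hello uses asymmetrical key pairs, users credentials cant be stolen ...` has also lost the apostrophes in "users'" and "can't". Since the note's link text still says "Microsoft Passport guide" after the product rename, consider updating the text while keeping the link target.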
@ -63,13 +63,13 @@ You can provide additional protection for laptops that don't have TPM by enablng
2. Set the number of invalid logon attempts to allow, and then click OK.
## Why do you need a PIN to use Windows Hello?
Windows Hello is the biometric sign-in for Microsoft Passport in Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using Passport when you cant use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you cant use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account name and password, which doesn't provide you the same level of protection as Passport.
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account name and password, which doesn't provide you the same level of protection as Hello.
## Related topics
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
 

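Review bot: the rename left a tautology at `This PIN enables you to sign in using the PIN when you cant use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.`; the removed line said "sign in using Passport". Suggest "This PIN lets you sign in when you can't use your preferred biometric ...". The same line is missing the apostrophe in "can't", as in the previous hunk.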
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
author: jdeckerMS
---
# Windows Hello biometrics in the enterprise
@ -17,21 +17,23 @@ author: eross-msft
Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Because we realize your employees are going to want to use this new technology in your enterprise, weve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.
##How does Windows Hello work?
Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Microsoft Passport credentials.
Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials.
The Windows Hello authenticator works with Microsoft Passport to authenticate and allow employees onto your enterprise network. Authentication doesnt roam among devices, isnt shared with a server, and cant easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesnt roam among devices, isnt shared with a server, and cant easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
## Why should I let my employees use Windows Hello?
Windows Hello provides many benefits, including:
- Combined with Microsoft Passport, it helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, its much more difficult to gain access without the employees knowledge.
- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, its much more difficult to gain access without the employees knowledge.
- Employees get a simple authentication method (backed up with a PIN) thats always with them, so theres nothing to lose. No more forgetting passwords!
- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.<br>For more info about the available Group Policies and MDM CSPs, see the [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) topic.
- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.<br>For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic.
## Where is Microsoft Hello data stored?
The biometric data used to support Windows Hello is stored on the local device only. It doesnt roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still cant be easily converted to a form that could be recognized by the biometric sensor.
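Review bot: wrong product name in the unchanged heading `## Where is Microsoft Hello data stored?`; the feature is called Windows Hello everywhere else in this file, so it should read `## Where is Windows Hello data stored?`. Separately, the new line `The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network.` is what remains after deleting "with Microsoft Passport" and now reads awkwardly; "The Windows Hello authenticator authenticates employees and allows them onto your enterprise network." keeps the meaning.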
@ -72,8 +74,8 @@ To allow facial recognition, you must have devices with integrated special infra
- Effective, real world FRR with Anti-spoofing or liveness detection: &lt;10%
## Related topics
- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
- [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
- [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
- [Microsoft Passport guide](microsoft-passport-guide.md)
- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
- [PassportforWork CSP](http://go.microsoft.com/fwlink/p/?LinkId=708219)

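Review bot: two entries in this list were not renamed while their neighbours were: `- [Microsoft Passport guide](microsoft-passport-guide.md)` and `- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)`. The second topic is linked as "Prepare people to use Windows Hello" in every other related-topics list in this commit; make this list match.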
View File

@ -3,6 +3,7 @@
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
## [Manage corporate devices](manage-corporate-devices.md)
### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)

View File

@ -0,0 +1,80 @@
---
title: Connect to remote Azure Active Directory-joined PC (Windows 10)
description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC.
ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D
keywords: ["MDM", "device management", "RDP", "AADJ"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerMS
---
# Connect to remote Azure Active Directory-joined PC
**Applies to**
- Windows 10
From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD).
![Remote Desktop Connection client](images/rdp.png)
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- [Remote Credential Guard](https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/remote-credential-guard?branch=bl-7475998), a new feature in Windows 10, version 1607, must be disabled on the remote PC.
- On the PC that you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
![Allow remote connections to this computer](images/allow-rdp.png)
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users, click **Select Users**.
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
## Supported configurations
In organizations that have integrated Active Directory and Azure AD, you can connect from a domain-joined PC to an Azure AD-joined PC using:
- Password
- Smartcards
- Windows Hello for Business, if the domain is managed by System Center Configuration Manager
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network using:
- Password
- Smartcards
- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription.
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
- Password
- Smartcards
- Windows Hello for Business, with or without an MDM subscription.
In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
- Password
- Windows Hello for Business, with or without an MDM subscription.
## Related topics
[How to use Remote Desktop](http://windows.microsoft.com/en-us/windows-10/how-to-use-remote-desktop)
[Remote Desktop Connection: frequently asked questions](http://windows.microsoft.com/en-us/windows/remote-desktop-connection-faq#1TC=windows-8) (Windows 8.1 documentation, still applicable to Windows 10)
 
 
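Review bot: the Remote Credential Guard link under "Set up" points at an internal staging host (tnstage.redmond.corp.microsoft.com, with a ?branch= query), which external readers cannot reach; replace it with the relative link `remote-credential-guard.md` in the same style as the other topic links in this commit. Two further points in the same section: step 4 tells readers to enter **Authenticated Users**, which grants Remote Desktop logon to every account that can authenticate, not only the "additional users" step 3 describes, so the text should say so and show how to add specific users or a group instead; and the requirement that Remote Credential Guard "must be disabled on the remote PC" is stated without a reason, which readers will need before they turn off a credential-protection feature.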


View File

@ -124,7 +124,7 @@ Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager &
[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
 
[Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) 
 
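Review bot: the added link line "[Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)" carries a trailing space; strip it so the line matches the surrounding entries.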

View File

@ -8,7 +8,7 @@
## [Enterprise data protection (EDP)](edp-whats-new-overview.md)
## [Enterprise management for Windows 10 devices](device-management.md)
## [Lockdown features from Windows Embedded Industry 8.1](lockdown-features-windows-10.md)
## [Microsoft Passport](microsoft-passport.md)
## [Windows Hello](microsoft-passport.md)
## [Provisioning packages](new-provisioning-packages.md)
## [Security](security.md)
## [Security auditing](security-auditing.md)

View File

@ -64,8 +64,8 @@ Learn about new features in Windows 10 for IT professionals, such as Enterprise
<td align="left"><p>Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Microsoft Passport](microsoft-passport.md)</p></td>
<td align="left"><p>In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.</p></td>
<td align="left"><p>[Windows Hello](microsoft-passport.md)</p></td>
<td align="left"><p>In Windows 10, Windows Hello replaces passwords with strong two-factor authentication that consists of an enrolled device and a PIN or biometric gesture such as a fingerprint.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Provisioning packages](new-provisioning-packages.md)</p></td>

View File

@ -1,8 +1,8 @@
---
title: Microsoft Passport overview (Windows 10)
description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication.
title: Windows Hello overview (Windows 10)
description: In Windows 10, Windows Hello replaces passwords with strong two-factor authentication.
ms.assetid: 292F3BE9-3651-4B20-B83F-85560631EF5B
keywords: password, hello, fingerprint, iris, biometric
keywords: password, hello, fingerprint, iris, biometric, passport
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -10,23 +10,25 @@ ms.pagetype: mobile, security
author: jdeckerMS
---
# Microsoft Passport overview
# Windows Hello overview
**Applies to**
- Windows 10
- Windows 10 Mobile
In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports [Fast ID Online (FIDO)](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services.
Microsoft Passport also enables Windows 10 Mobile devices to be used as a remote credential when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the users Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions
In Windows 10, Windows Hello replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
## Benefits of Microsoft Passport
Windows Hello lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports [Fast ID Online (FIDO)](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication. After an initial two-step verification during Hello enrollment, Hello is set up on the user's device and the user sets a gesture, which can be biometric such as a fingerprint or a PIN. The user provides the gesture to verify identity; Windows then uses Hello to authenticate users and help them to access protected resources and services.
Hello also enables Windows 10 Mobile devices to be used as a remote credential when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the users Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions
- **User convenience**. The employee provides credentials (such as account and password, or other credentials), and is then guided to set up Microsoft Passport and Hello. From that point on, the employee can access enterprise resources by providing a gesture.
- **Security**. Microsoft Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Microsoft
## Benefits of Windows Hello
- **User convenience**. The employee provides credentials (such as account and password, or other credentials), and is then guided to set up Windows Hello. From that point on, the employee can access enterprise resources by providing a gesture.
- **Security**. Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Microsoft
Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of Trusted Platform Modules (TPMs).
[Learn how to implement and manage Microsoft Passport in your organization.](../keep-secure/implement-microsoft-passport-in-your-organization.md)
[Learn how to implement and manage Windows Hello for Business in your organization.](../keep-secure/implement-microsoft-passport-in-your-organization.md)
## Learn more
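Review bot: the rename is incomplete in the **Security** bullet: the new line ends with "because Microsoft" and the unchanged following line continues "Passport credentials are an asymmetric key pair", so the published text still reads "Microsoft Passport credentials". Change that context line to "Hello credentials are an asymmetric key pair, ..." in this hunk. Two smaller defects carried over from the old lines into the new ones: "the users Windows 10 Mobile device" needs an apostrophe ("user's"), and "less costly and complex than other solutions" has no closing period. Finally, the page heading now says "Windows Hello" while the "Learn how to implement" link label says "Windows Hello for Business"; confirm which name is intended here.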