Merge remote-tracking branch 'refs/remotes/origin/jdrs' into rs1

2025-05-16 07:17:24 +00:00 · 2016-07-28 12:13:25 -07:00 · 2016-07-28 12:13:25 -07:00 · a7017d9fbc
commit a7017d9fbc
parent f5df452455 13d1384341
9 changed files with 44 additions and 20 deletions
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@ -90,7 +90,6 @@ The **Set up School PCs** app produces a specialized provisioning package that m

 - Saving content locally to the PC is disabled. This prevents data loss by forcing students to save to the cloud.
 - A custom Start layout and sign in background image are set.
- Prohibits Microsoft Accounts (MSAs) from being created.
 - Prohibits unlocking the PC to developer mode.
 - Prohibits untrusted Windows Store apps from being installed.
 - Prohibits students from removing MDM.
@ -242,7 +241,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m
 </tr> 
 <tr> <td colspan="2"> <p> <strong>Windows Settings</strong> > <strong>Security Settings</strong> > <strong>Local Policies</strong> > <strong>Security Options</strong></p> </td> 
 </tr> 
-<tr><td><p>Accounts: Block Microsoft accounts</p></td><td><p>Enabled</p></td></tr>
+<tr><td><p>Accounts: Block Microsoft accounts</p><p>**Note** Microsoft accounts can still be used in apps.</p></td><td><p>Enabled</p></td></tr>
 <tr> <td> <p> Interactive logon: Do not display last user name </p> </td> <td> <p> Enabled</p> </td>
 </tr> 
 <tr> <td> <p> Interactive logon: Sign-in last interactive user automatically after a system-initiated restart</p> </td> <td> <p> Disabled</p> </td> 
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@ -31,7 +31,9 @@ When running above the lock screen:

 - The hardware print screen button is disabled 

- Content within the app will show up as black in screen capturing/sharing software Copy/paste is disabled 
+- Content within the app will show up as black in screen capturing/sharing software 
+
+- System clipboard is cleared 

 - Web apps can query the processes currently running in the user’s device

--- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
+++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
@ -18,20 +18,24 @@ author: jdeckerMS

 In Windows 10, Version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app.

- (add screenshot when I can get the app working)
+![Sign in to a device](images/phone-signin-menu.png)
+
+> [!NOTE]
+> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.

 You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone.

 ## Prerequisites
 
- - Both phone and PC must be running Windows 10, Version 1607.
+ - Both phone and PC must be running Windows 10, version 1607.
 - The PC must be running Windows 10 Pro, Enterprise, or Education
 - Both phone and PC must have Bluetooth.
+ - The **Microsoft Authenticator** app must be installed on the phone.
 - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
 - The phone must be joined to Azure AD or have a work account added.
- - VPN configuration profile must use certificate-based authentication.
+ - The VPN configuration profile must use certificate-based authentication.
 
-## Set policies and get the app
+## Set policies

 To enable phone sign-in, you must enable the following policies using Group Policy or MDM.

@ -42,13 +46,20 @@ To enable phone sign-in, you must enable the following policies using Group Poli
    - Set **UsePassportForWork** to **True**
    - Set **Remote\UseRemotePassport** to **True**

-Everyone can get the **Microsoft Authenticator** app from the Windows Store. If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a Line of Business (LOB) publisher.
+## Configure VPN 
+
+To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows:
+
+- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate.
+- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate.
+
+## Get the app
+
+If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md).

 [Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote)


-
-
 ## Related topics

 [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
--- a/windows/keep-secure/images/phone-signin-device-select.png
+++ b/windows/keep-secure/images/phone-signin-device-select.png
--- a/windows/keep-secure/images/phone-signin-menu.png
+++ b/windows/keep-secure/images/phone-signin-menu.png
--- a/windows/keep-secure/images/phone-signin-settings.png
+++ b/windows/keep-secure/images/phone-signin-settings.png
--- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
+++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
@ -50,16 +50,23 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci

 ![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png)

-## <a href="" id="bmk-remote"></a>Use a phone to sign in to a PC
+## <a href="" id="bmk-remote"></a>Use a phone to sign in to a PC or VPN

 If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials.

+> [!NOTE]
+> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+
  
 **Prerequisites:**
-   The PC must be joined to the Active Directory domain or Azure AD cloud domain.
-   The PC must have Bluetooth connectivity.
-   The phone must be joined to the Azure AD cloud domain, or the user must have added a work account to their personal phone.
-   The **Microsoft Authenticator** app must be installed on the phone.
+   
+- Both phone and PC must be running Windows 10, version 1607.
+- The PC must be running Windows 10 Pro, Enterprise, or Education
+- Both phone and PC must have Bluetooth.
+- The **Microsoft Authenticator** app must be installed on the phone.
+- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
+- The phone must be joined to Azure AD or have a work account added.
+- The VPN configuration profile must use certificate-based authentication.

 **Pair the PC and phone**

@ -75,11 +82,17 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows

 **Sign in to PC using the phone**

-1.  Open the **Microsoft Authenticator** app and tap the name of the PC to sign in to.
+1.  Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to.
    > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account.
+    
+    ![select a device](images/phone-signin-device-select.png)
     
 2.  Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.

+**Connect to VPN**
+
+You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect. 
+
 ## Related topics

 [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
--- a/windows/manage/manage-tips-and-suggestions.md
+++ b/windows/manage/manage-tips-and-suggestions.md
@ -16,7 +16,6 @@ author: jdeckerMS

 -   Windows 10

-> <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]</span>

 Since its inception, Windows 10 has included a number of user experience features that provide useful tips, tricks, and suggestions as you use Windows, as well as app suggestions from the Windows Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Windows Store. Examples of such user experiences include: 

--- a/windows/manage/set-up-shared-or-guest-pc.md
+++ b/windows/manage/set-up-shared-or-guest-pc.md
@ -15,7 +15,7 @@ author: jdeckerMS

 -   Windows 10

-Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise  and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise.
+Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise  and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise.

 > **Note:** If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education.

@ -245,8 +245,8 @@ Shared PC mode sets local group policies to configure the device. Some of these
 <tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>System</strong>><strong>User Profiles</strong></p></td></tr> 
 <tr> <td> <p>Turn off the advertising ID</p></td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr> 
 <tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components </strong></p></td></tr> 
-<tr> <td> <p>Do not show Windows Tips </p>*Only on Pro, Enterprise, and Education* </td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr> 
-<tr> <td> <p>Turn off Microsoft consumer experiences </p>*Only on Pro, Enterprise, and Education* </td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr> 
+<tr> <td> <p>Do not show Windows Tips </p>*Only on Pro, Enterprise, Pro Education, and Education* </td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr> 
+<tr> <td> <p>Turn off Microsoft consumer experiences </p>*Only on Pro, Enterprise, Pro Education, and Education* </td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr> 
 <tr> <td> <p>Microsoft Passport for Work</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr> 
 <tr> <td> <p>Prevent the usage of OneDrive for file storage</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr> 
 <tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Biometrics</strong></p></td></tr>