Merge remote-tracking branch 'refs/remotes/origin/rs1' into Aug2

# Conflicts: # windows/keep-secure/TOC.md # windows/keep-secure/implement-microsoft-passport-in-your-organization.md # windows/keep-secure/index.md # windows/keep-secure/prepare-people-to-use-microsoft-passport.md # windows/keep-secure/windows-hello-in-enterprise.md
2025-06-18 11:53:37 +00:00 · 2016-07-29 15:50:07 +10:00
parent 9891b674be 96bce5909d
commit d18148961f
50 changed files with 104 additions and 30 deletions
--- a/windows/keep-secure/configure-s-mime.md
+++ b/windows/keep-secure/configure-s-mime.md
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerMS
+localizationpriority: high
 ---


--- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
+++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
@ -6,6 +6,7 @@ ms.prod: W10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: jdeckerMS
+localizationpriority: high
 ---

 # Enable phone sign-in to PC or VPN
@ -18,20 +19,24 @@ author: jdeckerMS

 In Windows 10, Version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app.

- (add screenshot when I can get the app working)
+![Sign in to a device](images/phone-signin-menu.png)
+
+> [!NOTE]
+> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.

 You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone.

 ## Prerequisites
 
- - Both phone and PC must be running Windows 10, Version 1607.
+ - Both phone and PC must be running Windows 10, version 1607.
 - The PC must be running Windows 10 Pro, Enterprise, or Education
 - Both phone and PC must have Bluetooth.
+ - The **Microsoft Authenticator** app must be installed on the phone.
 - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
 - The phone must be joined to Azure AD or have a work account added.
- - VPN configuration profile must use certificate-based authentication.
+ - The VPN configuration profile must use certificate-based authentication.
 
-## Set policies and get the app
+## Set policies

 To enable phone sign-in, you must enable the following policies using Group Policy or MDM.

@ -42,13 +47,20 @@ To enable phone sign-in, you must enable the following policies using Group Poli
    - Set **UsePassportForWork** to **True**
    - Set **Remote\UseRemotePassport** to **True**

-Everyone can get the **Microsoft Authenticator** app from the Windows Store. If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a Line of Business (LOB) publisher.
+## Configure VPN 
+
+To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows:
+
+- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate.
+- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate.
+
+## Get the app
+
+If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md).

 [Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote)


-
-
 ## Related topics

 [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
--- a/windows/keep-secure/images/phone-signin-device-select.png
+++ b/windows/keep-secure/images/phone-signin-device-select.png
--- a/windows/keep-secure/images/phone-signin-menu.png
+++ b/windows/keep-secure/images/phone-signin-menu.png
--- a/windows/keep-secure/images/phone-signin-settings.png
+++ b/windows/keep-secure/images/phone-signin-settings.png
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
+++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerMS
+localizationpriority: high
 ---

 # Implement Microsoft Passport in your organization
--- a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md
+++ b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerMS
+localizationpriority: high
 ---

 # Install digital certificates on Windows 10 Mobile
--- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
+++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, mobile
 author: jdeckerMS
+localizationpriority: high
 ---
 # Manage identity verification using Microsoft Passport

--- a/windows/keep-secure/microsoft-passport-and-password-changes.md
+++ b/windows/keep-secure/microsoft-passport-and-password-changes.md
@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerMS
+localizationpriority: high
 ---
 # Microsoft Passport and password changes

--- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
+++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerMS
+localizationpriority: high
 ---

 # Microsoft Passport errors during PIN creation
--- a/windows/keep-secure/passport-event-300.md
+++ b/windows/keep-secure/passport-event-300.md
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerMS
+localizationpriority: high
 ---

 # Event ID 300 - Passport successfully created
--- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
+++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerMS
+localizationpriority: high
 ---

 # Prepare people to use Microsoft Passport
@ -52,16 +53,23 @@ If your policy allows it, people can add Windows Hello to their Passport. Window

 ![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png)

-## <a href="" id="bmk-remote"></a>Use a phone to sign in to a PC
+## <a href="" id="bmk-remote"></a>Use a phone to sign in to a PC or VPN

-If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Microsoft Passport credentials.
-> **Note:**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials.
+
+> [!NOTE]
+> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
  
 **Prerequisites:**
-   The PC must be joined to the Active Directory domain or Azure AD cloud domain.
-   The PC must have Bluetooth connectivity.
-   The phone must be joined to the Azure AD cloud domain, or the user must have added a work account to their personal phone.
-   The free **Phone Sign-in** app must be installed on the phone.
+   
+- Both phone and PC must be running Windows 10, version 1607.
+- The PC must be running Windows 10 Pro, Enterprise, or Education
+- Both phone and PC must have Bluetooth.
+- The **Microsoft Authenticator** app must be installed on the phone.
+- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
+- The phone must be joined to Azure AD or have a work account added.
+- The VPN configuration profile must use certificate-based authentication.
+
 **Pair the PC and phone**
 1.  On the PC, go to **Settings** &gt; **Devices** &gt; **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing.

@ -73,11 +81,19 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows
    
 3.  On the PC, tap **Yes**.
 **Sign in to PC using the phone**
-1.  Open the **Phone Sign-in** app and tap the name of the PC to sign in to.
-    > **Note: **  The first time that you run the Phone-Sign app, you must add an account.
+
+1.  Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to.
+    > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account.
+    
+    ![select a device](images/phone-signin-device-select.png)
+
     
 2.  Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.

+**Connect to VPN**
+
+You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect. 
+
 ## Related topics

 [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
--- a/windows/keep-secure/vpn-profile-options.md
+++ b/windows/keep-secure/vpn-profile-options.md
@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerMS
+localizationpriority: medium
 ---

 # VPN profile options
--- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md
+++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerMS
+localizationpriority: high
 ---

 # Why a PIN is better than a password
--- a/windows/keep-secure/windows-hello-in-enterprise.md
+++ b/windows/keep-secure/windows-hello-in-enterprise.md
@ -7,7 +7,8 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: jdeckerMS
+localizationpriority: high
 ---

 # Windows Hello biometrics in the enterprise
@ -17,21 +18,23 @@ author: eross-msft

 Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.

+> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+
 Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.

 ##How does Windows Hello work?
-Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Microsoft Passport credentials.
+Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials.

-The Windows Hello authenticator works with Microsoft Passport to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
+The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.

 ## Why should I let my employees use Windows Hello?
 Windows Hello provides many benefits, including:

-   Combined with Microsoft Passport, it helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge.
+-   It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge.

 -   Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords!

-   Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.<br>For more info about the available Group Policies and MDM CSPs, see the [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) topic.
+-   Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.<br>For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic.

 ## Where is Microsoft Hello data stored?
 The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor.
@ -72,8 +75,8 @@ To allow facial recognition, you must have devices with integrated special infra
 -   Effective, real world FRR with Anti-spoofing or liveness detection: &lt;10%

 ## Related topics
- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
+- [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
+- [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
 - [Microsoft Passport guide](microsoft-passport-guide.md)
 - [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
 - [PassportforWork CSP](http://go.microsoft.com/fwlink/p/?LinkId=708219)