Policy

Configure device unlock factors

Configure a comma separated list of credential provider GUIDs, such as face and fingerprint provider GUIDs, to be used as the first and second unlock factors. If the trusted signal provider is specified as one of the unlock factors, you should also configure a comma separated list of signal rules in the form of xml for each signal type to be verified. If you enable this policy setting, the user will have to use one factor from each list to successfully unlock. If you disable or do not configure this policy setting, users can continue to unlock with existing unlock options. For more information see: https://go.microsoft.com/fwlink/?linkid=849684

Policy
Pack Microsoft Windows
Category Windows Components / Windows Hello for Business
Policy ID bf01bbac959e
Internal name MSPassport_UseDeviceUnlock

Registry

Copy registry mappings

HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock\GroupA
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock\GroupB
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock\Plugins

Policy notes

Configure a comma separated list of credential provider GUIDs, such as face and fingerprint provider GUIDs, to be used as the first and second unlock factors. If the trusted signal provider is specified as one of the unlock factors, you should also configure a comma separated list of signal rules in the form of xml for each signal type to be verified. If you enable this policy setting, the user will have to use one factor from each list to successfully unlock. If you disable or do not configure this policy setting, users can continue to unlock with existing unlock options. For more information see: https://go.microsoft.com/fwlink/?linkid=849684

Related policies

Allow enumeration of emulated smart card for all usersConfigure dynamic lock factorsEnable ESS with Supported PeripheralsTurn off smart card emulationUse a hardware security deviceUse biometricsUse certificate for on-premises authentication