Policy
Configure device unlock factors
Microsoft Windows
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT
Configure a comma-separated list of credential provider GUIDs, such as face and fingerprint provider GUIDs, to be used as the first and second unlock factors. If the trusted signal provider is specified as one of the unlock factors, you should also configure a comma-separated list of signal rules, in XML form, for each signal type to be verified. If you enable this policy setting, the user must use one factor from each list to unlock successfully. If you disable or do not configure this policy setting, users can continue to unlock with existing unlock options. For more information see: https://go.microsoft.com/fwlink/?linkid=849684
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Scope | Element | ID | Type | Registry path | Value name | Value type | Constraints & behavior |
|---|---|---|---|---|---|---|---|
| Computer | First unlock factor credential providers | MSPassport_UseDeviceUnlock_GroupA | text | SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock | GroupA | REG_SZ | None |
| Computer | Second unlock factor credential providers | MSPassport_UseDeviceUnlock_GroupB | text | SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock | GroupB | REG_SZ | None |
| Computer | Signal rules for device unlock | MSPassport_UseDeviceUnlock_Plugins | text | SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock | Plugins | REG_SZ | None |
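
To audit how this policy is applied on a device, the following added example (not Microsoft's code) reads the three values from the table and checks them against the rules in the policy description. The function name `Test-DeviceUnlockPolicy` and the `-TrustedSignalGuid` parameter are hypothetical; the caller supplies the trusted signal provider GUID from Microsoft's documentation, since this page does not list it.

```powershell
# Added audit example. Registry path and value names come from the policy table above;
# the function name, parameters and output shape are illustrative assumptions.
function Test-DeviceUnlockPolicy {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock',
        [string]$TrustedSignalGuid   # optional, caller-supplied (not listed on this page)
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $values = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $values) {
        # Disabled / not configured: users keep their existing unlock options.
        $findings.Add('Policy key absent or empty: existing unlock options remain in effect')
        return [pscustomobject]@{ Configured = $false; Findings = $findings }
    }
    $guids = [System.Collections.Generic.List[guid]]::new()
    foreach ($name in 'GroupA', 'GroupB') {
        # Each group is a comma-separated list of credential provider GUIDs.
        $items = @(([string]$values.$name) -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($items.Count -eq 0) { $findings.Add("$name is missing or empty") }
        foreach ($item in $items) {
            $parsed = [guid]::Empty
            if ([guid]::TryParse($item, [ref]$parsed)) { $guids.Add($parsed) }
            else { $findings.Add("$name has a malformed GUID: $item") }
        }
    }
    # Plugins holds comma-separated XML signal rules; wrap in a root element
    # so the whole list can be checked for well-formedness in one parse.
    $plugins = ([string]$values.Plugins).Trim()
    if ($plugins) {
        try { $null = [xml]"<root>$plugins</root>" }
        catch { $findings.Add('Plugins is not well-formed XML') }
    }
    # If the trusted signal provider is an unlock factor, signal rules are expected.
    $signal = [guid]::Empty
    if ($TrustedSignalGuid -and [guid]::TryParse($TrustedSignalGuid, [ref]$signal)) {
        if ($guids.Contains($signal) -and -not $plugins) {
            $findings.Add('Trusted signal provider is listed but Plugins has no signal rules')
        }
    }
    [pscustomobject]@{ Configured = $true; Findings = $findings }
}

Test-DeviceUnlockPolicy | Format-List
```

An empty `Findings` list with `Configured = True` means both factor lists are present and well-formed; it does not confirm that the listed providers are installed or enrolled on the device.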