Policy

Configure device unlock factors

Windows 11 25H2

Back to categoryOpen picker

Policy overview

Key metadata and intent for this policy.

ClassComputer
CategoryWindows Components > Windows Hello for Business
Supported onAt least Windows 10

Supported OS tags: Windows10, Windows10RT

Configure a comma separated list of credential provider GUIDs, such as face and fingerprint provider GUIDs, to be used as the first and second unlock factors. If the trusted signal provider is specified as one of the unlock factors, you should also configure a comma separated list of signal rules in the form of xml for each signal type to be verified. If you enable this policy setting, the user will have to use one factor from each list to successfully unlock. If you disable or do not configure this policy setting, users can continue to unlock with existing unlock options. For more information see: https://go.microsoft.com/fwlink/?linkid=849684

Internal name
MSPassport_UseDeviceUnlock
Policy ID
bf01bbac959e
Elements
3

Registry values

How enabled and disabled states update the registry.

No explicit registry values are set for enabled or disabled states.

Policy elements

Inputs and configuration options exposed by this policy.

ElementTypeRegistry mappingConstraints & behavior
First unlock factor credential providers
ID MSPassport_UseDeviceUnlock_GroupA
text
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock\GroupA
Type REG_SZ
None
Second unlock factor credential providers
ID MSPassport_UseDeviceUnlock_GroupB
text
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock\GroupB
Type REG_SZ
None
Signal rules for device unlock
ID MSPassport_UseDeviceUnlock_Plugins
text
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock\Plugins
Type REG_SZ
None

Other policies in this category

Explore related policies at the same level.

View all policies in this category