Configure device unlock factors

Configure a comma-separated list of credential provider GUIDs, such as face and fingerprint provider GUIDs, to be used as the first and second unlock factors. If the trusted signal provider is specified as one of the unlock factors, you should also configure a comma-separated list of signal rules, in XML form, for each signal type to be verified.

If you enable this policy setting, the user will have to use one factor from each list to successfully unlock.

If you disable or do not configure this policy setting, users can continue to unlock with existing unlock options.

For more information see: https://go.microsoft.com/fwlink/?linkid=849684

Supported on: At least Windows 10 or Windows 10 RT

First unlock factor credential providers

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock
Value Name: GroupA
Value Type: REG_SZ
Default Value: {D6886603-9D2F-4EB2-B667-1971041FA96B},{8AF662BF-65A0-4D0A-A540-A338A999D36F},{BEC09223-B018-416D-A0AC-523971B639F5}

Second unlock factor credential providers

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock
Value Name: GroupB
Value Type: REG_SZ
Default Value: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}

Signal rules for device unlock

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock
Value Name: Plugins
Value Type: REG_SZ
Default Value: (empty)
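
An added example (not part of the original policy reference and not Microsoft's own tooling): a PowerShell audit of the three registry values above that flags empty factor lists, malformed or unrecognised provider GUIDs, and a trusted signal provider listed without signal rules. The function name, the provider labels and the sample input are assumptions introduced here; the labels follow Microsoft's multifactor unlock documentation.

```powershell
# Added example: audit of the DeviceUnlock policy values described on this page.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock'

# The four GUIDs that appear in this page's default values. The labels are an
# assumption taken from Microsoft's multifactor unlock documentation.
$Providers = @{
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'PIN'
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'Facial recognition'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Fingerprint'
    '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}' = 'Trusted signal'
}
$TrustedSignal = '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}'
$GuidPattern   = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# Hypothetical helper: returns a list of findings (empty when nothing is wrong).
function Test-DeviceUnlockPolicy {
    param([string]$GroupA, [string]$GroupB, [string]$Plugins)
    $findings = @()
    $seen = @()
    foreach ($list in ([ordered]@{ GroupA = $GroupA; GroupB = $GroupB }).GetEnumerator()) {
        # Split the comma-separated REG_SZ value and drop empty entries.
        $guids = @($list.Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($guids.Count -eq 0) { $findings += "$($list.Key): empty or not set" }
        foreach ($g in $guids) {
            if ($g -notmatch $GuidPattern) {
                $findings += "$($list.Key): malformed GUID '$g'"
            } elseif (-not $Providers.ContainsKey($g)) {
                $findings += "$($list.Key): unrecognised provider $g"
            }
        }
        $seen += $guids
    }
    # The policy text asks for signal rules whenever the trusted signal provider is a factor.
    if (($seen -contains $TrustedSignal) -and [string]::IsNullOrWhiteSpace($Plugins)) {
        $findings += 'Trusted signal provider listed but Plugins (signal rules) is empty'
    }
    $findings
}

# Constructed sample: trusted signal in GroupB with no signal rules configured.
Test-DeviceUnlockPolicy -GroupA '{D6886603-9D2F-4EB2-B667-1971041FA96B}' `
    -GroupB '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}' -Plugins ''

# Live check on a Windows host; the values are absent when the policy is not configured.
$p = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
if ($p) { Test-DeviceUnlockPolicy -GroupA $p.GroupA -GroupB $p.GroupB -Plugins $p.Plugins }
```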

passport.admx