Control Windows Hello for Business settings on devices with Microsoft Intune

Applies to: Intune in the classic console
Looking for documentation about Intune on Azure? Go here.

Microsoft Intune integrates with Windows Hello for Business (formerly Microsoft Passport for Work), an alternative sign-in method that uses Active Directory or an Azure Active Directory account to replace a password, smart card, or a virtual smart card.

Hello for Business lets you use a user gesture to sign in, instead of a password. A user gesture might be a simple PIN, biometric authentication such as Windows Hello, or an external device such as a fingerprint reader.

Intune integrates with Hello for Business in two ways:

Important

In Windows 10 desktop and mobile versions prior to the Anniversary Update, you could set two different PINs that could be used to authenticate to resources:

  • The device PIN could be used to unlock the device and connect to cloud resources.
  • The work PIN was used to access Azure AD resources on users' personal devices (BYOD).

In the Anniversary Update, these two PINs were merged into one single device PIN. Any Intune configuration policies you set to control the device PIN, and any Windows Hello for Business policies you configured, now both set this new PIN value. If you have set both policy types to control the PIN, the Windows Hello for Business policy will be applied on both Windows 10 desktop and mobile devices. To ensure policy conflicts are resolved and that the PIN policy is applied correctly, update your Windows Hello for Business policy to match the settings in your configuration policy, and ask your users to sync their devices in the Company Portal app.

Create a Windows Hello for Business policy

  1. In the Microsoft Intune administration console, choose Admin > Mobile Device Management > Windows > Windows Hello for Business to open the Windows Hello for Business page.


  2. Choose one of the following settings:

    • Disable Windows Hello for Business on enrolled devices. If you don't want to use Windows Hello for Business, select this setting. All other settings on the screen are then unavailable.
    • Enable Windows Hello for Business on enrolled devices. Select this setting if you want to configure Windows Hello for Business settings.
    • Not configured. Select this setting if you don't want to use Intune to control Windows Hello for Business settings. Any existing Windows Hello for Business settings on Windows 10 devices will not be changed. All other settings on the screen are unavailable.
  3. If you selected Enable Windows Hello for Business on enrolled devices, configure the required settings that will be applied to all enrolled Windows 10 and Windows 10 Mobile devices.
  4. When you are finished, choose Save.

Settings for the Windows Hello for Business policy

  • Use a Trusted Platform Module (TPM). A TPM chip provides an additional layer of data security.
    Choose one of the following values:
    • Required (default). Only devices with an accessible TPM can provision Windows Hello for Business.
    • Preferred. Devices first attempt to use a TPM. If this is not available, they can use software encryption.
  • Require minimum PIN length/Require maximum PIN length. Configures devices to use the minimum and maximum PIN lengths that you specify to help ensure secure sign-in. The default PIN length is 6 characters, but you can enforce a minimum length of 4 characters. The maximum PIN length is 127 characters.
  • Require lowercase letters in PIN/Require uppercase letters in PIN/Require special characters in PIN. You can enforce a stronger PIN by requiring the use of uppercase letters, lowercase letters, and special characters in the PIN. Choose from:
    • Allowed. Users can use the character type in their PIN, but it is not mandatory.
    • Required. Users must include at least one of the character types in their PIN. For example, it's common practice to require at least one uppercase letter and one special character.
    • Not allowed (default). Users must not use these character types in their PIN. (This is also the behavior if the setting is not configured.)
      Special characters include: **! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ ` { | } ~**.
  • PIN expiration (days). It's a good practice to specify an expiration period for a PIN, after which users must change it. The default is 41 days.
  • Remember PIN history. Restricts the reuse of previously used PINs. By default, the last 5 PINs cannot be reused.
  • Allow biometric authentication. Enables biometric authentication, such as facial recognition or fingerprint, as an alternative to a PIN for Windows Hello for Business. Users must still configure a work PIN in case biometric authentication fails. Choose from:
    • Yes. Windows Hello for Business allows biometric authentication.
    • No. Windows Hello for Business prevents biometric authentication (for all account types).
  • Use enhanced anti-spoofing, when available. Configures whether the anti-spoofing features of Windows Hello are used on devices that support it (for example, detecting a photograph of a face instead of a real face).
    If this is set to Yes, Windows requires all users to use anti-spoofing for facial features when that is supported.
  • Use phone sign-in. If this option is set to Yes, users can use a remote passport to serve as a portable companion device for desktop computer authentication. The desktop computer must be Azure Active Directory joined, and the companion device must be configured with a Windows Hello for Business PIN.
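
The PIN length, character-class and history settings above can be modelled as a small policy evaluator, which is useful for checking what a planned policy would accept before deploying it. This is an added example, not Intune or Windows code; the names PinPolicy and check_pin are hypothetical. It assumes digits are always permitted, that characters outside the classes listed on this page are rejected, and it compares PIN history in plaintext for illustration only.

```python
import string
from dataclasses import dataclass

# Special characters exactly as listed on this page.
SPECIAL = set("!\"#$%&'()*+,-./:;<=>?@[\\]^`{|}~")
ALLOWED, REQUIRED, NOT_ALLOWED = "Allowed", "Required", "Not allowed"

@dataclass
class PinPolicy:
    min_length: int = 6           # page: default PIN length is 6
    max_length: int = 127         # page: maximum PIN length is 127
    lowercase: str = NOT_ALLOWED  # page: "Not allowed" is the default
    uppercase: str = NOT_ALLOWED
    special: str = NOT_ALLOWED
    history: int = 5              # page: last 5 PINs cannot be reused

    def __post_init__(self):
        if not 4 <= self.min_length <= self.max_length <= 127:
            raise ValueError("PIN length must satisfy 4 <= min <= max <= 127")

def check_pin(pin, policy, previous=()):
    """Return a list of policy violations; an empty list means the PIN is accepted."""
    problems = []
    if len(pin) < policy.min_length:
        problems.append("too short")
    if len(pin) > policy.max_length:
        problems.append("too long")
    classes = {
        "lowercase": (policy.lowercase, set(string.ascii_lowercase)),
        "uppercase": (policy.uppercase, set(string.ascii_uppercase)),
        "special": (policy.special, SPECIAL),
    }
    for name, (rule, chars) in classes.items():
        present = any(c in chars for c in pin)
        if rule == REQUIRED and not present:
            problems.append(f"missing {name}")
        if rule == NOT_ALLOWED and present:
            problems.append(f"{name} not allowed")
    # Assumption: digits are always permitted; any other unknown character is rejected.
    known = set(string.digits) | set(string.ascii_letters) | SPECIAL
    if any(c not in known for c in pin):
        problems.append("unsupported character")
    # Assumption: history is compared on plaintext values here, for illustration only.
    if policy.history and pin in list(previous)[-policy.history:]:
        problems.append("reused PIN")
    return problems
```

With the default policy, a six-digit PIN passes while any letter or special character is rejected, which shows that "Not allowed (default)" yields numeric-only PINs.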

Further information

For more information about Microsoft Passport, see the guide in the Windows 10 documentation.
