PassportForWork CSP

The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smart cards, and virtual smart cards.

Important

Starting with Windows 10, version 1607, all devices have only one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.

User configuration diagram

The following diagram shows the PassportForWork configuration service provider in tree format.

[Diagram: passportforwork csp]

Device configuration diagram

The following diagram shows the PassportForWork configuration service provider in tree format.

[Diagram: passportforwork diagram]

PassportForWork
Root node for PassportForWork configuration service provider.

TenantId
A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. For more information, see Get Windows Azure Active Directory Tenant ID in Windows PowerShell.

*TenantId*/Policies
Node for defining the Windows Hello for Business policy settings.

*TenantId*/Policies/UsePassportForWork
Boolean value that sets Windows Hello for Business as a method for signing into Windows.

Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business except on Azure Active Directory joined mobile phones where provisioning is required.

Supported operations are Add, Get, Delete, and Replace.

*TenantId*/Policies/RequireSecurityDevice
Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an additional security benefit over software so that data stored in it cannot be used on other devices.

Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there is not a usable TPM. If you do not configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable.

Supported operations are Add, Get, Delete, and Replace.

*TenantId*/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1703. Root node for excluded security devices. Not supported on Windows Holographic and Windows Holographic for Business.

*TenantId*/Policies/ExcludeSecurityDevices/TPM12 (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG).

Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.

If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.

Supported operations are Add, Get, Delete, and Replace.

*TenantId*/Policies/EnablePinRecovery
Added in Windows 10, version 1703. Boolean value that enables a user to change their PIN by using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret, which is stored locally on the client, and can be decrypted only by the cloud service.

Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed.

If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to.

Supported operations are Add, Get, Delete, and Replace.

*TenantId*/Policies/UseCertificateForOnPremAuth (only for ./Device/Vendor/MSFT)
Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premises resources.

If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.

If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload.

Supported operations are Add, Get, Delete, and Replace.

*TenantId*/Policies/PINComplexity
Node for defining PIN settings.

*TenantId*/Policies/PINComplexity/MinimumPINLength
Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.

If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4.

Note

If the conditions specified above for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.

Value type is int. Supported operations are Add, Get, Delete, and Replace.

*TenantId*/Policies/PINComplexity/MaximumPINLength
Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater.

If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be less than or equal to 127.

Note

If the conditions specified above for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.

Supported operations are Add, Get, Delete, and Replace.

*TenantId*/Policies/PINComplexity/UppercaseLetters
Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN.

Valid values:

  • 0 - Allows the use of uppercase letters in PIN.
  • 1 - Requires the use of at least one uppercase letter in PIN.
  • 2 - Does not allow the use of uppercase letters in PIN.

Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply.

Supported operations are Add, Get, Delete, and Replace.

*TenantId*/Policies/PINComplexity/LowercaseLetters
Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN.

Valid values:

  • 0 - Allows the use of lowercase letters in PIN.
  • 1 - Requires the use of at least one lowercase letter in PIN.
  • 2 - Does not allow the use of lowercase letters in PIN.

Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply.

Supported operations are Add, Get, Delete, and Replace.

*TenantId*/Policies/PINComplexity/SpecialCharacters
Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ .

Valid values:

  • 0 - Allows the use of special characters in PIN.
  • 1 - Requires the use of at least one special character in PIN.
  • 2 - Does not allow the use of special characters in PIN.

Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply.

Supported operations are Add, Get, Delete, and Replace.

*TenantId*/Policies/PINComplexity/Digits
Integer value that configures the use of digits in the Windows Hello for Business PIN.

Valid values:

  • 0 - Allows the use of digits in PIN.
  • 1 - Requires the use of at least one digit in PIN.
  • 2 - Does not allow the use of digits in PIN.

Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply.

Supported operations are Add, Get, Delete, and Replace.
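
The length fallback and the 0/1/2 character-set rules described in the PINComplexity nodes above can be expressed as a small resolver that reports which policy actually applies and whether a candidate PIN satisfies it. This is an added example, not Microsoft's code: the function names are hypothetical, the node names, defaults and special-character list come from this page, and the length check follows the page's wording literally (minimum strictly below maximum).

```python
import string

DEFAULT_MIN, DEFAULT_MAX = 4, 127
ALLOW, REQUIRE, DISALLOW = 0, 1, 2

# Character sets per node; string.punctuation is exactly the special-character
# list given on this page for PIN gestures.
CLASSES = {
    "UppercaseLetters": set(string.ascii_uppercase),
    "LowercaseLetters": set(string.ascii_lowercase),
    "SpecialCharacters": set(string.punctuation),
    "Digits": set(string.digits),
}
# Page defaults: digits required, every other character set not allowed.
DEFAULT_CLASSES = {
    "UppercaseLetters": DISALLOW,
    "LowercaseLetters": DISALLOW,
    "SpecialCharacters": DISALLOW,
    "Digits": REQUIRE,
}
# Values used in the SyncML example at the end of this page.
EXAMPLE = {
    "MinimumPINLength": 8, "MaximumPINLength": 16,
    "UppercaseLetters": 0, "LowercaseLetters": 1,
    "SpecialCharacters": 2, "Digits": 1,
}


def effective_policy(configured):
    """Resolve configured node values into the policy the page says applies."""
    lo = configured.get("MinimumPINLength", DEFAULT_MIN)
    hi = configured.get("MaximumPINLength", DEFAULT_MAX)
    # If the documented length conditions are not met, the defaults are used
    # for BOTH the minimum and the maximum, not just the offending one.
    if not (DEFAULT_MIN <= lo < hi <= DEFAULT_MAX):
        lo, hi = DEFAULT_MIN, DEFAULT_MAX
    classes = {n: configured.get(n, DEFAULT_CLASSES[n]) for n in CLASSES}
    # All sets allowed but none required: default complexity behavior applies.
    if all(v == ALLOW for v in classes.values()):
        classes = dict(DEFAULT_CLASSES)
    return {"min": lo, "max": hi, "classes": classes}


def pin_violations(pin, policy):
    """List the rules of an effective policy that a candidate PIN breaks."""
    problems = []
    if not policy["min"] <= len(pin) <= policy["max"]:
        problems.append("length")
    for name, rule in policy["classes"].items():
        present = any(ch in CLASSES[name] for ch in pin)
        if rule == REQUIRE and not present:
            problems.append(f"{name} required")
        elif rule == DISALLOW and present:
            problems.append(f"{name} not allowed")
    return problems


if __name__ == "__main__":
    # A maximum below the minimum silently reverts both lengths to 4 and 127.
    print(effective_policy({"MinimumPINLength": 8, "MaximumPINLength": 6}))
    print(pin_violations("12345678", effective_policy(EXAMPLE)))
```

The first call shows why a misconfigured length pair is worth catching before deployment: the device ends up on the 4-character default minimum rather than on either configured value.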

*TenantId*/Policies/PINComplexity/History
Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. This node was added in Windows 10, version 1511.

The current PIN of the user is included in the set of PINs associated with the user account. PIN history is not preserved through a PIN reset.

Default value is 0.

Supported operations are Add, Get, Delete, and Replace.

*TenantId*/Policies/PINComplexity/Expiration
Integer value that specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire. This node was added in Windows 10, version 1511.

Default value is 0.

Supported operations are Add, Get, Delete, and Replace.

*TenantId*/Policies/Remote (only for ./Device/Vendor/MSFT)
Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511. Not supported on Windows Holographic and Windows Holographic for Business.

*TenantId*/Policies/Remote/UseRemotePassport (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511.

Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled.

Supported operations are Add, Get, Delete, and Replace.

Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).

*TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1809. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.

If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key.

Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in.

Value type is bool. Supported operations are Add, Get, Replace, and Delete.

UseBiometrics
This node is deprecated. Use Biometrics/UseBiometrics node instead.

Biometrics (only for ./Device/Vendor/MSFT)
Node for defining biometric settings. This node was added in Windows 10, version 1511. Not supported on Windows Holographic and Windows Holographic for Business.

Biometrics/UseBiometrics (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511.

Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business.

Supported operations are Add, Get, Delete, and Replace.

Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).

Biometrics/FacialFeaturesUseEnhancedAntiSpoofing (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511.

Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.

If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing.

Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices.

Supported operations are Add, Get, Delete, and Replace.

Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).

DeviceUnlock (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. Interior node.

DeviceUnlock/GroupA (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the first step of authentication.

Value type is string. Supported operations are Add, Get, Replace, and Delete.

DeviceUnlock/GroupB (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the second step of authentication.

Value type is string. Supported operations are Add, Get, Replace, and Delete.

DeviceUnlock/Plugins (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user presence.

Value type is string. Supported operations are Add, Get, Replace, and Delete.

DynamicLock (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. Interior node.

DynamicLock/DynamicLock (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. Enables the dynamic lock.

Value type is bool. Supported operations are Add, Get, Replace, and Delete.

DynamicLock/Plugins (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user absence.

Value type is string. Supported operations are Add, Get, Replace, and Delete.

SecurityKey (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1903. Interior node.

Scope is permanent. Supported operation is Get.

SecurityKey/UseSecurityKeyForSignin (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1903. Enables users to sign in to their device with a FIDO2 security key that is compatible with Microsoft's implementation.

Scope is dynamic. Supported operations are Add, Get, Replace, and Delete.

Value type is integer.

Valid values:

  • 0 (default) - disabled.
  • 1 - enabled.

Examples

Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM.

<SyncML xmlns="SYNCML:SYNCML1.2">
          <SyncBody>
            <Add>
              <CmdID>2</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F
                  </LocURI>
                </Target>
              </Item>
            </Add>
            <Add>
              <CmdID>3</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/UsePassportForWork
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">bool</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>true</Data>
              </Item>
            </Add>
            <Add>
              <CmdID>4</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/RequireSecurityDevice
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">bool</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>true</Data>
              </Item>
            </Add>
            <Add>
              <CmdID>5</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/MinimumPINLength
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">int</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>8</Data>
              </Item>
            </Add>
            <Add>
              <CmdID>6</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/MaximumPINLength
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">int</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>16</Data>
              </Item>
            </Add>
            <Add>
              <CmdID>7</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/UppercaseLetters
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">int</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>0</Data>
              </Item>
            </Add>
            <Add>
              <CmdID>8</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/LowercaseLetters
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">int</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>1</Data>
              </Item>
            </Add>
            <Add>
              <CmdID>9</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/SpecialCharacters
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">int</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>2</Data>
              </Item>
            </Add>
            <Add>
              <CmdID>10</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/Digits
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">int</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>1</Data>
              </Item>
            </Add>
            <Add>
              <CmdID>11</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/History
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">int</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>20</Data>
              </Item>
            </Add>
            <Add>
              <CmdID>12</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/Expiration
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">int</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>70</Data>
              </Item>
            </Add>
            <Add>
              <CmdID>13</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/Remote/UseRemotePassport
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">bool</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>true</Data>
              </Item>
            </Add>
            <Add>
              <CmdID>14</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/Biometrics/UseBiometrics
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">bool</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>true</Data>
              </Item>
            </Add>
            <Add>
              <CmdID>15</CmdID>
              <Item>
                <Target>
                  <LocURI>
                    ./Vendor/MSFT/PassportForWork/Biometrics/FacialFeaturesUseEnhancedAntiSpoofing
                  </LocURI>
                </Target>
                <Meta>
                  <Format xmlns="syncml:metinf">bool</Format>
                  <Type>text/plain</Type>
                </Meta>
                <Data>true</Data>
              </Item>
            </Add>
            <Final/> 
          </SyncBody>
        </SyncML>
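
A payload like the one above can be checked against the value types and ranges documented on this page before an MDM server sends it, which catches misspelt node names and out-of-range values that would otherwise fail or fall back to defaults on the device. This linter is an added example, not part of the original page or of any Microsoft tooling; the function names, the all-zero tenant GUID and the sample payload are constructed for illustration, and the rule table covers only the nodes used in the page's example plus EnablePinRecovery.

```python
import xml.etree.ElementTree as ET

# Leaf node -> (SyncML Format, lowest, highest), transcribed from this page.
RULES = {name: ("bool", None, None) for name in (
    "UsePassportForWork", "RequireSecurityDevice", "EnablePinRecovery",
    "UseRemotePassport", "UseBiometrics", "FacialFeaturesUseEnhancedAntiSpoofing")}
RULES.update({
    "MinimumPINLength": ("int", 4, 127), "MaximumPINLength": ("int", 4, 127),
    "UppercaseLetters": ("int", 0, 2), "LowercaseLetters": ("int", 0, 2),
    "SpecialCharacters": ("int", 0, 2), "Digits": ("int", 0, 2),
    "History": ("int", 0, 50), "Expiration": ("int", 0, 730),
})
BASE = "./Vendor/MSFT/PassportForWork"
TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def child(elem, name):
    """First descendant with the given local name, or None."""
    return next((e for e in elem.iter() if local(e.tag) == name), None)


def lint(payload):
    """Return (node, problem) pairs for PassportForWork items in a payload."""
    findings, ints = [], {}
    items = [e for e in ET.fromstring(payload).iter() if local(e.tag) == "Item"]
    for item in items:
        uri, data, fmt = child(item, "LocURI"), child(item, "Data"), child(item, "Format")
        if uri is None or data is None or "/PassportForWork/" not in (uri.text or ""):
            continue  # interior-node Add (no Data) or a different CSP
        leaf = uri.text.strip().rsplit("/", 1)[-1]
        value = (data.text or "").strip()
        if leaf not in RULES:
            findings.append((leaf, "not in RULES (unknown or misspelt node)"))
            continue
        kind, low, high = RULES[leaf]
        declared = (fmt.text or "").strip() if fmt is not None else ""
        if declared != kind:
            findings.append((leaf, f"Format is '{declared}', expected '{kind}'"))
        if kind == "bool":
            if value.lower() not in ("true", "false"):
                findings.append((leaf, f"'{value}' is not a boolean"))
            continue
        try:
            ints[leaf] = int(value)
        except ValueError:
            findings.append((leaf, f"'{value}' is not an integer"))
            continue
        if not low <= ints[leaf] <= high:
            findings.append((leaf, f"{value} is outside {low}..{high}"))
    # Cross-field rule: if the length conditions fail, defaults apply to both.
    lo, hi = ints.get("MinimumPINLength", 4), ints.get("MaximumPINLength", 127)
    if not 4 <= lo < hi <= 127:
        findings.append(("PINComplexity", "length conditions not met; defaults 4 and 127 apply"))
    return findings


def add_cmd(cmd_id, node, fmt, data):
    """Build one <Add> command in the shape used by the page's example."""
    return (f"<Add><CmdID>{cmd_id}</CmdID><Item><Target><LocURI>{BASE}/{node}"
            f'</LocURI></Target><Meta><Format xmlns="syncml:metinf">{fmt}</Format>'
            f"<Type>text/plain</Type></Meta><Data>{data}</Data></Item></Add>")


def wrap(commands):
    """Wrap commands in the SyncML envelope used by the page's example."""
    return ('<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>' + "".join(commands)
            + "<Final/></SyncBody></SyncML>")


P = f"{TENANT}/Policies"
SAMPLE = wrap([  # constructed payload with deliberate mistakes
    add_cmd(2, f"{P}/UsePassportForWork", "bool", "true"),
    add_cmd(3, f"{P}/PINComplexity/MinimumPINLength", "int", 8),
    add_cmd(4, f"{P}/PINComplexity/MaximumPINLength", "int", 6),  # below minimum
    add_cmd(5, f"{P}/PINComplexity/History", "int", 60),          # page maximum is 50
    add_cmd(6, f"{P}/PINComplexity/Digits", "bool", 1),           # int node sent as bool
    add_cmd(7, "Biometrics/FacialFeatureUseEnhancedAntiSpoofing", "bool", "true"),  # misspelt
])

if __name__ == "__main__":
    for node, problem in lint(SAMPLE):
        print(f"{node}: {problem}")
```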