Use Windows Hello for Business

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

Microsoft Intune integrates with Windows Hello for Business (formerly Microsoft Passport for Work), an alternative sign-in method that uses Active Directory or an Azure Active Directory account to replace a password, smart card, or a virtual smart card.

Hello for Business lets you use a user gesture to sign in, instead of a password. A user gesture might be a simple PIN, biometric authentication such as Windows Hello, or an external device such as a fingerprint reader.

Intune integrates with Hello for Business in two ways:

  • You can use an Intune policy to control which gestures users can and cannot use to sign in.

Important

In Windows 10 desktop and mobile versions prior to the Anniversary Update, you could set two different PINs that could be used to authenticate to resources:

  • The device PIN could be used to unlock the device and connect to cloud resources.
  • The work PIN was used to access Azure AD resources on users' personal devices (BYOD).

In the Anniversary Update, these two PINs were merged into one single device PIN. Any Intune configuration policies you set to control the device PIN, and any Windows Hello for Business policies you configured, now both set this new PIN value. If you have set both policy types to control the PIN, the Windows Hello for Business policy will be applied on both Windows 10 desktop and mobile devices. To ensure policy conflicts are resolved and that the PIN policy is applied correctly, update your Windows Hello for Business policy to match the settings in your configuration policy, and ask your users to sync their devices in the Company Portal app.

Create a Windows Hello for Business policy

  1. In the Azure portal, choose More Services > Monitoring + Management > Intune.

  2. On the Intune blade, choose Enroll devices, and then choose Manage > Windows Hello for Business.

  3. On the blade that opens, choose the Default settings.

  4. On the All Users blade, click Properties and then enter a Name and optional Description for the Windows Hello for Business settings.

  5. On the All Users blade, click Settings and then choose from the following for Configure Windows Hello for Business:

    • Disabled. If you don't want to use Windows Hello for Business, select this setting. All other settings on the screen are then unavailable.
    • Enabled. Select this setting if you want to configure Windows Hello for Business settings.
    • Not configured. Select this setting if you don't want to use Intune to control Windows Hello for Business settings. Any existing Windows Hello for Business settings on Windows 10 devices will not be changed. All other settings on the blade are unavailable.
  6. If you selected Enabled in the previous step, configure the required settings that will be applied to all enrolled Windows 10 and Windows 10 Mobile devices.

    • Use a Trusted Platform Module (TPM). A TPM chip provides an additional layer of data security.
      Choose one of the following values:

      • Required (default). Only devices with an accessible TPM can provision Windows Hello for Business.
      • Preferred. Devices first attempt to use a TPM. If this is not available, they can use software encryption.
    • Require minimum PIN length/Require maximum PIN length. Configures devices to use the minimum and maximum PIN lengths that you specify to help ensure secure sign-in. The default PIN length is 6 characters, but you can enforce a minimum length of 4 characters. The maximum PIN length is 127 characters.

    • Require lowercase letters in PIN/Require uppercase letters in PIN/Require special characters in PIN. You can enforce a stronger PIN by requiring the use of uppercase letters, lowercase letters, and special characters in the PIN. Choose from:

      • Allowed. Users can use the character type in their PIN, but it is not mandatory.

      • Required. Users must include at least one of the character types in their PIN. For example, it's common practice to require at least one uppercase letter and one special character.

      • Not allowed (default). Users must not use these character types in their PIN. (This is also the behavior if the setting is not configured.)
        Special characters include: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

    • PIN expiration (days). It's a good practice to specify an expiration period for a PIN, after which users must change it. The default is 41 days.

    • Remember PIN history. Restricts the reuse of previously used PINs. By default, the last 5 PINs cannot be reused.

    • Allow biometric authentication. Enables biometric authentication, such as facial recognition or fingerprint, as an alternative to a PIN for Windows Hello for Business. Users must still configure a work PIN in case biometric authentication fails. Choose from:

      • Yes. Windows Hello for Business allows biometric authentication.
      • No. Windows Hello for Business prevents biometric authentication (for all account types).
    • Use enhanced anti-spoofing, when available. Configures whether the anti-spoofing features of Windows Hello are used on devices that support it (for example, detecting a photograph of a face instead of a real face).
      If this is set to Yes, Windows requires all users to use anti-spoofing for facial features when that is supported.

    • Use phone sign-in. If this option is set to Yes, users can use a remote passport to serve as a portable companion device for desktop computer authentication. The desktop computer must be Azure Active Directory joined, and the companion device must be configured with a Windows Hello for Business PIN.
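
The PIN rules from step 6, modeled as an added example (not Intune or Windows code) so the interaction of the length limits, the three-state character rules and PIN history can be checked against candidate PINs. `PinPolicy`, `policy_errors` and `pin_violations` are hypothetical names. Assumptions: digits are always permitted, 6 is the default minimum length, and 4 is the lowest minimum that can be configured.

```python
import string
from dataclasses import dataclass

ALLOWED, REQUIRED, NOT_ALLOWED = "Allowed", "Required", "Not allowed"

# string.punctuation is exactly the special-character list given on the page.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "special": set(string.punctuation),
}
DIGITS = set(string.digits)  # assumption: digits are always permitted

@dataclass
class PinPolicy:  # hypothetical model; defaults are the ones the page states
    min_length: int = 6
    max_length: int = 127
    lowercase: str = NOT_ALLOWED
    uppercase: str = NOT_ALLOWED
    special: str = NOT_ALLOWED
    history: int = 5

def policy_errors(p):
    """Reject settings outside the limits the page gives (4 to 127)."""
    errs = []
    if p.min_length < 4:
        errs.append("minimum PIN length below 4")
    if p.max_length > 127:
        errs.append("maximum PIN length above 127")
    if p.min_length > p.max_length:
        errs.append("minimum exceeds maximum")
    return errs

def pin_violations(pin, p, previous=()):
    """Return the rules a candidate PIN breaks; an empty list means accepted."""
    out = []
    if not p.min_length <= len(pin) <= p.max_length:
        out.append("length")
    for name, chars in CLASSES.items():
        rule, present = getattr(p, name), any(c in chars for c in pin)
        if rule == REQUIRED and not present:
            out.append(f"{name} required")
        if rule == NOT_ALLOWED and present:
            out.append(f"{name} not allowed")
    if any(c not in DIGITS and not any(c in s for s in CLASSES.values()) for c in pin):
        out.append("unsupported character")
    # previous: constructed list of earlier PINs, oldest first, for illustration only
    if p.history and pin in list(previous)[-p.history:]:
        out.append("reused")
    return out
```

With the defaults every letter and special character is rejected, so a compliant PIN is digits only; switching a class to Required is what widens the PIN alphabet.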

Further information

For more information about Microsoft Passport, see the guide in the Windows 10 documentation.