Windows Hello for Business
The Windows Hello for Business settings allow you to use public key or certificate-based authentication beyond passwords. This setting configures the PIN policy and enforces the use of a PIN to unlock a Windows device.
Policy setting | Description | Supported devices |
---|---|---|
Configure Windows Hello for Business | Choose whether to enforce the use of a PIN to unlock a Windows 10+ device. The device must be restarted for changes to the Windows Hello for Business policy to take effect. Note: The Windows Hello for Business policy overrides the Passcode policy for Windows Phones. | |
Passport for work settings | | |
Configure PIN policy | If this setting is enabled, the policy restricts devices to use a simple PIN to unlock the device and configure the PIN settings. | |
Minimum PIN length (4-127 characters) | Specifies the minimum password length in the range of 4 - 127 characters. The maximum PIN length value that is supported for minimum PIN length is 127. | |
Maximum PIN length (4-127 characters) | Specifies the maximum password length in the range of 4 - 127 characters. The minimum PIN length value that is supported for maximum PIN length is 4. | |
Digits | Choose whether to allow any digits, not allow any digits, or require at least one digit in the PIN. | |
Upper case characters | Choose whether to allow any uppercase characters, not allow any uppercase characters, or require at least one uppercase character in the PIN. | |
Lower case characters | Choose whether to allow any lowercase characters, not allow any lowercase characters, or require at least one lowercase character in the PIN. | |
Special characters | Choose whether to allow any special characters, not allow any special characters, or require at least one special character in the PIN. Valid special characters: !"#$%&'()*+;-./:;<=>?@[\]^_`{|}~ | |
Maximum PIN age (1-730 days, or blank) | Specifies when the PIN expires and must be reset. Supported values are 1 - 730 days or leave the field blank to never allow the PIN to expire. | |
Number of unique PINs required before reuse is allowed (1-50 or blank) | Specifies the number of times that unique PINs are used before those PINs are reused. Supported values are 1 - 50 or leave the field blank to never allow the user to reuse a previous PIN. | |
Allow use of biometrics (facial recognition or fingerprint) | Choose whether to allow biometrics offered by Microsoft, such as facial recognition or fingerprint as the PIN, to unlock the device. Choose whether to enforce anti-spoofing for facial recognition. | Windows 10+ Professional, Education, Enterprise |
Enable PIN Recovery | If this setting is enabled, users can reset a forgotten PIN for a device using the Microsoft PIN Reset service. For more information, see https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset. | Windows 10+ Professional, Education, Enterprise |
Allow remote companion device for desktop authentication | Choose whether to allow remote companion devices for desktop authentication. If this setting is enabled, you can use portable registered devices as a companion device for desktop authentication. | Windows 10+ Professional, Education, Enterprise |
Require TPM | If this setting is enabled, only devices with a usable trusted platform module (TPM) can provision Windows Hello for Business. | Windows 10+ Professional, Education, Enterprise |
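
The following is an added example, not code from the product or from Microsoft. It checks a PIN policy profile against the ranges in the table above before deployment and tests a candidate PIN against the allow / not allow / require rules. The dictionary keys and the sample profile are assumptions made for illustration; the special character set is copied from the table.

```python
import string

# Character classes; the special set is copied from the table above.
CLASSES = {
    "digits": set(string.digits),
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "special": set("!\"#$%&'()*+;-./:;<=>?@[\\]^_`{|}~"),
}
RULES = ("allow", "disallow", "require")

def _in_range(value, lo, hi, blank_ok=False):
    return (blank_ok and value is None) or (isinstance(value, int) and lo <= value <= hi)

def check_profile(p):
    """Return problems found in a PIN policy profile (dict keys are hypothetical)."""
    errs = []
    if not _in_range(p["min_length"], 4, 127):
        errs.append("min_length must be 4-127")
    if not _in_range(p["max_length"], 4, 127):
        errs.append("max_length must be 4-127")
    if not errs and p["min_length"] > p["max_length"]:
        errs.append("min_length exceeds max_length")
    if not _in_range(p.get("max_age_days"), 1, 730, blank_ok=True):
        errs.append("max_age_days must be 1-730 or blank")
    if not _in_range(p.get("history"), 1, 50, blank_ok=True):
        errs.append("history must be 1-50 or blank")
    rules = [p.get(name, "allow") for name in CLASSES]
    if any(r not in RULES for r in rules):
        errs.append("character rule must be allow, disallow or require")
    elif all(r == "disallow" for r in rules):
        errs.append("every character class is disallowed; no PIN can satisfy the policy")
    return errs

def check_pin(pin, p):
    """Return the reasons a candidate PIN violates the profile (empty list = compliant)."""
    errs = []
    if not p["min_length"] <= len(pin) <= p["max_length"]:
        errs.append("length outside min/max")
    for name, chars in CLASSES.items():
        present = any(ch in chars for ch in pin)
        rule = p.get(name, "allow")
        if rule == "require" and not present:
            errs.append(f"{name}: at least one required")
        elif rule == "disallow" and present:
            errs.append(f"{name}: not allowed")
    if any(all(ch not in chars for chars in CLASSES.values()) for ch in pin):
        errs.append("character outside the supported sets")
    return errs

# Constructed sample profile, not taken from the page.
SAMPLE = {"min_length": 6, "max_length": 12, "digits": "require", "upper": "allow",
          "lower": "require", "special": "disallow", "max_age_days": 90, "history": 5}
```
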