Windows Hello for Business

The Windows Hello for Business settings allow you to use public key or certificate-based authentication beyond passwords. This setting configures the PIN policy and enforces the use of a PIN to unlock a Windows device.

Table 1. Windows Hello for Business settings
Each entry below gives the policy setting, its description, and the supported devices.

Configure Windows Hello for Business
Description: Choose whether to enforce the use of a PIN to unlock a Windows 10+ device. The device must be restarted for changes to the Windows Hello for Business policy to take effect.
Note: The Windows Hello for Business policy overrides the Passcode policy for Windows Phones.
Supported devices:
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic

Passport for work settings

Configure PIN policy
Description: If this setting is enabled, the policy restricts devices to using a simple PIN to unlock the device and lets you configure the PIN settings.
Supported devices:
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic

Minimum PIN length (4-127 characters)
Description: Specifies the minimum PIN length, in the range of 4 - 127 characters. The largest value that is supported for the minimum PIN length is 127.
Supported devices:
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic

Maximum PIN length (4-127 characters)
Description: Specifies the maximum PIN length, in the range of 4 - 127 characters. The smallest value that is supported for the maximum PIN length is 4.
Supported devices:
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic

Digits
Description: Choose whether to allow any digits, not allow any digits, or require at least one digit in the PIN.
Supported devices:
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic

Upper case characters
Description: Choose whether to allow any uppercase characters, not allow any uppercase characters, or require at least one uppercase character in the PIN.
Supported devices:
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic

Lower case characters
Description: Choose whether to allow any lowercase characters, not allow any lowercase characters, or require at least one lowercase character in the PIN.
Supported devices:
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic

Special characters
Description: Choose whether to allow any special characters, not allow any special characters, or require at least one special character in the PIN. Valid special characters: !"#$%&'()*+;-./:;<=>?@[\]^_`{|}~
Supported devices:
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic

Maximum PIN age (1-730 days, or blank)
Description: Specifies when the PIN expires and must be reset. Supported values are 1 - 730 days, or leave the field blank to never allow the PIN to expire.
Supported devices:
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic

Number of unique PINs required before reuse is allowed (1-50 or blank)
Description: Specifies the number of unique PINs that must be used before a previous PIN can be reused. Supported values are 1 - 50, or leave the field blank to never allow the user to reuse a previous PIN.
Supported devices:
  • Windows Phone 10+
  • Windows 10+ Professional, Education, Enterprise
  • Windows Holographic

Allow use of biometrics (facial recognition or fingerprint)
Description: Choose whether to allow biometrics offered by Microsoft, such as facial recognition or fingerprint, to be used as the PIN to unlock the device. Choose whether to enforce anti-spoofing for facial recognition.
  • Enforce enhanced anti-spoofing for facial recognition: If this setting is enabled, anti-spoofing is enforced for Microsoft's facial recognition technology when used as a biometric. This setting is displayed if you enabled the Allow use of biometrics setting.
Supported devices:
  • Windows 10+ Professional, Education, Enterprise

Enable PIN Recovery
Description: If this setting is enabled, users can reset a forgotten PIN for a device using the Microsoft PIN Reset service. For more information, see https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.
Supported devices:
  • Windows 10+ Professional, Education, Enterprise

Allow remote companion device for desktop authentication
Description: Choose whether to allow remote companion devices for desktop authentication. If this setting is enabled, you can use portable registered devices as a companion device for desktop authentication.
Supported devices:
  • Windows 10+ Professional, Education, Enterprise

Require TPM
Description: If this setting is enabled, only devices with a usable trusted platform module (TPM) can provision Windows Hello for Business.
Supported devices:
  • Windows 10+ Professional, Education, Enterprise
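
The ranges and the allow / not allow / require choices in Table 1 can be checked mechanically before a policy is published, and a candidate PIN can be tested against the result. The following is an added example, not code from the product or its vendor; the dictionary keys, the rule names allow, not_allow and require, and None standing for a blank field are assumptions made for the illustration.

```python
import string

# Character classes from Table 1; the special set is copied verbatim from this page.
CLASSES = {"digits": set(string.digits), "uppercase": set(string.ascii_uppercase),
           "lowercase": set(string.ascii_lowercase),
           "special": set("!\"#$%&'()*+;-./:;<=>?@[\\]^_`{|}~")}
RULES = ("allow", "not_allow", "require")  # assumed names for the three choices


def validate_policy(p):
    """Return a list of problems in a policy dict (keys are assumed names)."""
    errs = []
    lo, hi = p.get("min_len"), p.get("max_len")
    for name, v in (("min_len", lo), ("max_len", hi)):
        if not isinstance(v, int) or not 4 <= v <= 127:
            errs.append(f"{name} must be 4-127")
    if not errs and lo > hi:
        errs.append("min_len exceeds max_len")
    for name, top in (("max_age_days", 730), ("history", 50)):
        v = p.get(name)  # None models a field left blank
        if v is not None and not (isinstance(v, int) and 1 <= v <= top):
            errs.append(f"{name} must be 1-{top} or blank")
    rules = {c: p.get(c, "allow") for c in CLASSES}
    errs += [f"{c}: unknown rule {r!r}" for c, r in rules.items() if r not in RULES]
    if all(r == "not_allow" for r in rules.values()):
        errs.append("every character class is disallowed")
    return errs


def check_pin(pin, p):
    """Return the reasons a candidate PIN violates an already validated policy."""
    why = []
    if not p["min_len"] <= len(pin) <= p["max_len"]:
        why.append("length out of range")
    for c, chars in CLASSES.items():
        rule, hit = p.get(c, "allow"), bool(chars & set(pin))
        if rule == "require" and not hit:
            why.append(f"missing required {c}")
        if rule == "not_allow" and hit:
            why.append(f"contains forbidden {c}")
    if set(pin) - set().union(*CLASSES.values()):
        why.append("character outside the four classes")
    return why


# Constructed sample policies, not taken from any real deployment.
GOOD = {"min_len": 6, "max_len": 12, "digits": "require", "uppercase": "not_allow",
        "lowercase": "allow", "special": "allow", "max_age_days": None, "history": 5}
BAD = dict(GOOD, min_len=16, max_age_days=900)
```

Run validate_policy on a draft before assigning it; a minimum above the maximum, or a policy that disallows every character class, leaves users unable to set any PIN.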