-- Windows Hello for BusinessConfiguration for Windows Hello for BusinessWindows Hello for BusinessPIN ComplexityUse Windows Hello for BusinessUse certificate for on-premises authenticationWindows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards.
If you enable this policy, the device provisions Windows Hello for Business using keys or certificates for all users.
If you disable this policy setting, the device does not provision Windows Hello for Business for any user.
If you do not configure this policy setting, users can provision Windows Hello for Business as a convenience credential that encrypts their domain password.
Select "Do not start Windows Hello provisioning after sign-in" when you use a third-party solution to provision Windows Hello for Business.
If you select "Do not start Windows Hello provisioning after sign-in", Windows Hello for Business does not automatically start provisioning after the user has signed in.
If you do not select "Do not start Windows Hello provisioning after sign-in", Windows Hello for Business automatically starts provisioning after the user has signed in.
Use a hardware security deviceA Trusted Platform Module (TPM) provides additional security benefits over software because data protected by it cannot be used on other devices.
If you enable this policy setting, Windows Hello for Business provisioning only occurs on devices with usable 1.2 or 2.0 TPMs. You can optionally exclude security devices, which prevents Windows Hello for Business provisioning from using those devices.
If you disable or do not configure this policy setting, the TPM is still preferred, but all devices may provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
Minimum PIN lengthMinimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.
If you configure this policy setting, the PIN length must be greater than or equal to this number.
If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4.
NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
Maximum PIN lengthMaximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater.
If you configure this policy setting, the PIN length must be less than or equal to this number.
If you disable or do not configure this policy setting, the PIN length must be less than or equal to 127.
NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
Require uppercase lettersUse this policy setting to configure the use of uppercase letters in the PIN.
If you enable this policy setting, Windows requires users to include at least one uppercase letter in their PIN.
If you disable or do not configure this policy setting, Windows does not allow users to use uppercase letters in their PIN.
Require lowercase lettersUse this policy setting to configure the use of lowercase letters in the PIN.
If you enable this policy setting, Windows requires users to include at least one lowercase letter in their PIN.
If you disable or do not configure this policy setting, Windows does not allow users to use lowercase letters in their PIN.
Require special characters ? @ [ \ ] ^ _ ` { | } ~ .
If you enable this policy setting, Windows requires users to include at least one special character in their PIN.
If you disable or do not configure this policy setting, Windows does not allow users to use special characters in their PIN.]]>
Require digitsUse this policy setting to configure the use of digits in the PIN.
If you enable or do not configure this policy setting, Windows requires users to include at least one digit in their PIN.
If you disable this policy setting, Windows does not allow users to use digits in their PIN.
HistoryThis setting specifies the number of past PINs that can be associated to a user account that can’t be reused. This policy enables administrators to enhance security by ensuring that old PINs are not reused continually. PIN history is not preserved through PIN reset.
The value must be between 0 to 50 PINs. If this policy is set to 0, then storage of previous PINs is not required.
Default: 0.
ExpirationThis setting specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The PIN can be set to expire after any number of days between 1 and 730, or PINs can be set to never expire if the policy is set to 0.
Default: 0.
Use biometricsWindows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However users must still configure a PIN to use in case of failures.
If you enable or do not configure this policy setting, Windows Hello for Business allows the use biometric gestures.
If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures.
NOTE: Disabling this policy prevents the user of biometric gestures on the device for all account types.
Use PIN RecoveryPIN recovery enables a user to change a forgotten PIN using the Windows Hello for Business PIN recovery service, without losing any associated credentials or certificates, including any keys associated with the user's personal accounts on the device. To achieve this, the Azure-based PIN recovery service encrypts a recovery secret, which is stored on the device, and requires both the PIN recovery service and the device to decrypt. PIN recovery requires the user to perform multi-factor authentication to Azure Active Directory.
If you enable this policy setting, Windows Hello for Business uses the PIN recovery service.
If you disable or do not configure this policy setting, Windows does not create or store the PIN recovery secret. If the user forgets their PIN, they must delete their existing PIN and create a new one, and they will have to to re-register with any services to which the old PIN provided access.
NOTE: This policy is only applicable to devices which are registered with Azure Active Directory.
Use this policy setting to configure Windows Hello for Business to enroll a sign-in certificate used for on-premises authentication.
If you enable this policy setting, Windows Hello for Business enrolls a sign-in certificate that is used for on-premises authentication.
If you disable or do not configure this policy setting, Windows Hello for Business enrolls a key that is used for on-premises authentication.
NOTE: Disabling or not configuring this policy setting and enabling the "Use Windows Hello for Business" policy setting requires the environment to have one or more Windows Server 2016 domain controllers to prevent Windows Hello for Business authentication from failing.
Configure device unlock factorsConfigure a comma separated list of credential provider GUIDs, such as face and fingerprint provider GUIDs, to be used as the first and second unlock factors. If the trusted signal provider is specified as one of the unlock factors, you should also configure a comma separated list of signal rules in the form of xml for each signal type to be verified.
If you enable this policy setting, the user will have to use one factor from each list to successfully unlock.
If you disable or do not configure this policy setting, users can continue to unlock with existing unlock options.
For more information see: https://go.microsoft.com/fwlink/?linkid=849684
Configure dynamic lock factorsConfigure a comma separated list of signal rules in the form of xml for each signal type.
If you enable this policy setting, these signal rules will be evaluated to detect user absence and automatically lock the device.
If you disable or do not configure this policy setting, users can continue to lock with existing locking options.
For more information see: https://go.microsoft.com/fwlink/?linkid=849684
Turn off smart card emulationWindows Hello for Business automatically provides smart card emulation for compatibility with smart card enabled applications.
If you enable this policy setting, Windows Hello for Business provisions Windows Hello for Business credentials that are not compatible with smart card applications.
If you disable or do not configure this policy setting, Windows Hello for Business provisions Windows Hello for Business credentials compatible with smart card applications.
NOTE: This policy affects Windows Hello for Business credentials at the time of creation. Credentials created before the application of this policy continue to provide smart card emulation. To change an existing credential, enable this policy setting and select "I forgot my PIN" from Settings.
Allow enumeration of emulated smart card for all usersWindows prevents users on the same computer from enumerating provisioned Windows Hello for Business credentials for other users.
If you enable this policy setting, Windows allows all users of the computer to enumerate all Windows Hello for Business credentials, but still require each user to provide their own factors for authentication.
If you disable or do not configure this policy setting, Windows does not allow the enumeration of provisioned Windows Hello for Business credentials for other users on the same device.
This policy setting is designed for a single user who has enrolled privileged and non-privileged on a single device. The user owns both credentials, which enables them to sign-in using non-privileged credentials, but can performed elevated tasks without signing-out.
This policy setting is incompatible with Windows Hello for Business credentials provisioned when the "Turn off smart card emulation" is enabled.
Windows requires a reboot after you apply this setting to a computer.
Use Windows Hello for Business certificates as smart card certificatesIf you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key.
This policy setting is incompatible with Windows Hello for Business credentials provisioned when the "Turn off smart card emulation" is enabled.
Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in.
Minimum PIN lengthMaximum PIN lengthUppercase letters:Lowercase letters:Special characters:digits:PIN HistoryPIN ExpirationDo not use the following security devices:TPM 1.2Do not start Windows Hello provisioning after sign-in{D6886603-9D2F-4EB2-B667-1971041FA96B},{8AF662BF-65A0-4D0A-A540-A338A999D36F},{BEC09223-B018-416D-A0AC-523971B639F5}{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B} ]]> ]]> --