-->
Prohibit PIN authentication and force password authentication? I'm looking to use Intune for the first time for a client. From what I've discovered, it appears that using Intune asks the users to setup a PIN to sign into their Azure AD-joined computer. Active Directory If your laptop/desktop (Windows 8.1 or later) or your Windows Server (2012 and later) is joined to a classic Active Directory, you can use a YubiKey for login using the Smart Card functionality. Learn more about smart card login. The desktop computer must be Azure Active Directory joined, and the companion device must be configured with a Windows Hello for Business PIN. Use security keys for sign-in: When set to Enable, this setting provides the capacity for remotely turning ON/OFF Windows Hello Security Keys for all computers in a customer's organization. The goal is to setup smart card authentication without the need to input a pin or password for some active directory users on our domain (not all of our users). I seem to find contradicting views on whether this is possible or not.
This article provides a resolution to make sure you can configure a PIN when Convenience PIN and Hello for Business policies are enabled in Windows 10.
Original product version: Windows 10 - all editions
Original KB number: 3201940
Symptoms
Users who are running Windows 10 Version 1607 or later version of Windows 10 and who are joined to an Active Directory domain cannot create a convenience PIN. Whereas users who are running Windows 10 Version 1511 or earlier can do so without a problem.
When users navigate to Settings > Accounts > Sign-in options, the option to set a PIN is unavailable (appears dimmed), and therefore it can't be configured.
Additionally, if a user has already configured a convenience PIN in an earlier version of Windows 10 and then upgrades to Windows 10 Version 1607 or later, the PIN works until the user navigates to Settings > Accounts > Sign-in options > I forgot my PIN. In this situation, the option to create a PIN is unavailable (appears dimmed). This issue also does not affect Windows 10 Version 1511 and earlier.
Cause
Windows 10 Version 1607 and later includes new functionality that differentiates Windows Hello for Business from a convenience sign-in PIN. Traktor pro 2 audio setup.
Windows Hello for Business has strong user authentication properties that are frequently and mistakenly assumed to be functioning when the Windows Hello for Business infrastructure is not in place and when a user is using a convenience PIN. This change prevents the creation of a PIN in Windows 10 and later version without Windows Hello for Business.
Additionally, a user cannot create a convenience PIN in Windows 10 Version 1607 and later version when the Use Convenience PIN and Use Windows Hello for Business policies are both enabled unless the device is joined to Azure Active Directory in some way (for example, it is either Azure AD-joined or has the Computer ConfigurationAdministrative TemplatesWindows Componentsdevice registrationRegister domain joined computers as devices policy enabled).
To allow convenience PINs to be created on devices that are not joined to Azure AD, make sure that the following conditions are true:
- The Use Windows Hello for Business policy is not enabled.
- The Turn on convenience PIN sign-in policy is enabled.
Resolution
To use a convenience PIN in Windows 10 Version 1607 or later, the following Group Policy setting must be configured:
- Policy: Turn on convenience PIN sign-in
- Category: Path Computer ConfigurationAdministrative TemplatesSystemLogon
Note
- The GPO specifies Windows Server 2012, Windows 8, Windows RT, Windows Server 2012 R2, Windows 8.1, and Windows RT 8.1 only. This is incorrect and will be updated at a later date. This policy does apply to Windows 10 and lets the user set a convenience PIN.
- Enabling a PIN in this manner does not provide the same level of security as using a PIN with the Windows Hello for Business infrastructure configured.
PIN complexity: Manage PIN complexity in the standard way by using policies that are found in the following location:
Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Hello for Business PIN Complexity
Do not configure settings other than PIN complexity if you want to use a convenience PIN. Having Windows Hello for Business and Turn on convenience PIN sign-in enabled prevents you from setting a PIN.
More information
When Windows Hello for Business is not in place and a user has a convenience PIN configured, the user is using a password stuffer, which does not have any of the security qualities of Windows Hello for Business. Password stuffers are convenience sign-in PINs and are controlled by the Turn on convenience PIN sign-in Group Policy setting.
Microsoft made this default behavior since Windows 10 Version 1607. The security offered by this default behavior can be decreased at the user's own discretion by enabling a convenience PIN.
For more information, see Windows Hello for Business.
-->Applies to
- Windows 10
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
Important
The Group Policy setting Turn on PIN sign-in does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting Turn on convenience PIN sign-in.
Use PIN Complexity policy settings to manage PINs for Windows Hello for Business.
Group Policy settings for Windows Hello for Business
The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in User configuration and Computer Configuration under Policies > Administrative Templates > Windows Components > Windows Hello for Business.
Note
Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: Computer Configuration > Administrative Templates > System > PIN Complexity.
| Policy | Scope | Options | |
|---|---|---|---|
| Use Windows Hello for Business | Computer or user | Not configured: Device does not provision Windows Hello for Business for any user. Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. Disabled: Device does not provision Windows Hello for Business for any user. | |
| Use a hardware security device | Computer | Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set. Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. | |
| Use certificate for on-premises authentication | Computer or user | Not configured: Windows Hello for Business enrolls a key that is used for on-premises authentication. Enabled: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication. Disabled: Windows Hello for Business enrolls a key that is used for on-premises authentication. | |
| Use PIN recovery | Computer | Added in Windows 10, version 1703 Not configured: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset. Disabled: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see Windows Hello for Business PIN Reset. | |
| Use biometrics | Computer | Not configured: Biometrics can be used as a gesture in place of a PIN. Enabled: Biometrics can be used as a gesture in place of a PIN. Disabled: Only a PIN can be used as a gesture. | |
| PIN Complexity | Require digits | Computer | Not configured: Users must include a digit in their PIN. Enabled: Users must include a digit in their PIN. Disabled: Users cannot use digits in their PIN. |
| Require lowercase letters | Computer | Not configured: Users cannot use lowercase letters in their PIN. Enabled: Users must include at least one lowercase letter in their PIN. Disabled: Users cannot use lowercase letters in their PIN. | |
| Maximum PIN length | Computer | Not configured: PIN length must be less than or equal to 127. Enabled: PIN length must be less than or equal to the number you specify. Disabled: PIN length must be less than or equal to 127. | |
| Minimum PIN length | Computer | Not configured: PIN length must be greater than or equal to 4. Enabled: PIN length must be greater than or equal to the number you specify. Disabled: PIN length must be greater than or equal to 4. | |
| Expiration | Computer | Not configured: PIN does not expire. Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0. Disabled: PIN does not expire. | |
| History | Computer | Not configured: Previous PINs are not stored. Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused. Disabled: Previous PINs are not stored. | |
| Require special characters | Computer | Not configured: Users cannot include a special character in their PIN. Enabled: Users must include at least one special character in their PIN. Disabled: Users cannot include a special character in their PIN. | |
| Require uppercase letters | Computer | Not configured: Users cannot include an uppercase letter in their PIN. Enabled: Users must include at least one uppercase letter in their PIN. Disabled: Users cannot include an uppercase letter in their PIN. | |
| Phone Sign-in | Use Phone Sign-in | Computer | Not currently supported. |
Audit Active Directory Logins
MDM policy settings for Windows Hello for Business
The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the PassportForWork configuration service provider (CSP).
Important
Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
| Policy | Scope | Default | Options | |
|---|---|---|---|---|
| UsePassportForWork | Device or user | True | True: Windows Hello for Business will be provisioned for all users on the device. False: Users will not be able to provision Windows Hello for Business. Note If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices. | |
| RequireSecurityDevice | Device or user | False | True: Windows Hello for Business will only be provisioned using TPM. False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. | |
| ExcludeSecurityDevice | TPM12 | Device | False | Added in Windows 10, version 1703 True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. |
| EnablePinRecovery | Device or user | False | Added in Windows 10, version 1703 True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset. False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see Windows Hello for Business PIN Reset. | |
| Biometrics | UseBiometrics | Device | False | True: Biometrics can be used as a gesture in place of a PIN for domain sign-in. False: Only a PIN can be used as a gesture for domain sign-in. |
FacialFeaturesUser EnhancedAntiSpoofing | Device | Not configured | Not configured: users can choose whether to turn on enhanced anti-spoofing. True: Enhanced anti-spoofing is required on devices which support it. False: Users cannot turn on enhanced anti-spoofing. | |
| PINComplexity | ||||
| Digits | Device or user | 1 | 0: Digits are allowed. 1: At least one digit is required. 2: Digits are not allowed. | |
| Lowercase letters | Device or user | 2 | 0: Lowercase letters are allowed. 1: At least one lowercase letter is required. 2: Lowercase letters are not allowed. | |
| Special characters | Device or user | 2 | 0: Special characters are allowed. 1: At least one special character is required. 2: Special characters are not allowed. | |
| Uppercase letters | Device or user | 2 | 0: Uppercase letters are allowed. 1: At least one uppercase letter is required. 2: Uppercase letters are not allowed. | |
| Maximum PIN length | Device or user | 127 | Maximum length that can be set is 127. Maximum length cannot be less than minimum setting. | |
| Minimum PIN length | Device or user | 4 | Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting. | |
| Expiration | Device or user | 0 | Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire. | |
| History | Device or user | 0 | Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. | |
| Remote | UseRemotePassport | Device or user | False | Not currently supported. |
Note
In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN.
Policy conflicts from multiple policy sources
Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device.
Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source.
Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis.
Note
Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP.
Examples
Active Directory Enable Pin Login
The following are configured using computer Group Policy:
- Use Windows Hello for Business - Enabled
- User certificate for on-premises authentication - Enabled
- Require digits - Enabled
- Minimum PIN length - 6
Active Directory Logon Log
The following are configured using device MDM Policy:
- UsePassportForWork - Disabled
- UseCertificateForOnPremAuth - Disabled
- MinimumPINLength - 8
- Digits - 1
- LowercaseLetters - 1
- SpecialCharacters - 1
Enforced policy set:
- Use Windows Hello for Business - Enabled
- Use certificate for on-premises authentication - Enabled
- Require digits - Enabled
- Minimum PIN length - 6d
Active Directory Service Account
How to use Windows Hello for Business with Azure Active Directory
Active Directory Pin Login Page
There are three scenarios for using Windows Hello for Business in Azure AD–only organizations:
- Organizations that use the version of Azure AD included with Office 365. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant's directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
- Organizations that use the free tier of Azure AD. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won't be enabled unless and until the organization's administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered.
- Organizations that have subscribed to Azure AD Premium have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device.
If you want to use Windows Hello for Business with certificates, you'll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.