This reference article provides a comprehensive list of policy settings for Windows Hello for Business. The list of settings is sorted alphabetically and organized in four categories:
Configure a comma-separated list of credential provider GUIDs, such as the face and fingerprint provider GUIDs, to be used as the first and second unlock factors. If the trusted signal provider is specified as one of the unlock factors, you should also configure a comma-separated list of signal rules, in XML, for each signal type to be verified.
If you enable this policy setting, the user must use one factor from each list to successfully unlock. If you disable or don't configure this policy setting, users can continue to unlock with existing options.
| | Path |
|--|--|
| CSP | `./Device/Vendor/MSFT/PassportForWork/DeviceUnlock` |
| GPO | Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business |
For more information, see Multi-factor unlock.
Configure a comma-separated list of signal rules, in XML, for each signal type.
- If you enable this policy setting, the signal rules are evaluated to detect user absence and automatically lock the device
- If you disable or don't configure this policy setting, users can continue to lock with existing options
| | Path |
|--|--|
| CSP | `./Device/Vendor/MSFT/PassportForWork/DynamicLock/DynamicLock` |
| GPO | Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business |
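The two settings above share one payload format: comma-separated credential provider GUID lists for the unlock factors, and `<rule>` XML for the trusted signals (the same signal syntax drives dynamic lock, with a different `scenario`). The following is an added example, not code from Microsoft or from this article. It builds the values and checks them for the mistakes that silently break the policy (malformed GUIDs, an empty factor list, a trusted signal provider listed without any signal rules, XML that does not parse). The provider GUIDs and the signal element and attribute names are the ones Microsoft publishes in the Multi-factor unlock and Dynamic lock articles; verify them against the documentation for your build, and take how several rules are concatenated into a single policy value from that documentation rather than from this example.

```python
import re
import xml.etree.ElementTree as ET

# Credential provider GUIDs published for multi-factor unlock
# (verify against the Multi-factor unlock article for your Windows build).
PROVIDERS = {
    "pin": "{D6886603-9D2F-4EB2-B667-1971041FA96B}",
    "fingerprint": "{BEC09223-B018-416D-A0AC-523971B639F5}",
    "face": "{8AF662BF-65A0-4D0A-A540-A338A999D36F}",
    "trusted_signal": "{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}",
}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
SIGNAL_TYPES = {"bluetooth", "ipConfig", "wifi"}   # signal types the rule schema defines


def provider_list(*names):
    """Comma-separated GUID list, the format the first/second factor values take."""
    return ",".join(PROVIDERS[n] for n in names)


def bluetooth_rule(scenario, class_of_device=512, rssi_min=-10, rssi_max_delta=-10):
    """One <rule> holding a bluetooth signal. scenario is "Authentication" for
    multi-factor unlock or "Dynamic Lock" for dynamic lock; 512 is the phone
    class of device."""
    rule = ET.Element("rule", schemaVersion="1.0")
    ET.SubElement(rule, "signal", type="bluetooth", scenario=scenario,
                  classOfDevice=str(class_of_device), rssiMin=str(rssi_min),
                  rssiMaxDelta=str(rssi_max_delta))
    return ET.tostring(rule, encoding="unicode")


def ipconfig_rule(ipv4_prefix, ipv4_dns_server, dns_suffix):
    """One <rule> holding an ipConfig signal: the device is on a trusted network."""
    rule = ET.Element("rule", schemaVersion="1.0")
    sig = ET.SubElement(rule, "signal", type="ipConfig")
    ET.SubElement(sig, "ipv4Prefix").text = ipv4_prefix
    ET.SubElement(sig, "ipv4DnsServer").text = ipv4_dns_server
    ET.SubElement(sig, "dnsSuffix").text = dns_suffix
    return ET.tostring(rule, encoding="unicode")


def check_signal_rule(xml_text):
    """Problems with one signal rule (an empty list means it passed)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "rule" or root.get("schemaVersion") != "1.0":
        problems.append('root element must be <rule schemaVersion="1.0">')
    signals = root.findall("signal")
    if not signals:
        problems.append("rule contains no <signal> element")
    for sig in signals:
        if sig.get("type") not in SIGNAL_TYPES:
            problems.append(f"unknown signal type {sig.get('type')!r}")
        if sig.get("type") == "bluetooth" and sig.get("scenario") not in ("Authentication", "Dynamic Lock"):
            problems.append("bluetooth signal needs scenario Authentication or Dynamic Lock")
    return problems


def check_device_unlock(first_factors, second_factors, signal_rules):
    """Validate the two factor lists plus the signal rules as one policy."""
    problems = []
    for name, value in (("first factors", first_factors), ("second factors", second_factors)):
        guids = [g.strip() for g in value.split(",") if g.strip()]
        if not guids:
            problems.append(f"{name}: list is empty")
        problems += [f"{name}: bad GUID {g!r}" for g in guids if not GUID_RE.match(g)]
    # A trusted signal factor is unusable unless at least one signal rule exists.
    if PROVIDERS["trusted_signal"] in first_factors + second_factors and not signal_rules:
        problems.append("trusted signal provider listed but no signal rules configured")
    for rule in signal_rules:
        problems += check_signal_rule(rule)
    return problems


if __name__ == "__main__":
    rules = [bluetooth_rule("Authentication"),
             ipconfig_rule("10.10.10.0/24", "10.10.0.1", "corp.example.com")]  # constructed sample values
    print(check_device_unlock(provider_list("pin"),
                              provider_list("fingerprint", "trusted_signal"), rules))
    print(bluetooth_rule("Dynamic Lock"))
```

Run the checks against the values you intend to push (or against the values read back from a device) before relying on the policy: an unlock policy whose second factor is the trusted signal provider with no rules behind it does not degrade gracefully, it simply cannot be satisfied.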
Use a hardware security device
A Trusted Platform Module (TPM) provides additional security benefits over software because data protected by it can't be used on other devices.
- If you enable this policy setting, Windows Hello for Business provisioning only occurs on devices with usable 1.2 or 2.0 TPMs. You can optionally exclude TPM revision 1.2 modules, which prevents Windows Hello for Business provisioning on those devices
Tip
The TPM 1.2 specification only allows RSA keys and the SHA-1 hash algorithm. TPM 1.2 implementations also vary in their lockout policies, which can cause support issues. It's recommended to exclude TPM 1.2 devices from Windows Hello for Business provisioning.
- If you disable or don't configure this policy setting, the TPM is still preferred, but all devices can provision Windows Hello for Business using software keys if the TPM is nonfunctional or unavailable.
| | Path |
|--|--|
| CSP | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`<br>`./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/ExcludeSecurityDevices/TPM12` |
| GPO | Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business |
Use certificate for on-premises authentication
Use this policy setting to configure Windows Hello for Business to enroll a sign-in certificate used for on-premises authentication.
- If you enable this policy setting, Windows Hello for Business enrolls a sign-in certificate that is used for on-premises authentication
- If you disable or don't configure this policy setting, Windows Hello for Business will use a key or a Kerberos ticket (depending on other policy settings) for on-premises authentication
| | Path |
|--|--|
| CSP | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCertificateForOnPremAuth` |
| GPO | Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business<br>User Configuration > Administrative Templates > Windows Components > Windows Hello for Business |
Use cloud trust for on-premises authentication
Use this policy setting to configure Windows Hello for Business to use the cloud Kerberos trust model.
- If you enable this policy setting, Windows Hello for Business uses a Kerberos ticket retrieved from authenticating to Microsoft Entra ID for on-premises authentication
- If you disable or don't configure this policy setting, Windows Hello for Business uses a key or certificate (depending on other policy settings) for on-premises authentication
| | Path |
|--|--|
| CSP | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth` |
| GPO | Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business |
Note
Cloud Kerberos trust is incompatible with certificate trust. If the certificate trust policy setting is enabled, it takes precedence over this policy setting.
Use Windows Hello for Business
- If you enable this policy, the device provisions Windows Hello for Business using keys or certificates for all users
- If you disable this policy setting, the device doesn't provision Windows Hello for Business for any user
- If you don't configure this policy setting, users can provision Windows Hello for Business
Select the option Don't start Windows Hello provisioning after sign-in when you use a non-Microsoft solution to provision Windows Hello for Business:
- If you select Don't start Windows Hello provisioning after sign-in, Windows Hello for Business doesn't automatically start provisioning after the user has signed in
- If you don't select Don't start Windows Hello provisioning after sign-in, Windows Hello for Business automatically starts provisioning after the user has signed in
| | Path |
|--|--|
| CSP | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`<br>`./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/DisablePostLogonProvisioning` |
| GPO | Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business<br>User Configuration > Administrative Templates > Windows Components > Windows Hello for Business |
Expiration
This setting specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The PIN can be set to expire after any number of days between 1 and 730, or PINs can be set to never expire if the policy is set to 0.
The default value is 0.
History
This setting specifies the number of past PINs associated with a user account that can't be reused. This policy enhances security by ensuring that old PINs aren't reused continually. The value must be between 0 and 50 PINs. If this policy is set to 0, previous PINs aren't stored.
The default value is 0.
Note
PIN history is not preserved through PIN reset.
Maximum PIN length
Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest value you can configure for this policy setting is 127. The smallest value you can configure must be larger than the value configured in the Minimum PIN length policy setting or 4, whichever is greater. If you configure this policy setting, the PIN length must be less than or equal to this number.
If you disable or don't configure this policy setting, the PIN length must be less than or equal to 127.
Note
If the above specified conditions for the maximum PIN length aren't met, default values are used for both the maximum and minimum PIN lengths.
Minimum PIN length
Minimum PIN length configures the minimum number of characters required for the PIN. The smallest value you can configure for this policy setting is 4. The largest value you can configure must be less than the value configured in the Maximum PIN length policy setting or 127, whichever is lower.
If you configure this policy setting, the PIN length must be greater than or equal to this number.
If you disable or don't configure this policy setting, the PIN length must be greater than or equal to 6.
Note
If the above specified conditions for the minimum PIN length aren't met, default values are used for both the maximum and minimum PIN lengths.
Require digits
Use this policy setting to configure the use of digits in the PIN:
- If you enable this policy setting, Windows requires the user to include at least one digit in their PIN
- If you disable this policy setting, Windows doesn't allow the user to include digits in their PINs
- If you don't configure this policy setting, Windows allows, but doesn't require, digits in the PIN
Require lowercase letters
Use this policy setting to configure the use of lowercase letters in the PIN:
- If you enable this policy setting, Windows requires the user to include at least one lowercase letter in their PIN
- If you disable this policy setting, Windows doesn't allow the user to include lowercase letters in their PIN
- If you don't configure this policy setting, Windows allows, but doesn't require, lowercase letters in the PIN
Require special characters
Scope: Machine
Use this policy setting to configure the use of special characters in the PIN. Special characters include the following set:
! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
- If you enable this policy setting, Windows requires the user to include at least one special character in their PIN
- If you disable this policy setting, Windows doesn't allow the user to include special characters in their PIN
- If you don't configure this policy setting, Windows allows, but doesn't require, special characters in the PIN
Require uppercase letters
Use this policy setting to configure the use of uppercase letters in the PIN:
- If you enable this policy setting, Windows requires the user to include at least one uppercase letter in their PIN
- If you disable this policy setting, Windows doesn't allow the user to include uppercase letters in their PIN
- If you don't configure this policy setting, Windows allows, but doesn't require, uppercase letters in the PIN
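The length and character-class settings above interact: each class setting is tri-state (enabled requires, disabled forbids, not configured allows), and an inconsistent pair of length settings silently resets both lengths to their defaults. The following is an added example, not Microsoft's code, that encodes those rules so a candidate PIN can be checked against a policy before it is deployed. The defaults of 6 and 127, the 4..127 bounds and the special character set come from the text; rejecting characters outside the four documented classes, and falling back to the defaults when the resolved minimum still exceeds the resolved maximum, are this example's own assumptions.

```python
import string
from dataclasses import dataclass
from typing import List, Optional

ENABLED, DISABLED, NOT_CONFIGURED = "enabled", "disabled", "not configured"
DIGITS = set(string.digits)
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
SPECIAL = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")   # set listed under Require special characters
KNOWN = DIGITS | LOWER | UPPER | SPECIAL
DEFAULT_MIN, DEFAULT_MAX = 6, 127   # used when a length setting is disabled or not configured


@dataclass
class PinPolicy:
    minimum_length: Optional[int] = None   # None: disabled or not configured
    maximum_length: Optional[int] = None
    digits: str = NOT_CONFIGURED
    lowercase: str = NOT_CONFIGURED
    uppercase: str = NOT_CONFIGURED
    special: str = NOT_CONFIGURED


def effective_lengths(policy: PinPolicy):
    """Resolve the length bounds. A configured maximum must exceed the configured
    minimum (or 4) and not exceed 127; a configured minimum must be at least 4 and
    below the configured maximum (or 127). If either condition fails, both bounds
    fall back to the defaults, as the article states."""
    lo, hi = policy.minimum_length, policy.maximum_length
    if hi is not None and not (max(lo or 4, 4) < hi <= 127):
        return DEFAULT_MIN, DEFAULT_MAX
    if lo is not None and not (4 <= lo < min(hi or 127, 127)):
        return DEFAULT_MIN, DEFAULT_MAX
    lo_eff = DEFAULT_MIN if lo is None else lo
    hi_eff = DEFAULT_MAX if hi is None else hi
    # Assumption: a maximum below the default minimum is treated as inconsistent too.
    return (lo_eff, hi_eff) if lo_eff <= hi_eff else (DEFAULT_MIN, DEFAULT_MAX)


def validate_pin(pin: str, policy: PinPolicy) -> List[str]:
    """Return every rule the candidate PIN breaks; an empty list means accepted."""
    lo, hi = effective_lengths(policy)
    problems = []
    if not lo <= len(pin) <= hi:
        problems.append(f"length {len(pin)} not in {lo}..{hi}")
    classes = (
        ("digit", policy.digits, DIGITS),
        ("lowercase", policy.lowercase, LOWER),
        ("uppercase", policy.uppercase, UPPER),
        ("special", policy.special, SPECIAL),
    )
    for name, setting, chars in classes:
        count = sum(c in chars for c in pin)
        if setting == ENABLED and count == 0:
            problems.append(f"at least one {name} character required")
        elif setting == DISABLED and count > 0:
            problems.append(f"{name} characters not allowed")
    # Assumption of this example: anything outside the four classes is rejected.
    unknown = sorted({c for c in pin if c not in KNOWN})
    if unknown:
        problems.append("characters outside the documented classes: " + "".join(unknown))
    return problems


if __name__ == "__main__":
    strict = PinPolicy(minimum_length=8, digits=ENABLED, uppercase=ENABLED, special=DISABLED)
    print(effective_lengths(PinPolicy(minimum_length=12, maximum_length=8)))  # inconsistent: defaults
    print(validate_pin("winter2024!", strict))   # constructed sample PIN
```

A policy whose minimum is configured above its maximum is the case worth testing explicitly: the article says both lengths silently revert to their defaults, so a typo in one GPO value quietly turns a 12-character requirement back into a 6-character one.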
Use PIN recovery
PIN Recovery enables a user to change a forgotten PIN using the Windows Hello for Business PIN recovery service, without losing any associated credentials or certificates, including any keys associated with the user's personal accounts on the device.
To achieve this, the PIN recovery service encrypts a recovery secret, which is stored on the device, and requires both the PIN recovery service and the device to decrypt.
PIN recovery requires the user to perform multi-factor authentication to Microsoft Entra ID.
- If you enable this policy setting, Windows Hello for Business uses the PIN recovery service
- If you disable or don't configure this policy setting, Windows doesn't create or store the PIN recovery secret. If the user forgets their PIN, they must delete their existing PIN and create a new one, and they must re-register with any services to which the old PIN provided access
| | Path |
|--|--|
| CSP | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnablePinRecovery`<br>`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnablePinRecovery` |
| GPO | Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business |
For more information, see PIN reset.
This policy setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.
- If you enable this setting, Windows requires enhanced anti-spoofing for face authentication
Important
This disables face authentication on devices that don't support enhanced anti-spoofing.
- If you disable or don't configure this setting, Windows doesn't require enhanced anti-spoofing for face authentication
| | Path |
|--|--|
| CSP | `./Device/Vendor/MSFT/PassportForWork/Biometrics/FacialFeaturesUseEnhancedAntiSpoofing` |
| GPO | Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business |
Enable ESS with supported peripherals
Enhanced Sign-in Security (ESS) adds a layer of security to biometric data by using specialized hardware and software components, for example Virtualization Based Security (VBS) and Trusted Platform Module 2.0.
With ESS, Windows Hello biometric (face and fingerprint) template data and matching operations are isolated to trusted hardware or specified memory regions, and the rest of the operating system can't access or tamper with them. Because the channel between the sensors and the matching algorithm is also secured, malware running in the rest of the operating system can't inject or replay sensor data to simulate a user signing in or to lock a user out of their machine.
If you enable this policy, you can configure the following values:
- 0: ESS is enabled with peripheral or built-in non-ESS sensors. Authentication operations of peripheral Windows Hello capable devices are allowed, subject to current feature limitations. ESS is enabled on devices with a mixture of biometric devices, such as an ESS-capable fingerprint reader and a non-ESS capable camera. Therefore, this setting is not recommended
- 1: ESS is enabled without peripheral or built-in non-ESS sensors. Authentication operations of any peripheral biometric device are blocked and not available for Windows Hello. This setting is recommended for highest security
If you disable or don't configure this setting, non-ESS sensors are blocked on the ESS device.
| | Path |
|--|--|
| CSP | `./Device/Vendor/MSFT/PassportForWork/Biometrics/EnableESSwithSupportedPeripherals` |
| GPO | Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business |
For more information, see How does Enhanced Sign-in Security protect biometric data.
Use biometrics
Windows Hello for Business enables users to use biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures.
- If you enable or don't configure this policy setting, Windows Hello for Business allows the use of biometric gestures
- If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures
Note
Disabling this policy prevents the use of biometric gestures on the device for all account types.
| | Path |
|--|--|
| CSP | `./Device/Vendor/MSFT/PassportForWork/Biometrics/UseBiometrics` |
| GPO | Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business |
Allow enumeration of emulated smart card for all users
Windows prevents users on the same device from enumerating provisioned Windows Hello for Business credentials for other users. If you enable this policy setting, Windows allows all users of the device to enumerate all Windows Hello for Business credentials, but still requires each user to provide their own factors for authentication. If you disable or don't configure this policy setting, Windows doesn't allow the enumeration of provisioned Windows Hello for Business credentials for other users on the same device.
This policy setting is designed for a single user who enrolls privileged and nonprivileged accounts on a single device. The user owns both credentials, which enables them to sign in with the nonprivileged credentials and still perform elevated tasks without signing out. This policy setting is incompatible with Windows Hello for Business credentials provisioned while the Turn off smart card emulation policy setting is enabled.
| | Path |
|--|--|
| CSP | Not available |
| GPO | Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business |
Turn off smart card emulation
Windows Hello for Business automatically provides smart card emulation for compatibility with smart card enabled applications.
- If you enable this policy setting, Windows Hello for Business provisions Windows Hello for Business credentials that are not compatible with smart card applications
- If you disable or don't configure this policy setting, Windows Hello for Business provisions Windows Hello for Business credentials compatible with smart card applications
Important
This policy affects Windows Hello for Business credentials at the time of creation. Credentials created before the application of this policy continue to provide smart card emulation. To change an existing credential, enable this policy setting and select I forgot my PIN from Settings.
| | Path |
|--|--|
| CSP | Not available |
| GPO | Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business |
Use Windows Hello for Business certificates as smart card certificates
This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
- If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key
- If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key
This policy setting is incompatible with Windows Hello for Business credentials provisioned when Turn off smart card emulation is enabled.