This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 20%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
Hi,
I recently find out that Windows Hello for Business on Intune does not have the requirement for digits which allows users to create letter-only PIN. I take a look at the PIN requirements on an enrolled device and the digit requirement displays as "May include digits". For testing, I attempt to create a PIN without digit to confirm and that digit-less PIN is accepted. This issue occurs on Windows Home devices and Windows Pro devices with the OS build 19042.867
The PIN requirements set on Intune Windows Hello for Business:
The desired outcome is end users must include at least 1 digit and 1 lowercase letter in the PIN. Is there any solution I can try for this issue?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Dat Truong Manh , Yes, currently under identity protection template, there's no such setting with digits So we didn't get "TenantId/Policies/PINComplexity/Digits" when deploying via this template. We can try to request this feature in Intune user voice:
https://microsoftintune.uservoice.com/forums/291681-ideas
As a workaround, we can deploy a custom device configuration profile to set Digit requirement for Windows Hello for Business. Here are the steps I have done in my lab.
OMA-URI: ./User/Vendor/MSFT/PassportForWork/<tenant id>/Policies/PINComplexity/Digits
Data type: integer
Value: 1
3.Then I assign the it to the same user group as the one identity protection device configuration profile.
4.After the restart, I find it works: and change PIN is asked.
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Dat Truong Manh , How's everything going? I am writing to see if there's anything else we can help. If yes, feel free to let us know.
@Crystal-MSFT , currently this temporary solution is working well for deploying restrictions, but it could be better if this requirement can be configured via Windows Hello for Business interface in the next updates though. It would make the management much easier for admins.
@Dat Truong Manh , Based on my research, I find that require the use of at least one digit in PIN can be defined in PassportForWork CSP. We can try to deploy this via OMA URI with value 1 to see if it is working.
https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Crystal-MSFT Based on the description in the screenshot you provided, the default value 1 means PIN is required to have at least 1 digit. But because the interface of Windows Hello for Business on Intune does not provide that configuration, and cannot be configured at the moment, is not the PIN supposed to require digit by default?