question

0 Votes
DatTruongManh-1313 asked DatTruongManh-1313 commented

Windows Hello for Business on Intune does not have "Digits in PIN" requirement

Hi,
I recently found out that Windows Hello for Business on Intune does not have a requirement for digits, which allows users to create a letter-only PIN. I took a look at the PIN requirements on an enrolled device, and the digit requirement displays as "May include digits". For testing, I attempted to create a PIN without a digit to confirm, and that digit-less PIN was accepted. This issue occurs on Windows Home devices and Windows Pro devices with the OS build 19042.867.
85106-image.png

The PIN requirements set on Intune Windows Hello for Business:
85121-image.png
85037-image.png
85114-image.png

The desired outcome is end users must include at least 1 digit and 1 lowercase letter in the PIN. Is there any solution I can try for this issue?


windows-10-security mem-intune-device-configurations mem-intune-enrollment

0 Votes
Crystal-MSFT answered DatTruongManh-1313 commented

@DatTruongManh-1313, Based on my research, I find that requiring the use of at least one digit in the PIN can be defined in the PassportForWork CSP. We can try to deploy this via OMA-URI with value 1 to see if it works.
85214-image.png
https://docs.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp

Hope it can help.



@Crystal-MSFT Based on the description in the screenshot you provided, the default value 1 means the PIN is required to have at least 1 digit. But because the interface of Windows Hello for Business on Intune does not provide that configuration, and it cannot be configured at the moment, is the PIN not supposed to require a digit by default?

0 Votes 0 ·
1 Vote
Crystal-MSFT answered DatTruongManh-1313 commented

@DatTruongManh-1313, Yes, currently under the identity protection template, there's no such setting for digits, so we didn't get "TenantId/Policies/PINComplexity/Digits" when deploying via this template. We can try to request this feature in Intune user voice:
https://microsoftintune.uservoice.com/forums/291681-ideas

As a workaround, we can deploy a custom device configuration profile to set Digit requirement for Windows Hello for Business. Here are the steps I have done in my lab.
1. I have created a custom device configuration profile.
2. Add the OMA-URI settings with the following value.

OMA-URI: ./User/Vendor/MSFT/PassportForWork/<tenant id>/Policies/PINComplexity/Digits
Data type: integer
Value: 1
85517-image.png

3. Then I assigned it to the same user group as the identity protection device configuration profile.
4. After the restart, I find it works, and a PIN change is asked for.
85571-image.png

Hope it can help.



@DatTruongManh-1313, How's everything going? I am writing to see if there's anything else we can help with. If yes, feel free to let us know.

0 Votes 0 ·

@Crystal-MSFT, currently this temporary solution is working well for deploying restrictions, but it could be better if this requirement can be configured via the Windows Hello for Business interface in the next updates though. It would make the management much easier for admins.

0 Votes 0 ·
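
As an added example (not from the thread and not Microsoft tooling), the Python below builds the custom-profile setting from the workaround above in the JSON shape Microsoft Graph uses for `windows10CustomConfiguration` and `omaSettingInteger`, then audits exported profiles for a missing, mis-scoped or wrong-valued Digits node. The function names, display names and the tenant GUID are assumptions made for illustration.

```python
import re
import uuid

# OMA-URI from the answer above; the CSP also has a ./Device scope.
URI = "./User/Vendor/MSFT/PassportForWork/{tenant}/Policies/PINComplexity/Digits"
URI_RE = re.compile(r"^\./(?:User|Device)/Vendor/MSFT/PassportForWork/([^/]+)"
                    r"/Policies/PINComplexity/Digits$", re.IGNORECASE)
INT_TYPE = "#microsoft.graph.omaSettingInteger"


def build_profile(tenant_id, name="WHfB require digit in PIN"):
    """Custom profile body; the display name is a made-up label."""
    tenant = str(uuid.UUID(tenant_id))  # ValueError on "<tenant id>" or a typo
    return {
        "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
        "displayName": name,
        "omaSettings": [{"@odata.type": INT_TYPE,
                         "displayName": "PINComplexity/Digits",
                         "omaUri": URI.format(tenant=tenant),
                         "value": 1}],  # 1 = at least one digit required
    }


def audit(profiles, tenant_id):
    """Return (enforced, findings) for a list of exported profile dicts."""
    tenant, enforced, findings = str(uuid.UUID(tenant_id)), False, []
    for prof in profiles:
        for s in prof.get("omaSettings") or []:
            m = URI_RE.match(s.get("omaUri", ""))
            if not m:
                continue  # some other OMA-URI setting
            label = prof.get("displayName", "(unnamed)")
            if m.group(1).lower() != tenant:
                findings.append(f"{label}: tenant segment {m.group(1)!r} is not {tenant}")
            elif s.get("@odata.type") != INT_TYPE:
                findings.append(f"{label}: Digits must be data type integer")
            elif s.get("value") != 1:
                findings.append(f"{label}: Digits={s.get('value')!r}, expected 1")
            else:
                enforced = True
    if not enforced and not findings:
        findings.append("no profile sets PINComplexity/Digits")
    return enforced, findings


if __name__ == "__main__":
    TENANT = "11111111-2222-3333-4444-555555555555"  # constructed sample GUID
    template_only = {"displayName": "Identity protection"}  # constructed: no Digits node
    print(audit([template_only], TENANT))
    print(audit([template_only, build_profile(TENANT)], TENANT))
```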