Windows Hello for Business policy settings

This reference article provides a comprehensive list of policy settings for Windows Hello for Business. The list of settings is sorted alphabetically and organized in four categories:

  • Feature settings: used to enable Windows Hello for Business and configure basic options
  • PIN settings: used to configure PIN authentication, like PIN complexity and recovery
  • Biometric settings: used to configure biometric authentication
  • Smart card settings: used to configure smart card authentication used in conjunction with Windows Hello for Business

For information about how to configure these settings, see Configure Windows Hello for Business.

The feature settings are listed below. Each one can be configured through either a CSP or a GPO; both paths are given in the setting's section:

  • Configure device unlock factors
  • Configure dynamic lock factors
  • Use a hardware security device
  • Use certificate for on-premises authentication
  • Use cloud (Kerberos) trust for on-premises authentication
  • Use Windows Hello for Business

Configure device unlock factors

Configure a comma-separated list of credential provider GUIDs, such as the face and fingerprint provider GUIDs, to be used as the first and second unlock factors. If the trusted signal provider is specified as one of the unlock factors, you should also configure a comma-separated list of signal rules, in XML form, for each signal type to be verified.

If you enable this policy setting, the user must use one factor from each list to successfully unlock. If you disable or don't configure this policy setting, users can continue to unlock with existing options.

Path
  • CSP: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock
  • GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business

For more information, see Multi-factor unlock.

Configure dynamic lock factors

Configure a comma-separated list of signal rules, in XML form, for each signal type.

  • If you enable this policy setting, the signal rules are evaluated to detect user absence and automatically lock the device
  • If you disable or don't configure the setting, users can continue to lock with existing options

Path
  • CSP: ./Device/Vendor/MSFT/PassportForWork/DynamicLock/DynamicLock
  • GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business

Use a hardware security device

A Trusted Platform Module (TPM) provides additional security benefits over software because data protected by it can't be used on other devices.

  • If you enable this policy setting, Windows Hello for Business provisioning only occurs on devices with usable 1.2 or 2.0 TPMs. You can optionally exclude TPM revision 1.2 modules, which prevents Windows Hello for Business provisioning on those devices

    Tip

    The TPM 1.2 specification only allows the use of RSA and the SHA-1 hashing algorithm. TPM 1.2 implementations vary in policy settings, which may result in support issues as lockout policies vary. It's recommended to exclude TPM 1.2 devices from Windows Hello for Business provisioning.

  • If you disable or don't configure this policy setting, the TPM is still preferred, but all devices can provision Windows Hello for Business using software if the TPM is nonfunctional or unavailable

Path
  • CSP: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice
  • CSP: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/ExcludeSecurityDevices/TPM12
  • GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business

Use certificate for on-premises authentication

Use this policy setting to configure Windows Hello for Business to enroll a sign-in certificate used for on-premises authentication.

  • If you enable this policy setting, Windows Hello for Business enrolls a sign-in certificate that is used for on-premises authentication
  • If you disable or don't configure this policy setting, Windows Hello for Business will use a key or a Kerberos ticket (depending on other policy settings) for on-premises authentication

Path
  • CSP: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCertificateForOnPremAuth
  • GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business
  • GPO: User Configuration > Administrative Templates > Windows Components > Windows Hello for Business

Use cloud trust for on-premises authentication

Use this policy setting to configure Windows Hello for Business to use the cloud Kerberos trust model.

  • If you enable this policy setting, Windows Hello for Business uses a Kerberos ticket retrieved from authenticating to Microsoft Entra ID for on-premises authentication
  • If you disable or don't configure this policy setting, Windows Hello for Business uses a key or certificate (depending on other policy settings) for on-premises authentication

Path
  • CSP: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth
  • GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business

Note

Cloud Kerberos trust is incompatible with certificate trust. If the certificate trust policy setting is enabled, it takes precedence over this policy setting.

Use Windows Hello for Business

  • If you enable this policy, the device provisions Windows Hello for Business using keys or certificates for all users
  • If you disable this policy setting, the device doesn't provision Windows Hello for Business for any user
  • If you don't configure this policy setting, users can provision Windows Hello for Business

Select the option Don't start Windows Hello provisioning after sign-in when you use a non-Microsoft solution to provision Windows Hello for Business:

  • If you select Don't start Windows Hello provisioning after sign-in, Windows Hello for Business doesn't automatically start provisioning after the user has signed in
  • If you don't select Don't start Windows Hello provisioning after sign-in, Windows Hello for Business automatically starts provisioning after the user has signed in

Path
  • CSP: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork
  • CSP: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/DisablePostLogonProvisioning
  • GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business
  • GPO: User Configuration > Administrative Templates > Windows Components > Windows Hello for Business
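As an added example (not part of the Microsoft documentation), the following PowerShell function takes a set of intended feature settings keyed by the CSP leaf names above, applies the precedence rules this page states (certificate trust overrides cloud Kerberos trust; key trust is the fallback; the TPM 1.2 exclusion tip) and emits the OMA-URIs to deploy. The 1/0 value encoding and the `Resolve-WhfbFeaturePolicy` name are assumptions; `{TenantId}` is kept as the literal placeholder the page uses.

```powershell
# Added example: evaluate intended Windows Hello for Business feature settings.
# Assumed encoding: 1 = enabled, 0 = disabled, key absent = not configured.
function Resolve-WhfbFeaturePolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Settings,
        [string]$TenantId = '{TenantId}'   # placeholder, as written on the page
    )
    $base = "./Device/Vendor/MSFT/PassportForWork/$TenantId/Policies"
    $result = [ordered]@{ Provisioning = ''; TrustType = ''; Warnings = @(); OmaUris = @() }

    # UsePassportForWork: 1 provisions for all users, 0 blocks provisioning,
    # not configured leaves the choice to the user.
    $enabled = $Settings['UsePassportForWork']
    if ($enabled -eq 1)     { $result.Provisioning = 'Provisioned for all users' }
    elseif ($enabled -eq 0) { $result.Provisioning = 'Provisioning blocked for all users' }
    else                    { $result.Provisioning = 'Users may provision (not configured)' }

    # Precedence from the page: certificate trust takes precedence over cloud
    # Kerberos trust, and a key is used when neither is enabled.
    if ($Settings['UseCertificateForOnPremAuth'] -eq 1) {
        $result.TrustType = 'Certificate trust'
        if ($Settings['UseCloudTrustForOnPremAuth'] -eq 1) {
            $result.Warnings += 'UseCloudTrustForOnPremAuth is enabled but ignored: certificate trust takes precedence.'
        }
    }
    elseif ($Settings['UseCloudTrustForOnPremAuth'] -eq 1) { $result.TrustType = 'Cloud Kerberos trust' }
    else                                                   { $result.TrustType = 'Key trust' }

    # Tip from the page: when a hardware security device is required, exclude TPM 1.2
    # (RSA/SHA-1 only, inconsistent lockout behavior across implementations).
    if ($Settings['RequireSecurityDevice'] -eq 1 -and $Settings['ExcludeSecurityDevices/TPM12'] -ne 1) {
        $result.Warnings += 'RequireSecurityDevice is enabled without excluding TPM 1.2 (ExcludeSecurityDevices/TPM12).'
    }

    # Build the OMA-URI list for every setting that is actually configured.
    foreach ($leaf in $Settings.Keys) {
        $result.OmaUris += "$base/$leaf = $($Settings[$leaf])"
    }
    [pscustomobject]$result
}

# Constructed sample: both trust models enabled, TPM required, no TPM 1.2 exclusion.
Resolve-WhfbFeaturePolicy -Settings @{
    UsePassportForWork          = 1
    RequireSecurityDevice       = 1
    UseCertificateForOnPremAuth = 1
    UseCloudTrustForOnPremAuth  = 1
}
```

For the constructed sample the function reports certificate trust as the effective model and two warnings: the ignored cloud trust setting and the missing TPM 1.2 exclusion.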