To configure Windows Hello for Business in your on-premises organization, you use the appropriate GPOs within the following location:
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Hello for Business
To configure PIN complexity with Windows 11 (with and without Windows Hello for Business), you can use the eight PIN Complexity Group Policy settings, which allow you to control PIN creation and management.
You can deploy these policy settings to computers or users. If you deploy settings to both, then the user policy settings have precedence over computer policy settings, and GPO conflict resolution is based on the last applied policy. The policy settings included are:
- Require digits
- Require lowercase letters
- Maximum PIN length
- Minimum PIN length
- Expiration
- History
- Require special characters
- Require uppercase letters
In Windows 11, the PIN complexity Group Policy settings are located at: Administrative Templates\System\PIN Complexity (under both the Computer and User Configuration nodes).
Need More Review? Windows Hello for Business Policy Settings
To review more detailed configuration steps for Windows Hello for Business within an enterprise environment, refer to the Microsoft Learn website at https://learn.microsoft.com/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.
If your organization is not using Windows Hello for Business, you can still use the option to set a Convenience PIN. A Convenience PIN is very different from a Windows Hello for Business PIN because it is merely a wrapper for the user’s domain password. This means that the user’s password is cached and substituted by Windows when signing in with a Convenience PIN.
The option to allow a Convenience PIN is disabled by default for domain-joined clients. To enable this feature, enable the Turn On Convenience PIN Sign-In GPO value located at Computer Configuration\Administrative Templates\System\Logon.
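The following PowerShell script is an added example, not part of the original text, that audits the PIN Complexity and Convenience PIN policies described above on a single client. It reads the policy registry keys that the GPOs write; the registry paths (`HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity` for the computer scope, the same path under `HKCU:` for the user scope, and `HKLM:\SOFTWARE\Policies\Microsoft\Windows\System` with the `AllowDomainPINLogon` value for Convenience PIN) and the eight value names are assumptions based on the PassportForWork CSP and should be checked against your own `gpresult /h` output. The script applies the precedence rule stated above (user policy wins over computer policy) to report the effective value of each setting.

```powershell
# Added example: read-only audit of PIN Complexity and Convenience PIN policy
# on the local client. Registry paths and value names are assumptions; confirm
# them with gpresult /h before relying on the results.

# The eight PIN Complexity settings (value names assumed from the
# PassportForWork CSP).
$pinSettings = @(
    'Digits', 'LowercaseLetters', 'MaximumPINLength', 'MinimumPINLength',
    'Expiration', 'History', 'SpecialCharacters', 'UppercaseLetters'
)

# Computer-scope and user-scope policy keys (assumed paths).
$computerKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
$userKey     = 'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'

function Get-PolicyValue {
    # Returns the named registry value, or $null when the key or value is absent
    # (an absent policy value means "Not configured").
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($name in $pinSettings) {
    $computerValue = Get-PolicyValue -Path $computerKey -Name $name
    $userValue     = Get-PolicyValue -Path $userKey     -Name $name

    # Precedence: user policy overrides computer policy when both are set.
    $source = 'Not configured'
    if ($null -ne $computerValue) { $source = 'Computer' }
    if ($null -ne $userValue)     { $source = 'User' }
    $effective = if ($source -eq 'User') { $userValue } else { $computerValue }

    [pscustomobject]@{
        Setting   = $name
        Computer  = $computerValue
        User      = $userValue
        Effective = $effective
        Source    = $source
    }
}

$report | Format-Table -AutoSize

# Convenience PIN: the "Turn On Convenience PIN Sign-In" GPO is assumed to write
# AllowDomainPINLogon under the Logon policy key. It is disabled by default on
# domain-joined clients, so an absent value means the feature is off.
$logonKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$conveniencePin = Get-PolicyValue -Path $logonKey -Name 'AllowDomainPINLogon'
if ($conveniencePin -eq 1) {
    Write-Warning 'Convenience PIN sign-in is enabled: the PIN wraps the cached domain password.'
} else {
    Write-Output 'Convenience PIN sign-in is disabled (default for domain-joined clients).'
}
```

Run the script in an elevated PowerShell session on a client that has received the GPOs; a setting reported with Source = Not configured falls back to the Windows default, and a warning about Convenience PIN tells you that PIN sign-in on that client is backed by a cached domain password rather than a Windows Hello for Business credential.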
Using Intune to Configure Windows Hello for Business
To configure the required Windows Hello for Business settings using Intune, open the Microsoft Intune admin center and then create a device configuration profile with the Identity protection type. Use the following procedure:
1. In the Microsoft Intune admin center, select Devices > Windows and click Configuration Profiles.
2. Click Create profile, select Windows 10 and later, and then select Identity protection from the list of templates.
3. Click Create, and then on the Basics tab, provide a name and description. Click Next.
4. On the Configuration settings tab, enable the Configure Windows Hello for Business setting.
5. As shown in Figure 2-6, configure the required settings described earlier. Click Next.
FIGURE 2-6 Enabling Windows Hello for Business with Intune
6. On the Assignments tab, assign the policy to the desired group, click Next, and then complete the wizard to finish the profile configuration.
You can also achieve the same result by using an Account protection policy in Endpoint security. Account protection policies support the configuration of the following:
- Local user group membership
- Local admin password solution (LAPS)
- Account protection
Choose Account protection, and then follow a similar wizard-driven procedure to configure the Windows Hello for Business settings.