
Windows Hello for Business device policy

Windows Hello for Business allows users to sign on to Windows devices by using their Active Directory or Azure Active Directory account. You use the Windows Hello for Business device policy to enable the feature so users can provision Windows Hello for Business on their device. The policy also lets you configure passcode limitations and other security features.

Go to Configure > Device Policies to add the Windows Hello for Business policy. Configure these settings:

Windows Phone and Windows Desktop/Tablet settings


  • Use Windows Hello for Business: Enable the feature to allow users to provision Windows Hello for Business on their device.
  • Require security device: Require that users have a Trusted Platform Module (TPM) to sign on.
  • Minimum/Maximum PIN length: Minimum and maximum length for user PINs. Minimum PIN Length defaults to 4. Maximum PIN Length defaults to 127.
  • Uppercase letters, Lowercase letters, Special characters: Select whether to Allow, Require, or Do not allow each type of character. Defaults to Do not allow.
  • Digits: Whether to Allow, Require, or Do not allow digits. Defaults to Require.
  • History: The number of past PINs that users can’t reuse. Defaults to 0, meaning users can reuse all PINs.
  • Expiration: The number of days before a user must change their PIN. Defaults to 0, which means that PINs don’t expire.
  • Use Biometrics: Allow the use of biometrics instead of PINs for user sign-on.
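
The PIN rules above can be checked offline before a policy is rolled out. The following is an added example, not part of the product or its documentation: it models the length, character-class, and history settings with the defaults listed above and reports which rules a candidate PIN breaks. The field names, the use of `string.punctuation` as the set of special characters, and the plain-text history list are assumptions made for illustration; expiration, TPM, and biometrics settings are not modeled.

```python
import string
from dataclasses import dataclass

ALLOW, REQUIRE, DENY = "Allow", "Require", "Do not allow"

@dataclass
class HelloPinPolicy:
    # Field names are hypothetical; default values are the ones listed above.
    min_length: int = 4
    max_length: int = 127
    uppercase: str = DENY
    lowercase: str = DENY
    special: str = DENY
    digits: str = REQUIRE
    history: int = 0  # 0 means users can reuse all past PINs

def _classes(pin):
    # Assumption: "special characters" is modeled as ASCII punctuation.
    return {
        "uppercase": any(c in string.ascii_uppercase for c in pin),
        "lowercase": any(c in string.ascii_lowercase for c in pin),
        "digits": any(c in string.digits for c in pin),
        "special": any(c in string.punctuation for c in pin),
    }

def pin_violations(pin, policy, previous_pins=()):
    """Return the policy rules that `pin` breaks (empty list = compliant)."""
    problems = []
    if len(pin) < policy.min_length:
        problems.append("shorter than minimum length")
    if len(pin) > policy.max_length:
        problems.append("longer than maximum length")
    for name, present in _classes(pin).items():
        rule = getattr(policy, name)
        if rule == REQUIRE and not present:
            problems.append(f"{name} required")
        elif rule == DENY and present:
            problems.append(f"{name} not allowed")
    # previous_pins is ordered oldest to newest (constructed sample data,
    # plain strings only for illustration); the last `history` entries count.
    recent = list(previous_pins)[-policy.history:] if policy.history else []
    if pin in recent:
        problems.append("matches a PIN in history")
    return problems
```

With the defaults, `pin_violations("1234", HelloPinPolicy())` returns an empty list, while a policy built with `min_length=6` and `uppercase=REQUIRE` reports both a length and an uppercase violation for the same PIN.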
