Manage Windows Hello for Business in your organization

Applies to

You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running WindowsВ 10.

The Group Policy setting Turn on PIN sign-in does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.

Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting Turn on convenience PIN sign-in.

Use PIN Complexity policy settings to manage PINs for Windows Hello for Business.

Group Policy settings for Windows Hello for Business

The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in User configuration and Computer Configuration under Policies > Administrative Templates > Windows Components > Windows Hello for Business.

Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: Computer Configuration > Administrative Templates > System > PIN Complexity.

Not configured: Device does not provision Windows Hello for Business for any user.

Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.

Disabled: Device does not provision Windows Hello for Business for any user.

Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.

Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

Not configured: Windows Hello for Business enrolls a key that is used for on-premises authentication.

Enabled: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.

Disabled: Windows Hello for Business enrolls a key that is used for on-premises authentication.

Added in Windows 10, version 1703

Not configured: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

Disabled: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

For more information about using the PIN recovery service for PIN reset see Windows Hello for Business PIN Reset.

Not configured: Biometrics can be used as a gesture in place of a PIN.

Enabled: Biometrics can be used as a gesture in place of a PIN.

Disabled: Only a PIN can be used as a gesture.

Not configured: Users must include a digit in their PIN.

Enabled: Users must include a digit in their PIN.

Disabled: Users cannot use digits in their PIN.

Not configured: Users cannot use lowercase letters in their PIN.

Enabled: Users must include at least one lowercase letter in their PIN.

Disabled: Users cannot use lowercase letters in their PIN.

Not configured: PIN length must be less than or equal to 127.

Enabled: PIN length must be less than or equal to the number you specify.

Disabled: PIN length must be less than or equal to 127.

Not configured: PIN length must be greater than or equal to 4.

Enabled: PIN length must be greater than or equal to the number you specify.

Disabled: PIN length must be greater than or equal to 4.

Not configured: PIN does not expire.

Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.

Disabled: PIN does not expire.

Not configured: Previous PINs are not stored.

Enabled: Specify the number of previous PINs that can be associated to a user account that can’t be reused.

Disabled: Previous PINs are not stored.

Not configured: Users cannot include an uppercase letter in their PIN.

Enabled: Users must include at least one uppercase letter in their PIN.

Disabled: Users cannot include an uppercase letter in their PIN.

Not currently supported.

MDM policy settings for Windows Hello for Business

The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the PassportForWork configuration service provider (CSP).

Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.

Policy		Scope	Options
Use Windows Hello for Business	Computer or user
Use a hardware security device	Computer
Use certificate for on-premises authentication	Computer or user
PIN Complexity	Require digits	Computer
	Require lowercase letters	Computer
	Require special characters	Computer	Not configured: Users cannot include a special character in their PIN. Enabled: Users must include at least one special character in their PIN. Disabled: Users cannot include a special character in their PIN.
	Require uppercase letters	Computer
	Phone Sign-in	Use Phone Sign-in	Computer

True: Windows Hello for Business will be provisioned for all users on the device.

False: Users will not be able to provision Windows Hello for Business.

Added in Windows 10, version 1703

True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.

False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.

Added in Windows 10, version 1703

True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

For more information about using the PIN recovery service for PIN reset see Windows Hello for Business PIN Reset.

True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.

False: Only a PIN can be used as a gesture for domain sign-in.

Not configured: users can choose whether to turn on enhanced anti-spoofing.

True: Enhanced anti-spoofing is required on devices which support it.

False: Users cannot turn on enhanced anti-spoofing.

0: Digits are allowed.

1: At least one digit is required.

2: Digits are not allowed.

0: Lowercase letters are allowed.

1: At least one lowercase letter is required.

2: Lowercase letters are not allowed.

0: Special characters are allowed.

1: At least one special character is required.

2: Special characters are not allowed.

0: Uppercase letters are allowed.

1: At least one uppercase letter is required.

2: Uppercase letters are not allowed.

Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.

Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.

Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire.

Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.

Not currently supported.

In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN.

Policy conflicts from multiple policy sources

Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device.

Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy.

Feature enablement policy and certificate trust policy are grouped together and enforced from the same source (either GP or MDM), based on the rule above. The Use Passport for Work policy is used to determine the winning policy source.

All PIN complexity policies, are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis.

Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP.

The following are configured using computer Group Policy:

• Use Windows Hello for Business — Enabled
• User certificate for on-premises authentication — Enabled

The following are configured using device MDM Policy:

• UsePassportForWork — Disabled
• UseCertificateForOnPremAuth — Disabled
• MinimumPINLength — 8
• Digits — 1
• LowercaseLetters — 1
• SpecialCharacters — 1

Enforced policy set:

• Use Windows Hello for Business — Enabled
• Use certificate for on-premises authentication — Enabled
• MinimumPINLength — 8
• Digits — 1
• LowercaseLetters — 1
• SpecialCharacters — 1

How to use Windows Hello for Business with Azure Active Directory

There are three scenarios for using Windows Hello for Business in Azure AD–only organizations:

• Organizations that use the version of Azure AD included with Office 365. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
• Organizations that use the free tier of Azure AD. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered.
• Organizations that have subscribed to Azure AD Premium have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device.

If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.

Обзор предварительных условий развертывания Windows Hello для бизнеса Windows Hello for Business Deployment Prerequisite Overview

В этой статье перечислены требования к инфраструктуре для различных моделей развертывания для Windows Hello для бизнеса. This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business.

Исключительно облачное развертывание Cloud Only Deployment

• Windows10 версии1511 или более поздней Windows 10, version 1511 or later
• Учетная запись Microsoft Azure Microsoft Azure Account
• Azure Active Directory Azure Active Directory
• Многофакторная идентификация Azure AD Azure AD Multi-Factor Authentication
• Современные средства управления (Intune или поддерживаемое стороннее решение MDM), необязательно Modern Management (Intune or supported third-party MDM), optional
• Подписка на Azure AD Premium — необязательно, требуется для автоматической регистрации в MDM, когда устройство присоединяется к Azure Active Directory Azure AD Premium subscription — optional, needed for automatic MDM enrollment when the device joins Azure Active Directory

Гибридные развертывания Hybrid Deployments

В таблице приведены минимальные требования для каждого развертывания. The table shows the minimum requirements for each deployment. Для ключевого доверия к развертыванию с несколькими доменами и несколькими лесами для каждого домена/леса, в котором размещена Windows Hello для бизнес-компонентов или участвует в процессе направления Kerberos, применимы следующие требования. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.

Policy		Scope	Default	Options
UsePassportForWork	Device or user	True
RequireSecurityDevice	Device or user	False	True: Windows Hello for Business will only be provisioned using TPM. False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
ExcludeSecurityDevice	TPM12	Device	False
EnablePinRecovery	Device or user	False
PINComplexity
	Digits	Device or user	1
	Lowercase letters	Device or user	2
	Special characters	Device or user	2
	Uppercase letters	Device or user	2
	Maximum PIN length	Device or user	127
	Minimum PIN length	Device or user	4

Доверие на основе ключей Key trust Управление посредством групповых политик Group Policy managed	Доверие на основе сертификатов Certificate trust Смешанное управление Mixed managed	Доверие на основе ключей Key trust Управление современными средствами Modern managed	Доверие на основе сертификатов Certificate trust Управление современными средствами Modern managed
Windows10 версии1511 или более поздней Windows 10, version 1511 or later	Гибридные устройства, присоединенные к Azure AD: Hybrid Azure AD Joined: Минимум: Windows 10 версии 1703 Minimum: Windows 10, version 1703 Лучшая производительность: Windows 10 версии 1709 или более поздней версии (поддерживается синхронная регистрация сертификатов). Best experience: Windows 10, version 1709 or later (supports synchronous certificate enrollment). Устройства, присоединенные к Azure AD: Azure AD Joined: Windows10 версии1511 или более поздней Windows 10, version 1511 or later	Windows10 версии1511 или более поздней Windows 10, version 1511 or later	Windows10 версии1511 или более поздней Windows 10, version 1511 or later
Windows Server 2016 или более поздней схемы Windows Server 2016 or later Schema	Windows Server 2016 или более поздней схемы Windows Server 2016 or later Schema	Windows Server 2016 или более поздней схемы Windows Server 2016 or later Schema	Windows Server 2016 или более поздней схемы Windows Server 2016 or later Schema
Режим работы домена/леса Windows Server2008R2 Windows Server 2008 R2 Domain/Forest functional level	Режим работы домена/леса Windows Server2008R2 Windows Server 2008 R2 Domain/Forest functional level	Режим работы домена/леса Windows Server2008R2 Windows Server 2008 R2 Domain/Forest functional level	Режим работы домена/леса Windows Server2008R2 Windows Server 2008 R2 Domain/Forest functional level
Контроллеры домена Windows Server 2016 или более поздней версии Windows Server 2016 or later Domain Controllers	Контроллеры домена Windows Server2008R2 или позднее Windows Server 2008 R2 or later Domain Controllers	Контроллеры домена Windows Server 2016 или более поздней версии Windows Server 2016 or later Domain Controllers	Контроллеры домена Windows Server2008R2 или позднее Windows Server 2008 R2 or later Domain Controllers
Центр сертификации Windows Server2012 или позднее Windows Server 2012 or later Certificate Authority	Центр сертификации Windows Server2012 или позднее Windows Server 2012 or later Certificate Authority	Центр сертификации Windows Server2012 или позднее Windows Server 2012 or later Certificate Authority	Центр сертификации Windows Server2012 или позднее Windows Server 2012 or later Certificate Authority
— N/A	Windows Server 2016 AD FS с обновлением KB4088889 (гибридные клиенты, присоединенные к Azure AD) Windows Server 2016 AD FS with KB4088889 update (hybrid Azure AD joined clients), и and служба регистрации сертификатов для сетевых устройств Windows Server2012 или более поздней версии (присоединение к Azure AD) Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined)	Н/Д N/A	Служба регистрации сертификатов для сетевых устройств Windows Server2012 или более поздней версии Windows Server 2012 or later Network Device Enrollment Service
Клиент Azure MFA или Azure MFA tenant, or AD FS с адаптером Azure MFA или AD FS w/Azure MFA adapter, or AD FS с адаптером сервера Azure MFA или AD FS w/Azure MFA Server adapter, or AD FS со сторонним адаптером MFA AD FS w/3rd Party MFA Adapter	Клиент Azure MFA или Azure MFA tenant, or AD FS с адаптером Azure MFA или AD FS w/Azure MFA adapter, or AD FS с адаптером сервера Azure MFA или AD FS w/Azure MFA Server adapter, or AD FS со сторонним адаптером MFA AD FS w/3rd Party MFA Adapter	Клиент Azure MFA или Azure MFA tenant, or AD FS с адаптером Azure MFA или AD FS w/Azure MFA adapter, or AD FS с адаптером сервера Azure MFA или AD FS w/Azure MFA Server adapter, or AD FS со сторонним адаптером MFA AD FS w/3rd Party MFA Adapter	Клиент Azure MFA или Azure MFA tenant, or AD FS с адаптером Azure MFA или AD FS w/Azure MFA adapter, or AD FS с адаптером сервера Azure MFA или AD FS w/Azure MFA Server adapter, or AD FS со сторонним адаптером MFA AD FS w/3rd Party MFA Adapter
Учетная запись Azure Azure Account	Учетная запись Azure Azure Account	Учетная запись Azure Azure Account	Учетная запись Azure Azure Account
Azure Active Directory Azure Active Directory	Azure Active Directory Azure Active Directory	Azure Active Directory Azure Active Directory	Azure Active Directory Azure Active Directory
Azure AD Connect Azure AD Connect	Azure AD Connect Azure AD Connect	Azure AD Connect Azure AD Connect	Azure AD Connect Azure AD Connect
Azure AD Premium (необязательно) Azure AD Premium, optional	Azure AD Premium, необходимая для записи устройства Azure AD Premium, needed for device write-back	Azure AD Premium (необязательно, для автоматической регистрации в MDM) Azure AD Premium, optional for automatic MDM enrollment	Azure AD Premium (необязательно, для автоматической регистрации в MDM) Azure AD Premium, optional for automatic MDM enrollment

Гибридные развертывания поддерживают неразрушительные сбросы ПИН-кода, которые работают как с доверием сертификата, так и с ключевыми моделями доверия. Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. Требования: Requirements: Служба сброса ПИН-кода Майкрософт — Windows 10, версии 1709 — 1809, Корпоративная версия. Microsoft PIN Reset Service — Windows 10, versions 1709 to 1809, Enterprise Edition. С версии 1903 не существует лицензионного требования к этой службе There is no licensing requirement for this service since version 1903 Сброс над экраном блокировки (я забыл pin-ссылку) — Windows 10, версия 1903 Reset above lock screen (I forgot my PIN link) — Windows 10, version 1903

Локальное развертывание поддерживает деструктивный сброс ПИН-кода, который работает как с доверием сертификата, так и с ключевыми моделями доверия. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. Требования: Requirements: Сброс из параметров — Windows 10, версия 1703, Профессиональный Reset from settings — Windows 10, version 1703, Professional Сброс над экраном блокировки — Windows 10, версия 1709, Профессиональный Reset above lock screen — Windows 10, version 1709, Professional Сброс над экраном блокировки (я забыл pin-ссылку) — Windows 10, версия 1903 Reset above lock screen (I forgot my PIN link) — Windows 10, version 1903

Локальные развертывания On-premises Deployments

В таблице приведены минимальные требования для каждого развертывания. The table shows the minimum requirements for each deployment.

Доверие на основе ключей Key trust Управление посредством групповых политик Group Policy managed	Доверие на основе сертификатов Certificate trust Управление посредством групповых политик Group Policy managed
Windows10 версии1703 или более поздней Windows 10, version 1703 or later	Windows10 версии1703 или более поздней Windows 10, version 1703 or later
Схема Windows Server2016 Windows Server 2016 Schema	Схема Windows Server2016 Windows Server 2016 Schema
Режим работы домена/леса Windows Server2008R2 Windows Server 2008 R2 Domain/Forest functional level	Режим работы домена/леса Windows Server2008R2 Windows Server 2008 R2 Domain/Forest functional level
Контроллеры домена Windows Server 2016 или более поздней версии Windows Server 2016 or later Domain Controllers	Контроллеры домена Windows Server2008R2 или позднее Windows Server 2008 R2 or later Domain Controllers
Центр сертификации Windows Server2012 или позднее Windows Server 2012 or later Certificate Authority	Центр сертификации Windows Server2012 или позднее Windows Server 2012 or later Certificate Authority
AD FS Windows Server 2016 с обновлением KB4088889 Windows Server 2016 AD FS with KB4088889 update	AD FS Windows Server 2016 с обновлением KB4088889 Windows Server 2016 AD FS with KB4088889 update
AD FS со сторонним адаптером MFA AD FS with 3rd Party MFA Adapter	AD FS со сторонним адаптером MFA AD FS with 3rd Party MFA Adapter
Учетная запись Azure (необязательно, для выставления счетов за Azure MFA) Azure Account, optional for Azure MFA billing	Учетная запись Azure (необязательно, для выставления счетов за Azure MFA) Azure Account, optional for Azure MFA billing

Для развертывания ключей Windows Hello для бизнеса, если у вас есть несколько доменов, для каждого домена требуется по крайней мере один контроллер домена Windows Server 2016 или более новый. For Windows Hello for Business key trust deployments, if you have several domains, at least one Windows Server Domain Controller 2016 or newer is required for each domain. Дополнительные сведения см. в руководстве по планированию. For more information, see the planning guide.