Forum Discussion
Disabling pin while keeping windows hello enabled
We would like to keep the use of windows hello biometrics but instead of a pin, could I force the Microsoft account password? Due to some security requirements, devices are required to have a 14 alphanumeric password with special characters. This gets pretty annoying when we have our devices lock after a minute of inactivity which is why we keep windows hello enabled. If we have pin enabled, it would have to meet the password requirements of 14 characters yada yada. The problem with that would be confusing the end users by having multiple long passwords.
Is there a way to have windows hello enabled but instead of the local pin, have the microsoft account password be used instead?
- Looks like the default WHfB settings maybe getting applied for you. Have you tried to implement Account protection profile instead? As for your question on using pin as an authentication method, you can possibly set the desired credential provider including password. However, first time pin setup will still be a requirement.
- Hi,
not sure what you are aiming for here, but WhfB will always be a "replacement" for your password. You could look into multi-factor unlock perhaps? https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
Please use WhfB the right way: go passwordless.- that was probably one of the worst microsoft remarks going - trust me the pin is no the right way - biometrics fine but pin really doesn't work - I know the wonderful microsoft dream of but it's device related and security excellent - all our security team disagree totally - pins are either too easy to break or too hard to remember for users. The knock on effect is the worst tool available means most admins have to make things less secure to make sure microsoft's research comes out in the wash. I know you will disagree and fine but after years of security I've watched this game off and on and this one is exceptionally bad idea.
