Windows PIN management for PassPort For Work/Windows Hello

Use this feature to set up PIN Management for PassPort For Work/Windows Hello, including rules to manage both PINs and biometrics (iris, voice, fingerprints). You can also use it to create an identity and change the AAD registration flow so that future devices can take advantage of PassPort For Work/Windows Hello.

Prerequisites for setting up a PassPort For Work/Windows Hello policy are:

Enabling Microsoft Azure Menu

Enabling the Microsoft Azure Menu is a required step before you can use PassPort For Work/Windows Hello in a policy.

To enable the Microsoft Azure Menu:

  1. Select Settings > System Settings > Windows > Advanced Menu.
  2. Select the Enable Microsoft Azure Menu check box.
  3. Click Save.

Enabling PassPort For Work/Windows Hello with Microsoft Azure

Enabling PassPort For Work/Windows Hello with Microsoft Azure is a required step before you can use it in a policy.

To enable PIN management for PassPort For Work/Windows Hello:

  1. Select Settings > System Settings > Windows > Microsoft Azure.
  2. Select the Enable PassPort For Work/Windows Hello check box.
  3. Click Save.

Creating a PassPort For Work/Windows Hello policy

Use this feature to set up options for PIN management. You can use only one type of rule per profile.

Procedure 

To create a PassPort For Work/Windows Hello policy:

  1. Select Policies & Configs > Policies.
  2. Select Add New > Windows > PassPort For Work/Windows Hello.
  3. Modify fields in the New Windows PassPort For Work/Windows Hello Policy window, as necessary.
    Refer to the New Windows PassPort For Work/Windows Hello Policy window table for details.
  4. Click Save.
  5. Apply the policy to a label.

New Windows PassPort For Work/Windows Hello Policy window

The following table summarizes the fields and descriptions in the New Windows PassPort For Work/Windows Hello Policy window:

Table 71.   New Windows PassPort For Work/Windows Hello Policy Fields

Fields

Description

Name

Add the unique name of the policy.

Status

Options are Active or Inactive.

Priority

Set the priority relative to other policies. Each policy has an assigned priority, with Priority 1 taking precedence.

Description

Add a description of the policy.

Use PassPort For Work/Windows Hello

Options are Enabled or Disabled.

Required Trusted Platform Module

Options are Enabled or Disabled.

Minimum PIN Length

Range is 4 - 127 characters. Default is 4. Cannot be less than 4.

Maximum PIN Length

Maximum value cannot be more than 127. Cannot be less than the Min value.

Uppercase Letters in PIN

Values are:

0 - Allows the use of uppercase letters in PIN

1 - Requires the use of at least one uppercase letter in PIN

2 - Does not allow the use of uppercase letters in PIN (default)

Lowercase Letters in PIN

Values are:

0 - Allows the use of lowercase letters in PIN

1 - Requires the use of at least one lowercase letter in PIN

2 - Does not allow the use of lowercase letters in PIN (default)

Special Characters in PIN

Values are:

0 - Allows the use of special characters in PIN

1 - Requires the use of at least one special character in PIN

2 - Does not allow the use of special characters in PIN (default)

Digits in PIN

Values are:

0 - Allows the use of digits in PIN

1 - Requires the use of at least one digit in PIN

2 - Does not allow the use of digits in PIN (default)

PIN History

Integer value that specifies the number of past PINs associated with a user account that cannot be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. Default is 0.

PIN Expiration

Integer value that specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire. Default is 0.

Use Remote Passport

Options are Enabled or Disabled. Use this option to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. Default is Disabled.

Use Biometrics

Options are Enabled or Disabled. Use this option to enable or disable the use of biometrics (iris, voice, fingerprints) with Windows Hello for Business. The Facial Features Use Enhanced Anti-Spoofing option can only be set when this option is Enabled. Default is Disabled.

Facial Features Use Enhanced Anti-Spoofing

Options are Enabled or Disabled. Use this option to enable or disable enhanced anti-spoofing for facial feature recognition on devices which support it.

If this policy is not configured, the user can choose whether they want anti-spoofing on or off. If you set this policy to true, enhanced anti-spoofing is required on devices which support it. If you set this policy to false, enhanced anti-spoofing is turned off and the user cannot turn it on.

This value can only be set if Use Biometrics is True. If False, this should not be set. Default is Enabled.
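As an added example (not from this documentation or the MobileIron product), the following Python checks a proposed policy against the limits in the table above and then checks a candidate PIN against the rules that policy produces; the PinPolicy class and both function names are hypothetical.

```python
from dataclasses import dataclass

ALLOW, REQUIRE, DISALLOW = 0, 1, 2  # values of the four character-class fields in the table

@dataclass(frozen=True)
class PinPolicy:  # hypothetical; defaults follow the policy table
    min_length: int = 4          # range 4-127
    max_length: int = 127        # at most 127, never below min_length
    uppercase: int = DISALLOW    # all four classes default to 2 in the table
    lowercase: int = DISALLOW
    special: int = DISALLOW
    digits: int = DISALLOW
    history: int = 0             # 0-50; 0 means previous PINs are not stored
    expiration_days: int = 0     # 0-730; 0 means the PIN never expires

def policy_errors(p: PinPolicy) -> list[str]:
    """Check the policy values themselves against the limits stated in the table."""
    errs = []
    if not 4 <= p.min_length <= 127:
        errs.append("Minimum PIN Length must be 4-127")
    if p.max_length > 127 or p.max_length < p.min_length:
        errs.append("Maximum PIN Length must be <= 127 and >= Minimum PIN Length")
    if any(v not in (ALLOW, REQUIRE, DISALLOW)
           for v in (p.uppercase, p.lowercase, p.special, p.digits)):
        errs.append("character-class fields must be 0, 1 or 2")
    if not 0 <= p.history <= 50:
        errs.append("PIN History must be 0-50")
    if not 0 <= p.expiration_days <= 730:
        errs.append("PIN Expiration must be 0-730")
    return errs

def pin_errors(pin: str, p: PinPolicy, previous: tuple[str, ...] = ()) -> list[str]:
    """Return the table rules a candidate PIN violates (empty list means acceptable)."""
    errs = []
    if not p.min_length <= len(pin) <= p.max_length:
        errs.append(f"length must be {p.min_length}-{p.max_length}")
    classes = {
        "uppercase": (p.uppercase, any(c.isupper() for c in pin)),
        "lowercase": (p.lowercase, any(c.islower() for c in pin)),
        "digit": (p.digits, any(c.isdigit() for c in pin)),
        "special": (p.special, any(not c.isalnum() for c in pin)),
    }
    for name, (setting, present) in classes.items():
        if setting == REQUIRE and not present:
            errs.append(f"at least one {name} character is required")
        elif setting == DISALLOW and present:
            errs.append(f"{name} characters are not allowed")
    if p.history and pin in previous[-p.history:]:  # PIN History: last N PINs cannot be reused
        errs.append(f"PIN matches one of the last {p.history} PINs")
    return errs
```

Note that with all four character-class fields left at their default of 2, no PIN can satisfy the policy, so a usable policy sets at least one class to 0 or 1 (a numeric-only PIN is digits=1 with the rest at 2).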

Viewing status in device details

To see the policy status on a device:

  1. Select Devices & Users > Devices.
  2. Double-click the name of device.
  3. Click the Policies tab. If the policy was pushed to the selected device, it will be listed in the table.

The status (Applied/Partially Applied) is based on whether the policy has been synced to the device. If there is a discrepancy in the policy, the device falls out of compliance, just as it would if passwords were out of compliance.