locked
Any Way To Force Password Complexity For Windows Hello on Domain-joined PCs? RRS feed

  • Question

  • We are planning to get new laptops with Windows Hello compatible cameras built-in.  However, Windows Hello requires a PIN, but I don't see any way to force complexity.

    I tried setting up a PIN as 1234 as a test and it took it with no problem.  This is ridiculous.  1234 as a PIN is as useless as no PIN at all. This is not acceptable for or corporate computers.   I really can't believe Windows Hello was designed this way and a complex PIN requirement was not part of its design.

    The rationale that it cannot be harvested and used on another computer is not good enough.  A dumb PIN such as 1234 can be used by a laptop thief to access local data  and access any resources with stored credentials when such easily-guessed simple PINs are not restricted. 

    How can we set up Windows Hello to either require a PIN that meets our password complexity requirements or works with domain user account passwords instead of PINs?

    Saturday, October 31, 2015 2:10 AM

Answers

  • Hi MyGposts,

    Yes. I agree with that part.

    But the policy should work if we installed Administrative Templates for Windows 10:

    https://www.microsoft.com/en-us/download/details.aspx?id=48257

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by Bruce Wooding Friday, December 4, 2015 9:58 PM
    Monday, November 9, 2015 7:05 AM

All replies

  • Hi MyGposts,

    Yes, check the article below for the policy that may have effects on the PIN:

    https://technet.microsoft.com/en-us/library/mt219734(v=vs.85).aspx

    check the table which lists the policy settings that you can configure for Passport use in your workplace.

    For more information, please see:

    https://technet.microsoft.com/en-us/library/mt589441(v=vs.85).aspx

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Proposed as answer by lvj1001 Tuesday, November 17, 2015 1:21 AM
    • Unproposed as answer by Bruce Wooding Friday, December 4, 2015 9:59 PM
    Monday, November 2, 2015 10:11 AM
  • Hi MyGposts,

    Yes, check the article below for the policy that may have effects on the PIN:

    https://technet.microsoft.com/en-us/library/mt219734(v=vs.85).aspx

    check the table which lists the policy settings that you can configure for Passport use in your workplace.

    For more information, please see:

    https://technet.microsoft.com/en-us/library/mt589441(v=vs.85).aspx

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    That looks like that is not related to Windows Hello login.  

    We are not purchasing externally hosted Microsoft Passport or Azure AD accounts.

    Monday, November 2, 2015 5:12 PM
  • Hi MyGposts,

    Microsoft Passport is not externally hosted.

    Have you checked the second link I shared above?

    https://technet.microsoft.com/en-us/library/mt589441(v=vs.85).aspx

    This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout.

    For the explanation about Windows Hello and Microsoft Passport, please check the article above.

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, November 4, 2015 3:10 AM
  • To deploy it internally, you must have Server 2016 Technical Preview domain controllers or use Azure AD.

    So, this is not yet ready for production unless you are willing to have it hosted externally.

    Wednesday, November 4, 2015 4:33 AM
  • Hi MyGposts,

    Yes. I agree with that part.

    But the policy should work if we installed Administrative Templates for Windows 10:

    https://www.microsoft.com/en-us/download/details.aspx?id=48257

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by Bruce Wooding Friday, December 4, 2015 9:58 PM
    Monday, November 9, 2015 7:05 AM