We recommend enabling this feature across all managed computers, but you must consider the user education that is required: if the user is able to set a simple PIN to gain access to their device, this may be less secure than a complex password. While the PIN is unique to the device, some users may still use the same PIN on each device.
Users can manage their own sign-in preferences by going to Start | Settings | Accounts | Sign-in options and selecting the options they prefer.
Administrators can also control the configuration of this feature through Group Policy or Microsoft Intune. By default, the PIN option may be disabled on all domain-joined devices; refer to this page for all the Windows Hello for Business settings that can be modified: https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-manage-in-organization.
The settings to consider in Group Policy are listed in the following table:
| Setting name | Description |
|---|---|
| Use Windows Hello for Business | If left unconfigured, the user can control the behavior. Otherwise, the administrator has the choice to enable or disable the feature. |
| Use a hardware security device | This setting determines whether the computer will be forced to use the Trusted Platform Module (TPM) chip (if available), or whether a software option can be used instead. The TPM chip is the most secure method, but allowing a software option gives greater compatibility across all devices and still provides better security than passwords alone. |
| Use biometrics | Enables or disables the use of biometrics. If disabled, only a PIN can be used. If enabled, the PIN is only used if the biometrics are unavailable or inconclusive (for example, face recognition may not work if there is too much light or there are visual distractions). |
| PIN Complexity | There is a range of settings available under this option, and each needs to be considered carefully to ensure that any attempt to increase security does not negatively impact usability. The idea of using a PIN instead of a password is to simplify the login process whilst also making it more secure: if the PIN is forced to be too long and complex, the user will treat it the same way as they do their passwords (writing it down, making it easy to guess, and so on). A 6-digit PIN is generally complicated enough to thwart a simple attack while still being user friendly. If the device is lost or stolen, the attacker will have to guess the right PIN combination within the time it takes to report the theft and change the user's account password. |
| Phone Sign-in | While not currently supported, this is a feature to keep track of for future use. It is currently being trialed on some secure web portals; instead of the user entering their password, PIN, or biometrics, this feature will send a request to an app on their mobile phone to provide the second factor of authentication. This way, even if the laptop is stolen, the thief would still need to sign in to the mobile phone as well to gain access. |