Windows Hello for Business
Windows Hello for Business is a feature that enhances security and user authentication experience by providing PIN policy and biometrics authentication. Mobile Device Manager Plus extends support for Windows Hello for Business for devices enrolled using Azure Enrollment. This policy is applicable only for devices running Windows 10 or later versions.
Profile Description
Profile Specification | Description |
---|---|
Windows Hello for Business | Enable/Disable Hello for Business policy on the devices. |
Tenant ID | Enter the Azure Tenant ID. To obtain Tenant ID, sign in to the Azure Portal > Azure Active Directory > Properties > Tenant ID. |
Digits in PIN | Specify whether to allow or restrict digits in PIN. |
Lowercase letters in PIN | Specify whether to allow or restrict the usage of lowercase letters in PIN. |
Uppercase letters in PIN | Specify whether to allow or restrict the usage of uppercase letters in PIN. |
Special characters in PIN | Specify whether to allow or restrict the usage of special characters in PIN. |
Minimum PIN length | Specify a minimum length of a PIN, for example, if you have the minimum length as 5, users will not be allowed to set a passcode with 4 characters or less. |
Maximum PIN length | Specify a maximum length of a PIN, for example if you have the minimum length as 5, users will not be allowed to set a passcode with 6 characters or more. |
PIN expiry in days | Specify the number of days the PIN to be reset. After this period, the user is forced to change the PIN. |
Remember PIN history | Specify the number of previous PINs to be maintained, so that users cannot reuse them. For example, if you have set the limit as 3, users will not be allowed to reuse the last 2 passcodes and the current passcode. |
PIN recovery | Allow or restrict the devices to use the Azure-based PIN recovery service. |
Use a Trusted Platform Module (TPM) | A TPM chip provides an additional layer of data security. If this setting is allowed, only the devices with TPM can provision Hello for Business policy. |
Biometric authentication | Allow or restrict users to authenticate using gestures, such as face and fingerprint. |
Use enhanced anti-spoofing, when available | Allow or restrict devices to use enhanced anti-spoofing for facial features when available (for example, detecting a photograph of a face instead of a real face). |
FIDO2KEY for sign-in | Allow or restrict sign-in using the FIDO2 Security Key. |
Two Factor Authentication (TFA) for device unlock | Enable or disable Two Factor Authentication (TFA) for device unlock. |
First factor for authentication | If TFA is enabled, specify the first factor for authentication. It can be PIN, Facial recognition, Fingerprint or Trusted signals. |
Second factor for authentication | Specify the second factor for authentication. It can be PIN, Facial recognition, Fingerprint or Trusted signals. |
Dynamic lock | Allow or restrict devices to lock automatically when the Bluetooth paired signal falls or the system is idle. |
Phone sign-in | Allow or restrict phone sign-in. |
Jump To