Microsoft Intune - Interview Questions
How to Create a Windows Hello for Business policy.
1. Sign in to the Microsoft Endpoint Manager admin center.
 
2. Go to Devices > Enroll devices > Windows enrollment > Windows Hello for Business. The Windows Hello for Business pane opens.
 
3. Select from the following options for Configure Windows Hello for Business:
 
* Enabled. Select this setting if you want to configure Windows Hello for Business settings. When you select Enabled, other settings for Windows Hello are visible and can be configured for devices.
 
* Disabled. If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
 
* Not configured. Select this setting if you don't want to use Intune to control Windows Hello for Business settings. Any existing Windows Hello for Business settings on Windows 10/11 devices aren't changed. All other settings on the pane are unavailable.
 
4. If you selected Enabled in the previous step, configure the required settings that are applied to all enrolled Windows 10/11 devices. After you configure these settings, select Save.
 
* Use a Trusted Platform Module (TPM) :
 
A TPM chip provides another layer of data security. Choose one of the following values:
 
* Required (default). Only devices with an accessible TPM can provision Windows Hello for Business.
* Preferred. Devices first attempt to use a TPM. If this option isn't available, they can use software encryption.

* Minimum PIN length and Maximum PIN length :
 
Configures devices to use the minimum and maximum PIN lengths that you specify to help ensure secure sign-in. The default PIN length is six characters, but you can enforce a minimum length of four characters. The maximum PIN length is 127 characters.
 
* Lowercase letters in PIN, Uppercase letters in PIN, and Special characters in PIN.
 
You can enforce a stronger PIN by requiring the use of uppercase letters, lowercase letters, and special characters in the PIN. For each, select from:
 
* Allowed. Users can use the character type in their PIN, but it isn't mandatory.
 
* Required. Users must include at least one of the character types in their PIN. For example, it's common practice to require at least one uppercase letter and one special character.
 
* Not allowed (default). Users must not use these character types in their PIN. (This is also the behavior if the setting isn't configured.)
 
Special characters include: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
 
* PIN expiration (days) :
 
It's a good practice to specify an expiration period for a PIN, after which users must change it. The default is 41 days.
 
* Remember PIN history :
 
Restricts the reuse of previously used PINs. By default, the last 5 PINs can't be reused.
 
* Allow biometric authentication :
 
Enables biometric authentication, such as facial recognition or fingerprint, as an alternative to a PIN for Windows Hello for Business. Users must still configure a work PIN in case biometric authentication fails. Choose from:
 
* Yes. Windows Hello for Business allows biometric authentication.
* No. Windows Hello for Business prevents biometric authentication (for all account types).

* Use enhanced anti-spoofing, when available :
 
Configures whether the anti-spoofing features of Windows Hello are used on devices that support them, for example to detect a photograph of a face instead of a real face.
 
When set to Yes, Windows requires all users to use anti-spoofing for facial features when that is supported.
 
* Allow phone sign-in :
 
If this option is set to Yes, users can use a remote passport to serve as a portable companion device for desktop computer authentication. The desktop computer must be Azure Active Directory joined, and the companion device must be configured with a Windows Hello for Business PIN.
 
* Use security keys for sign-in :
 
When set to Enable, this setting provides the capacity for remotely turning ON/OFF Windows Hello Security Keys for all computers in a customer's organization.
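
To see how the PIN length and character settings above combine, the following added example (not part of the original page and not Intune code) models them and reports which rules a candidate PIN breaks. The policy keys, value names and the STRICT sample are hypothetical, and the example assumes digits are always permitted.

```python
import string

# Special characters exactly as listed on this page.
SPECIAL = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "special": SPECIAL,
}
# Assumption of this example: digits are always permitted in a PIN.
PERMITTED = set(string.digits).union(*CLASSES.values())

# Hypothetical policy model; key and value names are this example's own,
# not Intune identifiers. Defaults follow the values stated on this page.
DEFAULT_POLICY = {
    "min_length": 6, "max_length": 127,
    "lowercase": "not_allowed", "uppercase": "not_allowed",
    "special": "not_allowed",
}

def policy_errors(policy):
    """Return problems in the policy itself, using the page's 4 and 127 bounds."""
    errors = []
    if policy["min_length"] < 4:
        errors.append("minimum PIN length below 4")
    if policy["max_length"] > 127:
        errors.append("maximum PIN length above 127")
    if policy["min_length"] > policy["max_length"]:
        errors.append("minimum exceeds maximum")
    return errors

def pin_violations(pin, policy=DEFAULT_POLICY):
    """Return the rules a candidate PIN breaks under the given policy."""
    found = []
    if not policy["min_length"] <= len(pin) <= policy["max_length"]:
        found.append("length")
    for name, chars in CLASSES.items():
        present = any(c in chars for c in pin)
        if policy[name] == "required" and not present:
            found.append(f"{name} required")
        elif policy[name] == "not_allowed" and present:
            found.append(f"{name} not allowed")
    if any(c not in PERMITTED for c in pin):
        found.append("unsupported character")
    return found

# Constructed sample: uppercase and special required, lowercase allowed.
STRICT = dict(DEFAULT_POLICY, lowercase="allowed", uppercase="required",
              special="required")
```

With the defaults described on this page, only a digits-only PIN of at least six characters passes; under STRICT the same PIN fails both "required" rules.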