After you set a PIN for an azure ad account on your laptop that PIN can be used only on your laptop

Inhaltsverzeichnis Show

Create a Windows Hello for Business policy
Windows Holographic for Business support

JoeJankowiak-3187 asked • Jun 21, '21 | JamesHamil-MSFT answered • Jul 1, '21

Network setup:
All of our users are in an on-premise AD account, which syncs with Azure Active Directory Connect using password hash authentication (hybrid setup).

Problem
I want users to be able to use a PIN to signin to their machines. I setup a GPO to enable PIN authentication and that has been working fine. I realized though as soon as users sign into their office account using their azure user account, Windows Hello Pin sometimes becomes unavailable. I've been able to help those users set pins by disconnecting their work account from the control panel, setting a pin, then resigning into office.

Last week I rolled out single sign on for office so now it auto authenticates their work account upon signin. This has stopped my trick of signing out to set a pin from working (even if I sign out of office it doesn't let me set it).

Current Group Policy
I believe for the users that do have pins its a convivence pin and not windows hello for business (though on my account I was able to setup a pin and it says "Windows Hello PIN". My only GPO settings for enabling the pin are to set the registry AllowDomainPinLogin and PIN Complexity set to 4.

Question
I've looked through the documentation for Windows hello and it honestly looks overwhelming to setup. I've started to play with it but haven't had much success as theres a lot of documentation to read through. I'm not really sure why my pin works when not signed into office, but then signing in to office disables it. Is there some setting in Azure that is changing it from convince to windows hello pin?

I do want to eventually figure out windows hello, but for the time being I've got people asking me to set a pin so convivence pins are the way to go for now as it sometimes works.

windows-group-policyazure-ad-connect

Comment

Article
12/22/2021
5 minutes to read

You can integrate Windows Hello for Business with Microsoft Intune, during device enrollment.

Hello for Business is an alternative sign-in method that uses Active Directory or an Azure Active Directory account to replace a password, smart card, or a virtual smart card. It lets you use a user gesture to sign in, instead of a password. A user gesture might be a PIN, biometric authentication such as Windows Hello, or an external device such as a fingerprint reader.

Intune integrates with Hello for Business in two ways:

Tenant wide (this article): An Intune policy can be created under Device enrollment. This policy targets the entire organization (tenant-wide). It supports the Windows AutoPilot out-of-box-experience (OOBE) and is applied when a device enrolls.
Discrete groups: For devices that have previously enrolled with Intune, use a device configuration Identity protection profile to configure devices for Windows Hello for Business. Identity protection profiles can target assigned users or devices, and apply during check-in.

In addition, Intune supports the following types of policy to manage some settings for Windows Hello for Business:

The remainder of this article focuses on creating a default Windows Hello for Business policy that targets your entire organization.

Important

Prior to the Anniversary Update, you could set two different PINS that could be used to authenticate to resources:

The device PIN could be used to unlock the device and connect to cloud resources.
The work PIN was used to access Azure AD resources on user's personal devices (BYOD).

In the Anniversary Update, these two PINS were merged into one single device PIN. Any Intune configuration policies you set to control the device PIN, and additionally, any Windows Hello for Business policies you configured, now both set this new PIN value. If you have set both policy types to control the PIN, the Windows Hello for Business policy is applied. To ensure policy conflicts are resolved and that the PIN policy is applied correctly, update your Windows Hello for Business Policy to match the settings in your configuration policy, and ask your users to sync their devices in the Company Portal app.

Create a Windows Hello for Business policy

Sign in to the Microsoft Endpoint Manager admin center.
Go to Devices > Enrollment > Enroll devices > Windows enrollment > Windows Hello for Business. The Windows Hello for Business pane opens.
Select from the following options for Configure Windows Hello for Business:
- Enabled. Select this setting if you want to configure Windows Hello for Business settings. When you select Enabled, additional settings for Windows Hello are visible and can be configured for devices.
- Disabled. If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
- Not configured. Select this setting if you don't want to use Intune to control Windows Hello for Business settings. Any existing Windows Hello for Business settings on 10/11 devices isn't changed. All other settings on the pane are unavailable.
If you selected Enabled in the previous step, configure the required settings that are applied to all enrolled Windows 10/11 devices. After you configure these settings, select Save.
- Use a Trusted Platform Module (TPM):
  
  A TPM chip provides an additional layer of data security. Choose one of the following values:
  - Required (default). Only devices with an accessible TPM can provision Windows Hello for Business.
  - Preferred. Devices first attempt to use a TPM. If this option isn't available, they can use software encryption.
- Minimum PIN length and Maximum PIN length:
  
  Configures devices to use the minimum and maximum PIN lengths that you specify to help ensure secure sign-in. The default PIN length is six characters, but you can enforce a minimum length of four characters. The maximum PIN length is 127 characters.
- Lowercase letters in PIN, Uppercase letters in PIN, and Special characters in PIN.
  
  You can enforce a stronger PIN by requiring the use of uppercase letters, lowercase letters, and special characters in the PIN. For each, select from:
  - Allowed. Users can use the character type in their PIN, but it isn't mandatory.
  - Required. Users must include at least one of the character types in their PIN. For example, it's common practice to require at least one uppercase letter and one special character.
  - Not allowed (default). Users must not use these character types in their PIN. (This is also the behavior if the setting isn't configured.)
    
    Special characters include: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
- PIN expiration (days):
  
  It's a good practice to specify an expiration period for a PIN, after which users must change it. The default is 41 days.
- Remember PIN history:
  
  Restricts the reuse of previously used PINs. By default, the last 5 PINs can't be reused.
- Allow biometric authentication:
  
  Enables biometric authentication, such as facial recognition or fingerprint, as an alternative to a PIN for Windows Hello for Business. Users must still configure a work PIN in case biometric authentication fails. Choose from:
  - Yes. Windows Hello for Business allows biometric authentication.
  - No. Windows Hello for Business prevents biometric authentication (for all account types).
- Use enhanced anti-spoofing, when available:
  
  Configures whether the anti-spoofing features of Windows Hello are used on devices that support it. For example, detecting a photograph of a face instead of a real face.
  
  When set to Yes, Windows requires all users to use anti-spoofing for facial features when that is supported.
- Allow phone sign-in:
  
  If this option is set to Yes, users can use a remote passport to serve as a portable companion device for desktop computer authentication. The desktop computer must be Azure Active Directory joined, and the companion device must be configured with a Windows Hello for Business PIN.
- Use security keys for sign-in:
  
  When set to Enable, this setting provides the capacity for remotely turning ON/OFF Windows Hello Security Keys for all computers in a customer's organization.