From 01f7774740c59d3811fac1765a388974951e0a58 Mon Sep 17 00:00:00 2001
From: mapalko <mapalko@microsoft.com>
Date: Thu, 16 Apr 2020 15:18:00 -0700
Subject: [PATCH] updating PIN complexity MDM settings

---
 .../hello-manage-in-organization.md           | 177 +++++-------------
 1 file changed, 46 insertions(+), 131 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index b957c2cc87..93619515f1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -15,26 +15,27 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 4/2/2020
+ms.date: 10/18/2017
 ---
 
 # Manage Windows Hello for Business in your organization
 
 **Applies to**
--   Windows 10
+
+- Windows 10
 
 You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
 
 >[!IMPORTANT]
->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. 
+>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
 >
->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. 
+>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
 >
 >Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.
- 
+
 ## Group Policy settings for Windows Hello for Business
 
-The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.
+The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.
 
 > [!NOTE]
 > Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **PIN Complexity**.
@@ -42,15 +43,13 @@ The following table lists the Group Policy settings that you can configure for W
 <table>
 <tr>
 <th colspan="2">Policy</th>
-<th>Scope</th>
 <th>Options</th>
 </tr>
 <tr>
 <td>Use Windows Hello for Business</td>
 <td></td>
-<td>Computer or user</td>
 <td>
-<p><b>Not configured</b>: Device does not provision Windows Hello for Business for any user.</p>
+<p><b>Not configured</b>: Users can provision Windows Hello for Business, which encrypts their domain password.</p>
 <p><b>Enabled</b>: Device provisions Windows Hello for Business using keys or certificates for all users.</p>
 <p><b>Disabled</b>: Device does not provision Windows Hello for Business for any user.</p>
 </td>
@@ -58,37 +57,15 @@ The following table lists the Group Policy settings that you can configure for W
 <tr>
 <td>Use a hardware security device</td>
 <td></td>
-<td>Computer</td>
 <td>
 <p><b>Not configured</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
-<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.</p>
+<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM.</p>
 <p><b>Disabled</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
 </td>
 </tr>
 <tr>
-<td>Use certificate for on-premises authentication</td>
-<td></td>
-<td>Computer or user</td>
-<td>
-<p><b>Not configured</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.</p>
-<p><b>Enabled</b>: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.</p>
-<p><b>Disabled</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.</p>
-</td>
-</tr>
-<td>Use PIN recovery</td>
-<td></td>
-<td>Computer</td>
-<td>
-<p>Added in Windows 10, version 1703</p>
-<p><b>Not configured</b>: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.</p>
-<p><b>Enabled</b>: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.</p>
-<p><b>Disabled</b>: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.</p>
-</td>
-</tr>
-<tr>
 <td>Use biometrics</td>
 <td></td>
-<td>Computer</td>
 <td>
 <p><b>Not configured</b>: Biometrics can be used as a gesture in place of a PIN.</p>
 <p><b>Enabled</b>: Biometrics can be used as a gesture in place of a PIN.</p>
@@ -98,7 +75,6 @@ The following table lists the Group Policy settings that you can configure for W
 <tr>
 <td rowspan="8">PIN Complexity</td>
 <td>Require digits</td>
-<td>Computer</td>
 <td>
 <p><b>Not configured</b>: Users must include a digit in their PIN.</p>
 <p><b>Enabled</b>: Users must include a digit in their PIN.</p>
@@ -107,7 +83,6 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>Require lowercase letters</td>
-<td>Computer</td>
 <td>
 <p><b>Not configured</b>: Users cannot use lowercase letters in their PIN.</p>
 <p><b>Enabled</b>: Users must include at least one lowercase letter in their PIN.</p>
@@ -116,7 +91,6 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>Maximum PIN length</td>
-<td>Computer</td>
 <td>
 <p><b>Not configured</b>: PIN length must be less than or equal to 127.</p>
 <p><b>Enabled</b>: PIN length must be less than or equal to the number you specify.</p>
@@ -125,7 +99,6 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>Minimum PIN length</td>
-<td>Computer</td>
 <td>
 <p><b>Not configured</b>: PIN length must be greater  than or equal to 4.</p>
 <p><b>Enabled</b>: PIN length must be greater than or equal to the number you specify.</p>
@@ -134,7 +107,6 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>Expiration</td>
-<td>Computer</td>
 <td>
 <p><b>Not configured</b>: PIN does not expire.</p>
 <p><b>Enabled</b>: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.</p>
@@ -143,7 +115,6 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>History</td>
-<td>Computer</td>
 <td>
 <p><b>Not configured</b>: Previous PINs are not stored.</p>
 <p><b>Enabled</b>: Specify the number of previous PINs that can be associated to a user account that can&#39;t be reused.</p>
@@ -154,7 +125,6 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>Require special characters</td>
-<td>Computer</td>
 <td>
 <p><b>Not configured</b>: Users cannot include a special character in their PIN.</p>
 <p><b>Enabled</b>: Users must include at least one special character in their PIN.</p>
@@ -163,7 +133,6 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>Require uppercase letters</td>
-<td>Computer</td>
 <td>
 <p><b>Not configured</b>: Users cannot include an uppercase letter in their PIN.</p>
 <p><b>Enabled</b>: Users must include at least one uppercase letter in their PIN.</p>
@@ -171,9 +140,9 @@ The following table lists the Group Policy settings that you can configure for W
 </td>
 </tr>
 <tr>
-<td>Phone Sign-in</td>
-<td>Use Phone Sign-in</td>
-<<td>Computer</td>
+<td>&gt;Phone Sign-in</td>
+<td>
+<p>Use Phone Sign-in</p>
 </td>
 <td>
 <p>Not currently supported.</p>
@@ -198,7 +167,7 @@ The following table lists the MDM policy settings that you can configure for Win
 <tr>
 <td>UsePassportForWork</td>
 <td></td>
-<td>Device or user</td>
+<td>Device</td>
 <td>True</td>
 <td>
 <p>True: Windows Hello for Business will be provisioned for all users on the device.</p>
@@ -210,7 +179,7 @@ The following table lists the MDM policy settings that you can configure for Win
 <tr>
 <td>RequireSecurityDevice</td>
 <td></td>
-<td>Device or user</td>
+<td>Device</td>
 <td>False</td>
 <td>
 <p>True: Windows Hello for Business will only be provisioned using TPM.</p>
@@ -218,28 +187,6 @@ The following table lists the MDM policy settings that you can configure for Win
 </td>
 </tr>
 <tr>
-<td>Exclude Security Device</td>
-<td>TPM12</td>
-<td>Device</td>
-<td>False</td>
-<td>
-<p>Added in Windows 10, version 1703</p>
-<p>True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.</p>
-<p>False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.</p>
-</td>
-</tr>
-<tr>
-<td>EnablePinRecovery</td>
-<td></td>
-<td>Device or user</td>
-<td>False</td>
-<td>
-<p>Added in Windows 10, version 1703</p>
-<p>True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.</p>
-<p>False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.</p>
-</td>
-</tr>
-<tr>
 <td rowspan="2">Biometrics</td>
 <td>
 <p>UseBiometrics</p>
@@ -270,19 +217,41 @@ The following table lists the MDM policy settings that you can configure for Win
 <tr>
 <td>Digits </td>
 <td>Device or user</td>
-<td>2 </td>
+<td>1 </td>
 <td>
-<p>1: Numbers are not allowed. </p>
-<p>2: At least one number is required.</p>
+<p>0: Numbers are allowed. </p>
+<p>1: At least one number is required.</p>
+<p>2: Numbers are not allowed. </p>
 </td>
 </tr>
 <tr>
 <td>Lowercase letters </td>
 <td>Device or user</td>
-<td>1 </td>
+<td>2</td>
 <td>
-<p>1: Lowercase letters are not allowed. </p>
-<p>2: At least one lowercase letter is required.</p>
+<p>0: Lowercase letters are allowed. </p>
+<p>1: At least one lowercase letter is required.</p>
+<p>2: Lowercase letters are not allowed. </p>
+</td>
+</tr>
+<tr>
+<td>Special characters</td>
+<td>Device or user</td>
+<td>2</td>
+<td>
+<p>0: Special characters are allowed. </p>
+<p>1: At least one special character is required. </p>
+<p>2: Special characters are not allowed.</p>
+</td>
+</tr>
+<tr>
+<td>Uppercase letters</td>
+<td>Device or user</td>
+<td>2</td>
+<td>
+<p>0: Uppercase letters are allowed. </p>
+<p>1: At least one uppercase letter is required.</p>
+<p>2: Uppercase letters are not allowed. </p>
 </td>
 </tr>
 <tr>
@@ -306,7 +275,7 @@ The following table lists the MDM policy settings that you can configure for Win
 <td>Device or user</td>
 <td>0</td>
 <td>
-<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire. 
+<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.
 </p>
 </td>
 </tr>
@@ -315,29 +284,11 @@ The following table lists the MDM policy settings that you can configure for Win
 <td>Device or user</td>
 <td>0</td>
 <td>
-<p>Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. 
+<p>Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
 </p>
 </td>
 </tr>
 <tr>
-<td>Special characters</td>
-<td>Device or user</td>
-<td>1</td>
-<td>
-<p>1: Special characters are not allowed. </p>
-<p>2: At least one special character is required.</p>
-</td>
-</tr>
-<tr>
-<td>Uppercase letters</td>
-<td>Device or user</td>
-<td>1</td>
-<td>
-<p>1: Uppercase letters are not allowed </p>
-<p>2: At least one uppercase letter is required</p>
-</td>
-</tr>
-<tr>
 <td>Remote</td>
 <td>
 <p>UseRemotePassport</p>
@@ -351,47 +302,11 @@ The following table lists the MDM policy settings that you can configure for Win
 </table>
 
 >[!NOTE]
-> In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN.
-
-## Policy conflicts from multiple policy sources
-
-Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device.
-
-Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source.
-
-Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis.  
-
->[!Note]
-> Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP.
-
-><b>Examples</b>
->
->The following are configured using computer Group Policy:
->
->- Use Windows Hello for Business - Enabled
->- User certificate for on-premises authentication - Enabled
->- Require digits - Enabled
->- Minimum PIN length - 6
->
->The following are configured using device MDM Policy:
->
->- UsePassportForWork - Disabled
->- UseCertificateForOnPremAuth - Disabled
->- MinimumPINLength - 8
->- Digits - 1
->- LowercaseLetters - 1
->- SpecialCharacters - 1
->
->Enforced policy set:
->
->- Use Windows Hello for Business - Enabled
->- Use certificate for on-premises authentication - Enabled
->- Require digits - Enabled
->- Minimum PIN length - 6
+> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.
 
 ## How to use Windows Hello for Business with Azure Active Directory
 
-There are three scenarios for using Windows Hello for Business in Azure AD–only organizations:
+There are three scenarios for using Windows Hello for Business in Azure AD–only organizations: 
 
 - **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant's directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
 - **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won't be enabled unless and until the organization's administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered. 

Policy		Scope	Options
Use Windows Hello for Business		Computer or user	- Not configured: Device does not provision Windows Hello for Business for any user. + Not configured: Users can provision Windows Hello for Business, which encrypts their domain password. Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. Disabled: Device does not provision Windows Hello for Business for any user.
Use a hardware security device		Computer	Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. - Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set. + Enabled: Windows Hello for Business will only be provisioned using TPM. Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
Use certificate for on-premises authentication		Computer or user	- Not configured: Windows Hello for Business enrolls a key that is used for on-premises authentication. - Enabled: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication. - Disabled: Windows Hello for Business enrolls a key that is used for on-premises authentication. -
Use PIN recovery		Computer	- Added in Windows 10, version 1703 - Not configured: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. - Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset. - Disabled: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. -
Use biometrics		Computer	Not configured: Biometrics can be used as a gesture in place of a PIN. Enabled: Biometrics can be used as a gesture in place of a PIN. @@ -98,7 +75,6 @@ The following table lists the Group Policy settings that you can configure for W
PIN Complexity	Require digits	Computer	Not configured: Users must include a digit in their PIN. Enabled: Users must include a digit in their PIN. @@ -107,7 +83,6 @@ The following table lists the Group Policy settings that you can configure for W
	Require lowercase letters	Computer	Not configured: Users cannot use lowercase letters in their PIN. Enabled: Users must include at least one lowercase letter in their PIN. @@ -116,7 +91,6 @@ The following table lists the Group Policy settings that you can configure for W
	Maximum PIN length	Computer	Not configured: PIN length must be less than or equal to 127. Enabled: PIN length must be less than or equal to the number you specify. @@ -125,7 +99,6 @@ The following table lists the Group Policy settings that you can configure for W
	Minimum PIN length	Computer	Not configured: PIN length must be greater than or equal to 4. Enabled: PIN length must be greater than or equal to the number you specify. @@ -134,7 +107,6 @@ The following table lists the Group Policy settings that you can configure for W
	Expiration	Computer	Not configured: PIN does not expire. Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0. @@ -143,7 +115,6 @@ The following table lists the Group Policy settings that you can configure for W
	History	Computer	Not configured: Previous PINs are not stored. Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused. @@ -154,7 +125,6 @@ The following table lists the Group Policy settings that you can configure for W
	Require special characters	Computer	Not configured: Users cannot include a special character in their PIN. Enabled: Users must include at least one special character in their PIN. @@ -163,7 +133,6 @@ The following table lists the Group Policy settings that you can configure for W
	Require uppercase letters	Computer	Not configured: Users cannot include an uppercase letter in their PIN. Enabled: Users must include at least one uppercase letter in their PIN. @@ -171,9 +140,9 @@ The following table lists the Group Policy settings that you can configure for W
Phone Sign-in	Use Phone Sign-in	Computer	>Phone Sign-in	+ Use Phone Sign-in	Not currently supported. @@ -198,7 +167,7 @@ The following table lists the MDM policy settings that you can configure for Win
UsePassportForWork		Device or user	Device	True	True: Windows Hello for Business will be provisioned for all users on the device. @@ -210,7 +179,7 @@ The following table lists the MDM policy settings that you can configure for Win
RequireSecurityDevice		Device or user	Device	False	True: Windows Hello for Business will only be provisioned using TPM. @@ -218,28 +187,6 @@ The following table lists the MDM policy settings that you can configure for Win
Exclude Security Device	TPM12	Device	False	- Added in Windows 10, version 1703 - True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. - False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. -
EnablePinRecovery		Device or user	False	- Added in Windows 10, version 1703 - True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset. - False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. -
Biometrics	UseBiometrics @@ -270,19 +217,41 @@ The following table lists the MDM policy settings that you can configure for Win
Biometrics	Digits	Device or user	2	1	- 1: Numbers are not allowed. - 2: At least one number is required. + 0: Numbers are allowed. + 1: At least one number is required. + 2: Numbers are not allowed.
Lowercase letters	Device or user	1	2	- 1: Lowercase letters are not allowed. - 2: At least one lowercase letter is required. + 0: Lowercase letters are allowed. + 1: At least one lowercase letter is required. + 2: Lowercase letters are not allowed. +
Special characters	Device or user	2	+ 0: Special characters are allowed. + 1: At least one special character is required. + 2: Special characters are not allowed. +
Uppercase letters	Device or user	2	+ 0: Uppercase letters are allowed. + 1: At least one uppercase letter is required. + 2: Uppercase letters are not allowed.
Device or user	0	- Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire. + Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.
Device or user	0	- Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. + Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
Special characters	Device or user	1	- 1: Special characters are not allowed. - 2: At least one special character is required. -
Uppercase letters	Device or user	1	- 1: Uppercase letters are not allowed - 2: At least one uppercase letter is required -
Remote	UseRemotePassport @@ -351,47 +302,11 @@ The following table lists the MDM policy settings that you can configure for Win