diff --git a/windows/client-management/change-history-for-mdm-documentation.md b/windows/client-management/change-history-for-mdm-documentation.md
index 5b7f08ac50..36449cf15b 100644
--- a/windows/client-management/change-history-for-mdm-documentation.md
+++ b/windows/client-management/change-history-for-mdm-documentation.md
@@ -308,7 +308,7 @@ As of November 2020 This page will no longer be updated. This article lists new
|[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:
Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.|
|[CM_CellularEntries CSP](mdm/cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.|
|[EnterpriseDataProtection CSP](mdm/enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following values:
0 (default) – Off / No protection (decrypts previously protected data). 1 – Silent mode (encrypt and audit only). 2 – Allow override mode (encrypt, prompt and allow overrides, and audit). 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).|
-|[AppLocker CSP](mdm/applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](mdm/applocker-csp.md#allow-list-examples).|
+|[AppLocker CSP](mdm/applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](mdm/applocker-csp.md#allowlist-examples).|
|[DeviceManageability CSP](mdm/devicemanageability-csp.md)|Added the following settings in Windows 10, version 1709:Provider/ProviderID/ConfigInfo Provider/ProviderID/EnrollmentInfo|
|[Office CSP](mdm/office-csp.md)|Added the following setting in Windows 10, version 1709:Installation/CurrentStatus|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.|
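Review bot: The anchor change from `#allow-list-examples` to `#allowlist-examples` only resolves if the heading in mdm/applocker-csp.md is actually rendered with that slug; please confirm the generated anchor in that file, because a stale fragment fails silently and just lands at the top of the page. In the unchanged context of this same row block, "PuposeGroups" on the CM_CellularEntries line looks like a typo for "PurposeGroups" and could be corrected while this table is being touched.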
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 79b9684766..f37d240284 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -1,378 +1,2445 @@
---
title: PassportForWork CSP
-description: The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work).
-ms.reviewer:
+description: Learn more about the PassportForWork CSP.
+author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 02/24/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 07/19/2019
+ms.topic: reference
---
+
+
+
# PassportForWork CSP
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
+
+
The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
-
> [!IMPORTANT]
-> Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
-
-### User configuration diagram
+> Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
+
+
The following example shows the PassportForWork configuration service provider in tree format.
-```console
-./User/Vendor/MSFT
-PassportForWork
--------TenantId
-----------Policies
--------------UsePassportForWork
--------------RequireSecurityDevice
--------------EnablePinRecovery
--------------PINComplexity
-----------------MinimumPINLength
-----------------MaximumPINLength
-----------------UppercaseLetters
-----------------LowercaseLetters
-----------------SpecialCharecters
-----------------Digits
-----------------History
-----------------Expiration
+```text
+./Device/Vendor/MSFT/PassportForWork
+--- {TenantId}
+------ Policies
+--------- EnablePinRecovery
+--------- ExcludeSecurityDevices
+------------ TPM12
+--------- PINComplexity
+------------ Digits
+------------ Expiration
+------------ History
+------------ LowercaseLetters
+------------ MaximumPINLength
+------------ MinimumPINLength
+------------ SpecialCharacters
+------------ UppercaseLetters
+--------- Remote
+------------ UseRemotePassport
+--------- RequireSecurityDevice
+--------- UseCertificateForOnPremAuth
+--------- UseCloudTrustForOnPremAuth
+--------- UseHelloCertificatesAsSmartCardCertificates
+--------- UsePassportForWork
+--- Biometrics
+------ EnableESSwithSupportedPeripherals
+------ FacialFeaturesUseEnhancedAntiSpoofing
+------ UseBiometrics
+--- DeviceUnlock
+------ GroupA
+------ GroupB
+------ Plugins
+--- DynamicLock
+------ DynamicLock
+------ Plugins
+--- SecurityKey
+------ UseSecurityKeyForSignin
+--- UseBiometrics
+./User/Vendor/MSFT/PassportForWork
+--- {TenantId}
+------ Policies
+--------- EnablePinRecovery
+--------- PINComplexity
+------------ Digits
+------------ Expiration
+------------ History
+------------ LowercaseLetters
+------------ MaximumPINLength
+------------ MinimumPINLength
+------------ SpecialCharacters
+------------ UppercaseLetters
+--------- RequireSecurityDevice
+--------- UsePassportForWork
```
+
-### Device configuration diagram
+
+## Device/{TenantId}
-The following example shows the PassportForWork configuration service provider in tree format.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-```console
-./Device/Vendor/MSFT
-PassportForWork
--------TenantId
-----------Policies
--------------UsePassportForWork
--------------RequireSecurityDevice
--------------ExcludeSecurityDevices
-----------------TPM12
--------------EnablePinRecovery
--------------UserCertificateForOnPremAuth
--------------PINComplexity
-----------------MinimumPINLength
-----------------MaximumPINLength
-----------------UppercaseLetters
-----------------LowercaseLetters
-----------------SpecialCharacters
-----------------Digits
-----------------History
-----------------Expiration
--------------Remote
-----------------UseRemotePassport
--------------UseHelloCertificatesAsSmartCardCertificates
--------UseBiometrics
--------Biometrics
-----------UseBiometrics
-----------FacialFeaturesUseEnhancedAntiSpoofing
-----------EnableESSwithSupportedPeripherals
--------DeviceUnlock
-----------GroupA
-----------GroupB
-----------Plugins
--------DynamicLock
-----------DynamicLock
-----------Plugins
--------SecurityKey
-----------UseSecurityKeyForSignin
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}
```
+
-**PassportForWork**
-Root node for PassportForWork configuration service provider.
+
+
+This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management.
+
-***TenantId***
-A globally unique identifier (GUID), without curly braces (`{`, `}`), that's used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
+
+
+To get the GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
+
-***TenantId*/Policies**
-Node for defining the Windows Hello for Business policy settings.
+
+**Description framework properties**:
-***TenantId*/Policies/UsePassportForWork**
-Boolean value that sets Windows Hello for Business as a method for signing into Windows.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell. |
+
-Default value is true. If you set this policy to false, the user can't provision Windows Hello for Business.
+
+
+
-Supported operations are Add, Get, Delete, and Replace.
+
-***TenantId*/Policies/RequireSecurityDevice**
-Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an extra security benefit over software so that data stored in it can't be used on other devices.
+
+### Device/{TenantId}/Policies
-Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there isn't a usable TPM. If you don't configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-Supported operations are Add, Get, Delete, and Replace.
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies
+```
+
-***TenantId*/Policies/ExcludeSecurityDevices** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, version 1703. Root node for excluded security devices.
-*Not supported on Windows Holographic and Windows Holographic for Business.*
+
+
+Root node for policies.
+
-***TenantId*/Policies/ExcludeSecurityDevices/TPM12** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG).
+
+
+
-Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.
+
+**Description framework properties**:
-If you disable or don't configure this policy setting, TPM revision 1.2 modules will be used with Windows Hello for Business.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
-Supported operations are Add, Get, Delete, and Replace.
+
+
+
-***TenantId*/Policies/EnablePinRecovery**
-Added in Windows 10, version 1703. Boolean value that enables a user to change their PIN by using the Windows Hello for Business PIN recovery service.
-This cloud service encrypts a recovery secret, which is stored locally on the client, and can be decrypted only by the cloud service.
+
-Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed.
+
+#### Device/{TenantId}/Policies/EnablePinRecovery
-If you disable or don't configure this policy setting, the PIN recovery secret won't be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-Supported operations are Add, Get, Delete, and Replace.
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnablePinRecovery
+```
+
-***TenantId*/Policies/UseCertificateForOnPremAuth** (only for ./Device/Vendor/MSFT)
-Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premises resources.
+
+
+If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service.
-If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
+- If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten.
-If you disable or don't configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload.
+- If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to.
+
-Supported operations are Add, Get, Delete, and Replace.
+
+
+
-***TenantId*/Policies/UseCloudTrustForOnPremAuth** (only for ./Device/Vendor/MSFT)
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+#### Device/{TenantId}/Policies/ExcludeSecurityDevices
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/ExcludeSecurityDevices
+```
+
+
+
+
+Root node for excluded security devices.
+
+
+
+
+> [!NOTE]
+> Not supported on Windows Holographic and Windows Holographic for Business.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+##### Device/{TenantId}/Policies/ExcludeSecurityDevices/TPM12
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/ExcludeSecurityDevices/TPM12
+```
+
+
+
+
+Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG).
+
+- If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.
+
+- If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+#### Device/{TenantId}/Policies/PINComplexity
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity
+```
+
+
+
+
+Root node for PIN policies.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+##### Device/{TenantId}/Policies/PINComplexity/Digits
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/Digits
+```
+
+
+
+
+Use this policy setting to configure the use of digits in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN.
+
+A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN.
+
+- If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allows the use of digits in PIN. |
+| 1 | Requires the use of at least one digits in PIN. |
+| 2 | Does not allow the use of digits in PIN. |
+
+
+
+
+
+
+
+
+
+##### Device/{TenantId}/Policies/PINComplexity/Expiration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/Expiration
+```
+
+
+
+
+This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-730]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+##### Device/{TenantId}/Policies/PINComplexity/History
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/History
+```
+
+
+
+
+This policy specifies the number of past PINs that can be stored in the history that can't be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-50]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+##### Device/{TenantId}/Policies/PINComplexity/LowercaseLetters
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/LowercaseLetters
+```
+
+
+
+
+Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN.
+
+A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN.
+
+- If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allows the use of lowercase letters in PIN. |
+| 1 | Requires the use of at least one lowercase letters in PIN. |
+| 2 | Does not allow the use of lowercase letters in PIN. |
+
+
+
+
+
+
+
+
+
+##### Device/{TenantId}/Policies/PINComplexity/MaximumPINLength
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/MaximumPINLength
+```
+
+
+
+
+Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater.
+
+- If you configure this policy setting, the PIN length must be less than or equal to this number.
+
+- If you do not configure this policy setting, the PIN length must be less than or equal to 127.
+
+> [!NOTE]
+> If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[4-127]` |
+| Default Value | 127 |
+
+
+
+
+
+
+
+
+
+##### Device/{TenantId}/Policies/PINComplexity/MinimumPINLength
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/MinimumPINLength
+```
+
+
+
+
+Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.
+
+- If you configure this policy setting, the PIN length must be greater than or equal to this number.
+
+- If you do not configure this policy setting, the PIN length must be greater than or equal to 4.
+
+> [!NOTE]
+> If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[4-127]` |
+| Default Value | 4 |
+
+
+
+
+
+
+
+
+
+##### Device/{TenantId}/Policies/PINComplexity/SpecialCharacters
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/SpecialCharacters
+```
+
+
+
+
+Use this policy setting to configure the use of special characters in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ .
+
+A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN.
+
+A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN.
+
+- If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allows the use of special characters in PIN. |
+| 1 | Requires the use of at least one special characters in PIN. |
+| 2 | Does not allow the use of special characters in PIN. |
+
+
+
+
+
+
+
+
+
+##### Device/{TenantId}/Policies/PINComplexity/UppercaseLetters
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/UppercaseLetters
+```
+
+
+
+
+Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN.
+
+A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN.
+
+- If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allows the use of uppercase letters in PIN. |
+| 1 | Requires the use of at least one uppercase letters in PIN. |
+| 2 | Does not allow the use of uppercase letters in PIN. |
+
+
+
+
+
+
+
+
+
+#### Device/{TenantId}/Policies/Remote
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/Remote
+```
+
+
+
+
+Root node for phone sign-in policies.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+##### Device/{TenantId}/Policies/Remote/UseRemotePassport
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/Remote/UseRemotePassport
+```
+
+
+
+
+Boolean that specifies if phone sign-in can be used with a device. Phone sign-in provides the ability for a portable, registered device to be usable as a companion device for desktop authentication.
+
+Default value is false.
+
+- If you enable this setting, a desktop device will allow a registered, companion device to be used as an authentication factor.
+- If you disable this setting, a companion device cannot be used in desktop authentication scenarios.
+
+
+
+
+> [!NOTE]
+> Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+#### Device/{TenantId}/Policies/RequireSecurityDevice
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice
+```
+
+
+
+
+A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices.
+
+- If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business.
+
+- If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+#### Device/{TenantId}/Policies/UseCertificateForOnPremAuth
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCertificateForOnPremAuth
+```
+
+
+
+
+Windows Hello for Business can use certificates to authenticate to on-premise resources.
+
+- If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
+
+- If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+#### Device/{TenantId}/Policies/UseCloudTrustForOnPremAuth
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1566] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth
+```
+
+
+
+
Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources.
-If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain.
+- If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain.
-If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources.
+- If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources.
+
-Supported operations are Add, Get, Delete, and Replace.
+
+
+
-***TenantId*/Policies/PINComplexity**
-Node for defining PIN settings.
+
+**Description framework properties**:
-***TenantId*/Policies/PINComplexity/MinimumPINLength**
-Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
-If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be greater than or equal to 4.
+
+**Allowed values**:
-> [!NOTE]
-> If the conditions specified above for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
-
-Value type is int. Supported operations are Add, Get, Delete, and Replace.
+
+
+
-***TenantId*/Policies/PINComplexity/MaximumPINLength**
-Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater.
+
-If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be less than or equal to 127.
+
+#### Device/{TenantId}/Policies/UseHelloCertificatesAsSmartCardCertificates
-> [!NOTE]
-> If the conditions specified above for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
-
-Supported operations are Add, Get, Delete, and Replace.
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseHelloCertificatesAsSmartCardCertificates
+```
+
-***TenantId*/Policies/PINComplexity/UppercaseLetters**
-Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN.
+
+
-Valid values:
+- If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
-- 0 - Allows the use of uppercase letters in PIN.
-- 1 - Requires the use of at least one uppercase letter in PIN.
-- 2 - Doesn't allow the use of uppercase letters in PIN.
-
-Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply.
-
-Supported operations are Add, Get, Delete, and Replace.
-
-***TenantId*/Policies/PINComplexity/LowercaseLetters**
-Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN.
-
-Valid values:
-
-- 0 - Allows the use of lowercase letters in PIN.
-- 1 - Requires the use of at least one lowercase letter in PIN.
-- 2 - Doesn't allow the use of lowercase letters in PIN.
-
-Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply.
-
-Supported operations are Add, Get, Delete, and Replace.
-
-***TenantId*/Policies/PINComplexity/SpecialCharacters**
-Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid special characters for Windows Hello for Business PIN gestures include: ! " \# $ % & ' ( ) \* + , - . / : ; < = > ? @ \[ \\ \] ^ \_ \` { | } ~ .
-
-Valid values:
-
-- 0 - Allows the use of special characters in PIN.
-- 1 - Requires the use of at least one special character in PIN.
-- 2 - Doesn't allow the use of special characters in PIN.
-
-Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply.
-
-Supported operations are Add, Get, Delete, and Replace.
-
-***TenantId*/Policies/PINComplexity/Digits**
-Integer value that configures the use of digits in the Windows Hello for Business PIN.
-
-Valid values:
-
-- 0 - Allows the use of digits in PIN.
-- 1 - Requires the use of at least one digit in PIN.
-- 2 - Doesn't allow the use of digits in PIN.
-
-Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply.
-
-Supported operations are Add, Get, Delete, and Replace.
-
-***TenantId*/Policies/PINComplexity/History**
-Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required. This node was added in Windows 10, version 1511.
-
-The current PIN of the user is included in the set of PINs associated with the user account. PIN history isn't preserved through a PIN reset.
-
-Default value is 0.
-
-Supported operations are Add, Get, Delete, and Replace.
-
-***TenantId*/Policies/PINComplexity/Expiration**
-Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. This node was added in Windows 10, version 1511.
-
-Default is 0.
-
-Supported operations are Add, Get, Delete, and Replace.
-
-***TenantId*/Policies/Remote** (only for ./Device/Vendor/MSFT)
-Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511.
-*Not supported on Windows Holographic and Windows Holographic for Business.*
-
-***TenantId*/Policies/Remote/UseRemotePassport** (only for ./Device/Vendor/MSFT)
-Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511.
-
-Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled.
-
-Supported operations are Add, Get, Delete, and Replace.
-
-*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
-
-***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, version 1809. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
-
-If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key.
+- If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key.
Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in.
+
-Value type is bool. Supported operations are Add, Get, Replace, and Delete.
+
+
+
-**UseBiometrics**
-This node is deprecated. Use **Biometrics/UseBiometrics** node instead.
+
+**Description framework properties**:
-**Biometrics** (only for ./Device/Vendor/MSFT)
-Node for defining biometric settings. This node was added in Windows 10, version 1511.
-*Not supported on Windows Holographic and Windows Holographic for Business.*
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
-**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT)
-Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use if there are failures. This node was added in Windows 10, version 1511.
+
+**Allowed values**:
-Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business.
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
-Supported operations are Add, Get, Delete, and Replace.
+
+
+
-*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
+
-**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT)
-Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511.
+
+#### Device/{TenantId}/Policies/UsePassportForWork
-Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that don't support enhanced anti-spoofing.
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork
+```
+
-Enhanced anti-spoofing for Windows Hello face authentication isn't required on unmanaged devices.
+
+
+Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards.
-Supported operations are Add, Get, Delete, and Replace.
+- If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users.
-*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
+- If you disable this policy setting, the device does not provision Windows Hello for Business for any user.
+
-**Biometrics/EnableESSwithSupportedPeripherals** (only for ./Device/Vendor/MSFT)
+
+
+
-If this policy is enabled, Windows Hello authentication using peripheral biometric sensors will be blocked. Any non-authentication operational functionalities such as camera usage (for instance, video calls and the camera) will be unaffected.
+
+**Description framework properties**:
-If you enable this policy it can have the following possible values:
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | True |
+
-**0 - Enhanced Sign-in Security Disabled** (not recommended)
+
+**Allowed values**:
-Enhanced sign-in security will be disabled on all systems, enabling the use of peripheral biometric authentication. If this policy value is set to 0 after users have enrolled in ESS biometrics, users will be prompted to reset their PIN. They will lose all their existing biometric enrollments. To use biometrics they will have to enroll again.
+| Value | Description |
+|:--|:--|
+| false | Disabled. |
+| true (Default) | Enabled. |
+
-**1 - Enhanced Sign-in Security Enabled** (default and recommended for highest security)
+
+
+
-Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any biometric device that Enhanced Sign-in Security does not support, including that of peripheral devices, will be blocked and not available for Windows Hello.
+
-If you disable or do not configure this policy, Enhanced Sign-in Security is preferred on the device. The behavior will be the same as enabling the policy and setting the value to 1.
+
+## Device/Biometrics
-Supported operations are Add, Get, Delete, and Replace.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-*Supported from Windows 11 version 22H2*
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/Biometrics
+```
+
-**DeviceUnlock** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, version 1803. Interior node.
+
+
+Root node for biometrics policies.
+
-**DeviceUnlock/GroupA** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the first step of authentication.
+
+
+
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+**Description framework properties**:
-**DeviceUnlock/GroupB** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the second step of authentication.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
-**DeviceUnlock/Plugins** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user presence.
+
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+### Device/Biometrics/EnableESSwithSupportedPeripherals
-**DynamicLock** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, version 1803. Interior node.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/Biometrics/EnableESSwithSupportedPeripherals
+```
+
-**DynamicLock/DynamicLock** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, version 1803. Enables the dynamic lock.
+
+
+Enhanced Sign-in Security (ESS) isolates both biometric template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. Because the channel of communication between the sensors and the algorithm is also secured, it is impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine.
+
-Value type is bool. Supported operations are Add, Get, Replace, and Delete.
+
+
+
-**DynamicLock/Plugins** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user absence.
+
+**Description framework properties**:
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-**SecurityKey** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, version 1903. Interior node.
+
+**Allowed values**:
-Scope is permanent. Supported operation is Get.
+| Value | Description |
+|:--|:--|
+| 0 | Enhanced sign-in security will be disabled on all systems. If a user already has a secure Windows Hello enrollment, they will lose their enrollment and must reset PIN, and they will have the option to re-enroll in normal face and fingerprint. Peripheral usage will be enabled by disabling Enhanced sign-in security. OS will not attempt to start secure components, even if the secure hardware and software components are present. (not recommended). |
+| 1 (Default) | Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. For systems with one secure modality (face or fingerprint) and one insecure modality (fingerprint or face), only the secure sensor can be used for sign-in and the insecure sensor(s) will be blocked. This includes peripheral devices, which are unsupported and will be unusable. (default and recommended for highest security). |
+
+
+**Group policy mapping**:
-**SecurityKey/UseSecurityKeyForSignin** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, version 1903. Enables users to sign in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation.
+| Name | Value |
+|:--|:--|
+| Name | Enable ESS with Supported Peripherals |
+| Path | Passport > AT > WindowsComponents > MSPassportForWorkCategory |
+
-Scope is dynamic. Supported operations are Add, Get, Replace, and Delete.
+
+
+
-Value type is integer.
+
-Valid values:
-- 0 (default) - disabled.
-- 1 - enabled.
+
+### Device/Biometrics/FacialFeaturesUseEnhancedAntiSpoofing
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/Biometrics/FacialFeaturesUseEnhancedAntiSpoofing
+```
+
+
+
+
+This setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.
+
+- If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing.
+
+- If you disable or do not configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
+
+**Note** that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices.
+
+
+
+
+> [!NOTE]
+> Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+### Device/Biometrics/UseBiometrics
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/Biometrics/UseBiometrics
+```
+
+
+
+
+Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures.
+
+- If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures.
+
+- If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures.
+
+> [!NOTE]
+> Disabling this policy prevents the use of biometric gestures on the device for all account types.
+
+
+
+
+> [!NOTE]
+> Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+## Device/DeviceUnlock
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/DeviceUnlock
+```
+
+
+
+
+Device Unlock.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Device/DeviceUnlock/GroupA
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupA
+```
+
+
+
+
+Contains a list of providers by GUID that are to be considered for the first step of authentication.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` |
+
+
+
+
+
+
+
+
+
+### Device/DeviceUnlock/GroupB
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupB
+```
+
+
+
+
+Contains a list of providers by GUID that are to be considered for the second step of authentication.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` |
+
+
+
+
+
+
+
+
+
+### Device/DeviceUnlock/Plugins
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/Plugins
+```
+
+
+
+
+List of plugins that the passive provider monitors to detect user presence.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+## Device/DynamicLock
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/DynamicLock
+```
+
+
+
+
+Dynamic Lock.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Device/DynamicLock/DynamicLock
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/DynamicLock/DynamicLock
+```
+
+
+
+
+Enables/Disables Dyanamic Lock.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+### Device/DynamicLock/Plugins
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/DynamicLock/Plugins
+```
+
+
+
+
+List of plugins that the passive provider monitors to detect user absence.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+## Device/SecurityKey
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/SecurityKey
+```
+
+
+
+
+Security Key.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Device/SecurityKey/UseSecurityKeyForSignin
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
+```
+
+
+
+
+Use security key for signin. 0 is disabled. 1 is enable. If you do not configure this policy setting, the default is disabled.
+
+
+
+
+Enables users to sign in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft's implementation.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
+
+
+
+
+
+
+
+
+## Device/UseBiometrics
+
+> [!NOTE]
+> This policy is deprecated and may be removed in a future release.
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/UseBiometrics
+```
+
+
+
+
+THIS NODE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE VERSION. PLEASE USE Biometrics/UseBiometrics NODE INSTEAD.
+
+Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures.
+
+- If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures.
+
+- If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures.
+
+> [!NOTE]
+> Disabling this policy prevents the use of biometric gestures on the device for all account types.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+## User/{TenantId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}
+```
+
+
+
+
+This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management.
+
+
+
+
+To get the GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell. |
+
+
+
+
+
+
+
+
+
+### User/{TenantId}/Policies
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies
+```
+
+
+
+
+Root node for policies.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+#### User/{TenantId}/Policies/EnablePinRecovery
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnablePinRecovery
+```
+
+
+
+
+If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service.
+
+- If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten.
+
+- If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+#### User/{TenantId}/Policies/PINComplexity
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity
+```
+
+
+
+
+Root node for PIN policies.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/Digits
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/Digits
+```
+
+
+
+
+Use this policy setting to configure the use of digits in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN.
+
+A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN.
+
+- If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allows the use of digits in PIN. |
+| 1 | Requires the use of at least one digits in PIN. |
+| 2 | Does not allow the use of digits in PIN. |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/Expiration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/Expiration
+```
+
+
+
+
+This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-730]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/History
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/History
+```
+
+
+
+
+This policy specifies the number of past PINs that can be stored in the history that can't be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-50]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/LowercaseLetters
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/LowercaseLetters
+```
+
+
+
+
+Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN.
+
+A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN.
+
+- If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allows the use of lowercase letters in PIN. |
+| 1 | Requires the use of at least one lowercase letters in PIN. |
+| 2 | Does not allow the use of lowercase letters in PIN. |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/MaximumPINLength
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/MaximumPINLength
+```
+
+
+
+
+Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater.
+
+- If you configure this policy setting, the PIN length must be less than or equal to this number.
+
+- If you do not configure this policy setting, the PIN length must be less than or equal to 127.
+
+> [!NOTE]
+> If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[4-127]` |
+| Default Value | 127 |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/MinimumPINLength
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/MinimumPINLength
+```
+
+
+
+
+Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.
+
+- If you configure this policy setting, the PIN length must be greater than or equal to this number.
+
+- If you do not configure this policy setting, the PIN length must be greater than or equal to 4.
+
+> [!NOTE]
+> If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[4-127]` |
+| Default Value | 4 |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/SpecialCharacters
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/SpecialCharacters
+```
+
+
+
+
+Use this policy setting to configure the use of special characters in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ .
+
+A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN.
+
+A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN.
+
+- If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allows the use of special characters in PIN. |
+| 1 | Requires the use of at least one special characters in PIN. |
+| 2 | Does not allow the use of special characters in PIN. |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/UppercaseLetters
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/UppercaseLetters
+```
+
+
+
+
+Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN.
+
+A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN.
+
+- If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allows the use of uppercase letters in PIN. |
+| 1 | Requires the use of at least one uppercase letters in PIN. |
+| 2 | Does not allow the use of uppercase letters in PIN. |
+
+
+
+
+
+
+
+
+
+#### User/{TenantId}/Policies/RequireSecurityDevice
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice
+```
+
+
+
+
+A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices.
+
+- If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business.
+
+- If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+#### User/{TenantId}/Policies/UsePassportForWork
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork
+```
+
+
+
+
+Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards.
+
+- If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users.
+
+- If you disable this policy setting, the device does not provision Windows Hello for Business for any user.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | True |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Disabled. |
+| true (Default) | Enabled. |
+
+
+
+
+
+
+
+
+
+
## Examples
Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM.
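Review bot: the four PIN complexity nodes in this hunk (Digits, LowercaseLetters, SpecialCharacters, UppercaseLetters) describe the unconfigured state two different ways. The prose says "If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN" (and likewise for uppercase and special characters, while digits are required), but every "Allowed values" table lists `0 (Default) | Allows the use of ... in PIN.` together with `Default Value | 0`. An admin reading the table alone will conclude that a fresh device accepts letters and special characters, which the prose contradicts; please reconcile the two (either 0 is a distinct "allowed" value and the default is "not configured", or the tables should describe the not-configured behaviour). Smaller wording points in the same hunk: "Use security key for signin. 0 is disabled. 1 is enable." should read "sign-in" and "1 is enabled"; the all-caps "THIS NODE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE VERSION. PLEASE USE Biometrics/UseBiometrics NODE INSTEAD." duplicates the [!NOTE] above it and should be sentence case or dropped; and "at least one digits" / "one lowercase letters" / "one special characters" / "one uppercase letters" in the value tables should be singular. The TenantId text also points at Get-AzureAccount under a `servicemanagement` link path, that is, the legacy Azure Service Management module; consider naming a current cmdlet (for example Get-AzTenant from Az.Accounts) alongside it.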
@@ -604,3 +2671,10 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol
```
+
+
+
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
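Review bot: this hunk leaves four blank lines between the closing fence of the example and the new `## Related articles` heading; one blank line is enough and matches the other CSP pages. While touching the end of this file, re-check the example introduced by "Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM": this PR marks Device/UseBiometrics as deprecated in favour of Biometrics/UseBiometrics, so the SyncML should target the replacement node, or the sentence should say which node it sets.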
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index 9e511239d2..89dbc41c22 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -1,38 +1,90 @@
---
-title: PassportForWork DDF
-description: View the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+title: PassportForWork DDF file
+description: View the XML file containing the device description framework (DDF) for the PassportForWork configuration service provider.
+author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 02/24/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 07/29/2019
+ms.topic: reference
---
-# PassportForWork DDF
+
-This topic shows the OMA DM device description framework (DDF) for the **PassportForWork** configuration service provider. DDF files are used only with OMA DM provisioning XML.
+# PassportForWork DDF file
-Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md).
-
-The XML below is for Windows 10, version 1903.
+The following XML file contains the device description framework (DDF) for the PassportForWork configuration service provider.
```xml
-]>
+]>
1.2
+
+
+
+ PassportForWork
+ ./User/Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.10586
+ 1.2
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;
+
+
+
+
+
+
+
+
+
+
+
+ This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management.
+
+
+
+
+
+
+
+
+
+ TenantId
+
+
+
+
+ A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell.
+
+
- PassportForWork
- ./User/Vendor/MSFT
+ Policies
+
+
+ Root node for policies.
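Review bot: the rewritten intro drops two facts the old text carried without replacing them: the target OS ("The XML below is for Windows 10, version 1903.") and the pointer to the downloadable files ("Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md)."). Readers open a DDF page to match a CSP version to a build, so either restore the download link (a "Related articles" heading, as the CSP page in this same PR now has, would fit) or state in the intro which OS version the file was generated for, consistent with the version values the XML itself records (`10.0.10586`, `1.2`). Also consider keeping the removed description's statement that DDF files are used only with OMA DM provisioning XML; the new `description:` front matter no longer says what the file is for.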
@@ -40,985 +92,15 @@ The XML below is for Windows 10, version 1903.
-
+
+ Policies
- com.microsoft/1.6/MDM/PassportForWork
+
-
-
-
-
-
-
-
- This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management.
-
-
-
-
-
-
-
-
-
- TenantId
-
-
-
-
-
- Policies
-
-
-
-
-
-
- Root node for policies.
-
-
-
-
-
-
-
-
-
- Policies
-
-
-
-
-
- UsePassportForWork
-
-
-
-
-
-
-
- True
- Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards.
-
-If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users.
-
-If you disable this policy setting, the device does not provision Windows Hello for Business for any user.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RequireSecurityDevice
-
-
-
-
-
-
-
- False
- A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices.
-
-If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business.
-
-If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EnablePinRecovery
-
-
-
-
-
-
-
- False
- If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service.
-
-If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten.
-
-If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- PINComplexity
-
-
-
-
-
-
- Root node for PIN policies
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- MinimumPINLength
-
-
-
-
-
-
-
- 4
- Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.
-
-If you configure this policy setting, the PIN length must be greater than or equal to this number.
-
-If you do not configure this policy setting, the PIN length must be greater than or equal to 4.
-
-NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- MaximumPINLength
-
-
-
-
-
-
-
- 127
- Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater.
-
-If you configure this policy setting, the PIN length must be less than or equal to this number.
-
-If you do not configure this policy setting, the PIN length must be less than or equal to 127.
-
-NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- UppercaseLetters
-
-
-
-
-
-
-
- 0
- Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN.
-
-A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN.
-
-A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN.
-
-If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- LowercaseLetters
-
-
-
-
-
-
-
- 0
- Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN.
-
-A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN.
-
-A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN.
-
-If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SpecialCharacters
-
-
-
-
-
-
-
- 0
- ? @ [ \ ] ^ _ ` { | } ~ .
-
-A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN.
-
-A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN.
-
-If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]>
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Digits
-
-
-
-
-
-
-
- 0
- Use this policy setting to configure the use of digits in the Windows Hello for Business PIN.
-
-A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN.
-
-A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN.
-
-If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- History
-
-
-
-
-
-
-
- 0
- This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Expiration
-
-
-
-
-
-
-
- 0
- This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
-
-
- PassportForWork
- ./Device/Vendor/MSFT
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management.
-
-
-
-
-
-
-
-
-
- TenantId
-
-
-
-
-
- Policies
-
-
-
-
-
-
- Root node for policies.
-
-
-
-
-
-
-
-
-
- Policies
-
-
-
-
-
- UsePassportForWork
-
-
-
-
-
-
-
- True
- Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards.
-
-If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users.
-
-If you disable this policy setting, the device does not provision Windows Hello for Business for any user.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RequireSecurityDevice
-
-
-
-
-
-
-
- False
- A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices.
-
-If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business.
-
-If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExcludeSecurityDevices
-
-
-
-
-
-
- Root node for excluded security devices.
-
-
-
-
-
-
-
-
-
- ExcludeSecurityDevices
-
-
-
-
-
- TPM12
-
-
-
-
-
-
-
- False
- Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG).
-
-If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.
-
-If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- EnablePinRecovery
-
-
-
-
-
-
-
- False
- If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service.
-
-If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten.
-
-If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to.
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- UseCertificateForOnPremAuth
-
-
-
-
-
-
-
- False
- Windows Hello for Business can use certificates to authenticate to on-premise resources.
-
-If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
-
-If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- PINComplexity
-
-
-
-
-
-
- Root node for PIN policies
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- MinimumPINLength
-
-
-
-
-
-
-
- 4
- Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.
-
-If you configure this policy setting, the PIN length must be greater than or equal to this number.
-
-If you do not configure this policy setting, the PIN length must be greater than or equal to 4.
-
-NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- MaximumPINLength
-
-
-
-
-
-
-
- 127
- Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater.
-
-If you configure this policy setting, the PIN length must be less than or equal to this number.
-
-If you do not configure this policy setting, the PIN length must be less than or equal to 127.
-
-NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- UppercaseLetters
-
-
-
-
-
-
-
- 0
- Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN.
-
-A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN.
-
-A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN.
-
-If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- LowercaseLetters
-
-
-
-
-
-
-
- 0
- Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN.
-
-A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN.
-
-A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN.
-
-If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SpecialCharacters
-
-
-
-
-
-
-
- 0
- ? @ [ \ ] ^ _ ` { | } ~ .
-
-A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN.
-
-A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN.
-
-If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]>
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Digits
-
-
-
-
-
-
-
- 0
- Use this policy setting to configure the use of digits in the Windows Hello for Business PIN.
-
-A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN.
-
-A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN.
-
-If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- History
-
-
-
-
-
-
-
- 0
- This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Expiration
-
-
-
-
-
-
-
- 0
- This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Remote
-
-
-
-
-
-
- Root node for phone sign-in policies
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- UseRemotePassport
-
-
-
-
-
-
-
- False
- Boolean that specifies if phone sign-in can be used with a device. Phone sign-in provides the ability for a portable, registered device to be usable as a companion device for desktop authentication.
-
-Default value is false. If you enable this setting, a desktop device will allow a registered, companion device to be used as an authentication factor. If you disable this setting, a companion device cannot be used in desktop authentication scenarios.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- UseHelloCertificatesAsSmartCardCertificates
-
-
-
-
-
-
-
- False
- If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
-
-If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key.
-
-Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
- UseBiometrics
+ UsePassportForWork
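Review bot: every leaf removed in this hunk carried a `text/plain` format line after its description (for example under RequireSecurityDevice, TPM12, EnablePinRecovery and each PINComplexity child), and the one line added here, `+ UsePassportForWork`, opens a node with no such line; confirm that the regenerated DDF still declares a DFType for each leaf, because a leaf without a declared format is a schema defect, not a cosmetic one. The hunk also cuts the old UseBiometrics node in half (its name goes here, its description in the hunk that follows), which makes the rename hard to verify line by line; removing and re-adding whole nodes would read more cleanly.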
@@ -1026,16 +108,12 @@ Windows requires a user to lock and unlock their session after changing this set
- False
- THIS NODE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE VERSION. PLEASE USE Biometrics/UseBiometrics NODE INSTEAD.
+ True
+ Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards.
-Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures.
+If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users.
-If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures.
-
-If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures.
-
-NOTE: Disabling this policy prevents the use of biometric gestures on the device for all account types.
+If you disable this policy setting, the device does not provision Windows Hello for Business for any user.
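Review bot: the blank separator lines between paragraphs are deleted here (`-` lines after the old "If you enable..." and "If you disable..." sentences) but are not re-added, so the three sentences of the new UsePassportForWork description (`+ Windows Hello for Business is an alternative method...`, `+If you enable or do not configure...`, `+If you disable this policy setting...`) will run together as one paragraph. Re-add the empty `+` lines between them so this copy matches the same description further down under `./Device/Vendor/MSFT`, which keeps its blank lines. The default flipping from `False` to `True` is correct, since the node at this position is now UsePassportForWork rather than the deprecated UseBiometrics.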
@@ -1046,17 +124,111 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device
- text/plain
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
- Biometrics
+ RequireSecurityDevice
+
+
+
+
+
+ False
+ A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices.
+
+If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business.
+
+If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+ EnablePinRecovery
+
+
+
+
+
+
+
+ False
+ If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service.
+
+If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten.
+
+If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.15063
+ 1.3
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+ PINComplexity
+
+
+
+
- Root node for biometrics policies
+ Root node for PIN policies
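Review bot: `+ Root node for PIN policies` lacks the terminating period that the other root descriptions in this change carry (`Root node for policies.`, `Root node for excluded security devices.`); add it so the descriptions are consistent. Also worth a line in the PR description: the applicability pair `+ 10.0.15063` / `+ 1.3` appears only under EnablePinRecovery in this hunk while RequireSecurityDevice just above has none, and a reviewer cannot tell from the hunk alone whether that omission is intentional.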
@@ -1064,14 +236,502 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device
-
+
-
+
- UseBiometrics
+ MinimumPINLength
+
+
+
+
+
+
+
+ 4
+ Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.
+
+If you configure this policy setting, the PIN length must be greater than or equal to this number.
+
+If you do not configure this policy setting, the PIN length must be greater than or equal to 4.
+
+NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [4-127]
+
+
+
+
+ MaximumPINLength
+
+
+
+
+
+
+
+ 127
+ Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater.
+
+If you configure this policy setting, the PIN length must be less than or equal to this number.
+
+If you do not configure this policy setting, the PIN length must be less than or equal to 127.
+
+NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [4-127]
+
+
+
+
+ UppercaseLetters
+
+
+
+
+
+
+
+ 0
+ Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN.
+
+A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN.
+
+If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Allows the use of uppercase letters in PIN.
+
+
+ 1
+ Requires the use of at least one uppercase letters in PIN.
+
+
+ 2
+ Does not allow the use of uppercase letters in PIN.
+
+
+
+
+
+ LowercaseLetters
+
+
+
+
+
+
+
+ 0
+ Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN.
+
+A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN.
+
+If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Allows the use of lowercase letters in PIN.
+
+
+ 1
+ Requires the use of at least one lowercase letters in PIN.
+
+
+ 2
+ Does not allow the use of lowercase letters in PIN.
+
+
+
+
+
+ SpecialCharacters
+
+
+
+
+
+
+
+ 0
+ ? @ [ \ ] ^ _ ` { | } ~ .
+
+A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN.
+
+A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN.
+
+If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Allows the use of special characters in PIN.
+
+
+ 1
+ Requires the use of at least one special characters in PIN.
+
+
+ 2
+ Does not allow the use of special characters in PIN.
+
+
+
+
+
+ Digits
+
+
+
+
+
+
+
+ 0
+ Use this policy setting to configure the use of digits in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN.
+
+A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN.
+
+If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Allows the use of digits in PIN.
+
+
+ 1
+ Requires the use of at least one digits in PIN.
+
+
+ 2
+ Does not allow the use of digits in PIN.
+
+
+
+
+
+ History
+
+
+
+
+
+
+
+ 0
+ This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [0-50]
+
+
+
+
+ Expiration
+
+
+
+
+
+
+
+ 0
+ This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [0-730]
+
+
+
+
+
+
+
+
+ PassportForWork
+ ./Device/Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.10586
+ 1.2
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;
+
+
+
+
+
+
+
+
+
+
+
+ This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management.
+
+
+
+
+
+
+
+
+
+ TenantId
+
+
+
+
+ A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell.
+
+
+
+ Policies
+
+
+
+
+
+
+ Root node for policies.
+
+
+
+
+
+
+
+
+
+ Policies
+
+
+
+
+
+ UsePassportForWork
+
+
+
+
+
+
+
+ True
+ Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards.
+
+If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users.
+
+If you disable this policy setting, the device does not provision Windows Hello for Business for any user.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+ RequireSecurityDevice
+
+
+
+
+
+
+
+ False
+ A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices.
+
+If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business.
+
+If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+ ExcludeSecurityDevices
+
+
+
+
+
+
+ Root node for excluded security devices.
+
+
+
+
+
+
+
+
+
+ ExcludeSecurityDevices
+
+
+
+
+ 10.0.15063
+ 1.3
+
+
+
+ TPM12
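Review bot: the SpecialCharacters description is truncated. It opens with `+ ? @ [ \ ] ^ _ \` { | } ~ .`, i.e. the tail of a character list with no introductory sentence, and its last paragraph ends with a stray `]]>`, which reads as the close of a CDATA section whose opening and first lines were lost; restore the full text from the source DDF (or at minimum drop the `]]>`), since the list of which characters count as "special" is the part an administrator needs. Grammar in the allowed-value labels: `+ Requires the use of at least one uppercase letters in PIN.` and the lowercase, special-character and digit variants should use the singular ("at least one uppercase letter"). In the applicability list `+ 0x4;0x1B;...;0x88;0x88*;...`, `0x88` appears twice, once with an asterisk; confirm the starred entry is intentional rather than a duplicate. Finally, the TenantId note names the cmdlet `Get-AzureAccount` and links a blog post; double-check that the cmdlet name still matches what the linked article describes.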
@@ -1080,272 +740,1036 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device
False
- Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures.
+ Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG).
+
+If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.
+
+If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+
+ EnablePinRecovery
+
+
+
+
+
+
+
+ False
+ If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service.
+
+If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten.
+
+If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.15063
+ 1.3
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+ UseCertificateForOnPremAuth
+
+
+
+
+
+
+
+ False
+ Windows Hello for Business can use certificates to authenticate to on-premise resources.
+
+If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
+
+If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+ UseCloudTrustForOnPremAuth
+
+
+
+
+
+
+
+ False
+ Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources.
+
+If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain.
+
+If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22621, 10.0.22000.527, 10.0.19044.1566
+ 1.6
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+ PINComplexity
+
+
+
+
+
+
+ Root node for PIN policies
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MinimumPINLength
+
+
+
+
+
+
+
+ 4
+ Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.
+
+If you configure this policy setting, the PIN length must be greater than or equal to this number.
+
+If you do not configure this policy setting, the PIN length must be greater than or equal to 4.
+
+NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [4-127]
+
+
+
+
+ MaximumPINLength
+
+
+
+
+
+
+
+ 127
+ Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater.
+
+If you configure this policy setting, the PIN length must be less than or equal to this number.
+
+If you do not configure this policy setting, the PIN length must be less than or equal to 127.
+
+NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [4-127]
+
+
+
+
+ UppercaseLetters
+
+
+
+
+
+
+
+ 0
+ Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN.
+
+A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN.
+
+If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Allows the use of uppercase letters in PIN.
+
+
+ 1
+ Requires the use of at least one uppercase letters in PIN.
+
+
+ 2
+ Does not allow the use of uppercase letters in PIN.
+
+
+
+
+
+ LowercaseLetters
+
+
+
+
+
+
+
+ 0
+ Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN.
+
+A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN.
+
+If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Allows the use of lowercase letters in PIN.
+
+
+ 1
+ Requires the use of at least one lowercase letters in PIN.
+
+
+ 2
+ Does not allow the use of lowercase letters in PIN.
+
+
+
+
+
+ SpecialCharacters
+
+
+
+
+
+
+
+ 0
+ ? @ [ \ ] ^ _ ` { | } ~ .
+
+A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN.
+
+A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN.
+
+If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Allows the use of special characters in PIN.
+
+
+ 1
+ Requires the use of at least one special characters in PIN.
+
+
+ 2
+ Does not allow the use of special characters in PIN.
+
+
+
+
+
+ Digits
+
+
+
+
+
+
+
+ 0
+ Use this policy setting to configure the use of digits in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN.
+
+A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN.
+
+If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Allows the use of digits in PIN.
+
+
+ 1
+ Requires the use of at least one digits in PIN.
+
+
+ 2
+ Does not allow the use of digits in PIN.
+
+
+
+
+
+ History
+
+
+
+
+
+
+
+ 0
+ This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [0-50]
+
+
+
+
+ Expiration
+
+
+
+
+
+
+
+ 0
+ This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [0-730]
+
+
+
+
+
+ Remote
+
+
+
+
+
+
+ Root node for phone sign-in policies
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ UseRemotePassport
+
+
+
+
+
+
+
+ False
+ Boolean that specifies if phone sign-in can be used with a device. Phone sign-in provides the ability for a portable, registered device to be usable as a companion device for desktop authentication.
+
+Default value is false. If you enable this setting, a desktop device will allow a registered, companion device to be used as an authentication factor. If you disable this setting, a companion device cannot be used in desktop authentication scenarios.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+
+ UseHelloCertificatesAsSmartCardCertificates
+
+
+
+
+
+
+
+ False
+ If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
+
+If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key.
+
+Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17763
+ 1.6
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+
+
+ UseBiometrics
+
+
+
+
+
+
+
+ False
+ THIS NODE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE VERSION. PLEASE USE Biometrics/UseBiometrics NODE INSTEAD.
+
+Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures.
If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures.
If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures.
NOTE: Disabling this policy prevents the use of biometric gestures on the device for all account types.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- FacialFeaturesUseEnhancedAntiSpoofing
-
-
-
-
-
-
-
- False
- This setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+
+ Biometrics
+
+
+
+
+ Root node for biometrics policies
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ UseBiometrics
+
+
+
+
+
+
+
+ False
+ Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures.
+
+If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures.
+
+If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures.
+
+NOTE: Disabling this policy prevents the use of biometric gestures on the device for all account types.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+ FacialFeaturesUseEnhancedAntiSpoofing
+
+
+
+
+
+
+
+ False
+ This setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.
If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing.
If you disable or do not configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
-
-
-
- DeviceUnlock
-
-
-
-
- Device Unlock
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- GroupA
-
-
-
-
-
-
-
- Contains a list of providers by GUID that are to be considered for the first step of authentication
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- GroupB
-
-
-
-
-
-
-
- Contains a list of providers by GUID that are to be considered for the second step of authentication
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Plugins
-
-
-
-
-
-
-
- List of plugins that the passive provider monitors to detect user presence
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- DynamicLock
-
-
-
-
- Dynamic Lock
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- DynamicLock
-
-
-
-
-
-
-
- False
- Enables/Disables Dyanamic Lock
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Plugins
-
-
-
-
-
-
-
- List of plugins that the passive provider monitors to detect user absence
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- SecurityKey
-
-
-
-
- Security Key
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- UseSecurityKeyForSignin
-
-
-
-
-
-
-
- 0
- Use security key for signin. 0 is disabled. 1 is enable. If you do not configure this policy setting, the default is disabled.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+ EnableESSwithSupportedPeripherals
+
+
+
+
+
+
+
+ 1
+ Enhanced Sign-in Security (ESS) isolates both biometric template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. Because the channel of communication between the sensors and the algorithm is also secured, it is impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22621
+ 1.3
+
+
+
+ 0
+ Enhanced sign-in security will be disabled on all systems. If a user already has a secure Windows Hello enrollment, they will lose their enrollment and must reset PIN, and they will have the option to re-enroll in normal face and fingerprint. Peripheral usage will be enabled by disabling Enhanced sign-in security. OS will not attempt to start secure components, even if the secure hardware and software components are present. (not recommended)
+
+
+ 1
+ Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. For systems with one secure modality (face or fingerprint) and one insecure modality (fingerprint or face), only the secure sensor can be used for sign-in and the insecure sensor(s) will be blocked. This includes peripheral devices, which are unsupported and will be unusable. (default and recommended for highest security)
+
+
+
+ LastWrite
+
+
+
+
+ DeviceUnlock
+
+
+
+
+ Device Unlock
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17134
+ 1.4
+
+
+
+ GroupA
+
+
+
+
+
+
+
+ Contains a list of providers by GUID that are to be considered for the first step of authentication
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}
+
+
+
+
+ GroupB
+
+
+
+
+
+
+
+ Contains a list of providers by GUID that are to be considered for the second step of authentication
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}
+
+
+
+
+ Plugins
+
+
+
+
+
+
+
+ List of plugins that the passive provider monitors to detect user presence
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DynamicLock
+
+
+
+
+ Dynamic Lock
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17134
+ 1.4
+
+
+
+ DynamicLock
+
+
+
+
+
+
+
+ False
+ Enables/Disables Dyanamic Lock
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
+
+ Plugins
+
+
+
+
+
+
+
+ List of plugins that the passive provider monitors to detect user absence
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SecurityKey
+
+
+
+
+ Security Key
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.18362
+ 1.6
+
+
+
+ UseSecurityKeyForSignin
+
+
+
+
+
+
+
+ 0
+ Use security key for signin. 0 is disabled. 1 is enable. If you do not configure this policy setting, the default is disabled.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ disabled
+
+
+ 1
+ enabled
+
+
+
+
+
+
```
+
+## Related articles
+
+[PassportForWork configuration service provider reference](passportforwork-csp.md)
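Review bot: the re-emitted DDF carries forward two wording defects in its added lines, the DynamicLock description "Enables/Disables Dyanamic Lock" and the UseSecurityKeyForSignin description "0 is disabled. 1 is enable."; since this hunk rewrites both nodes anyway, correct them to "Dynamic Lock" and "1 is enabled". The EnableESSwithSupportedPeripherals description also states it is "impossible for malware to inject or replay data"; a feature description should not promise an absolute guarantee, so prefer "is designed to prevent malware from injecting or replaying data". Finally, the value 0 text notes that users "will lose their enrollment and must reset PIN", a destructive side effect that belongs in the node-level description as well, not only in the allowed-value text.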
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index f3fbe801f4..0be1069b2d 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -17,17 +17,6 @@ ms.topic: reference
# SUPL CSP
-The SUPL configuration service provider is used to configure the location client, as shown in the following:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
The SUPL configuration service provider is used to configure the location client, as shown in the following table:
- **Location Service**: Connection type
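Review bot: this hunk deletes the edition applicability table (Home, Pro, Windows SE, Business, Enterprise, Education for Windows 10 and 11) with no in-hunk replacement; if the per-node "| Scope | Editions | Applicable OS |" tables seen later in this patch now carry that information, say so in the commit message. The kept sentence "as shown in the following table:" is now immediately followed by a bullet list ("- **Location Service**: Connection type"), so reword it to "as shown in the following list:".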
@@ -63,7 +52,7 @@ The following example shows the SUPL configuration service provider in tree form
------------ HighAccPositioningMethod
------------ LocMasterSwitchDependencyNII
------------ MCCMNCPairs
------------- NIDefaultTimeout
+------------ NIDefaultTimeout
------------ RootCertificate
--------------- Data
--------------- Name
@@ -84,11 +73,11 @@ The following example shows the SUPL configuration service provider in tree form
--------------- Name
------------ ServerAccessInterval
------------ Version
---- V2UPL1
+--- V2UPL1
------ ApplicationTypeIndicator_MR
------ LocMasterSwitchDependencyNII
------ MPC
------- NIDefaultTimeout
+------ NIDefaultTimeout
------ PDE
------ PositioningMethod_MR
------ ServerAccessInterval
@@ -502,7 +491,7 @@ For OMA DM, if the format for this node is incorrect then an entry will be ignor
-##### SUPL1/Ext/Microsoft/NIDefaultTimeout
+##### SUPL1/Ext/Microsoft/NIDefaultTimeout
| Scope | Editions | Applicable OS |
@@ -512,7 +501,7 @@ For OMA DM, if the format for this node is incorrect then an entry will be ignor
```Device
-./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/NIDefaultTimeout
+./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/NIDefaultTimeout
```
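Review bot: the + line only trims trailing whitespace and leaves the doubled slash in "./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/NIDefaultTimeout"; the OMA-URI should read "./Vendor/MSFT/SUPL/SUPL1/Ext/Microsoft/NIDefaultTimeout", since an administrator copying this path verbatim into an MDM profile would target a node that does not exist and the setting would silently fail to apply.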
@@ -1325,7 +1314,7 @@ Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0
-## V2UPL1
+## V2UPL1
| Scope | Editions | Applicable OS |
@@ -1335,7 +1324,7 @@ Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0
```Device
-./Vendor/MSFT//SUPL/V2UPL1
+./Vendor/MSFT//SUPL/V2UPL1
```
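Review bot: same defect as the SUPL1 path above, the + line keeps "./Vendor/MSFT//SUPL/V2UPL1" with a doubled slash after MSFT; correct it to "./Vendor/MSFT/SUPL/V2UPL1" while this line is being touched.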
@@ -1491,7 +1480,7 @@ Optional. The address of the mobile positioning center (MPC), in the format ipAd
-### V2UPL1 /NIDefaultTimeout
+### V2UPL1 /NIDefaultTimeout
| Scope | Editions | Applicable OS |
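Review bot: the heading "### V2UPL1 /NIDefaultTimeout" retains the stray space before the slash; the node is "V2UPL1/NIDefaultTimeout" (see "------ NIDefaultTimeout" under "--- V2UPL1" in the tree earlier in this patch), so drop the space, which also changes the generated anchor that other pages may link to.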
@@ -1501,7 +1490,7 @@ Optional. The address of the mobile positioning center (MPC), in the format ipAd
```Device
-./Vendor/MSFT//SUPL/V2UPL1 /NIDefaultTimeout
+./Vendor/MSFT//SUPL/V2UPL1 /NIDefaultTimeout
```
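Review bot: the path "./Vendor/MSFT//SUPL/V2UPL1 /NIDefaultTimeout" carries both the doubled slash and the space before "/NIDefaultTimeout"; the whitespace trim should go all the way and emit "./Vendor/MSFT/SUPL/V2UPL1/NIDefaultTimeout", matching the tree listing in the earlier hunk.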
@@ -1664,21 +1653,15 @@ Optional. Integer. Defines the minimum interval of time in seconds between mobil
## Unsupported Nodes
-The following optional nodes aren't supported on Windows devices.
+The following optional nodes aren't supported on Windows devices.
-- ProviderID
-
-- Name
-
-- PrefConRef
-
-- ToConRef
-
-- ToConRef/<X>
-
-- ToConRef/<X>/ConRef
-
-- AddrType
+- ProviderID
+- Name
+- PrefConRef
+- ToConRef
+- ToConRef/<X>
+- ToConRef/<X>/ConRef
+- AddrType
If the configuration application tries to set, delete or query these nodes, a response indicating this node isn't implemented will be returned over OMA DM. In OMA Client Provisioning, the request to set this node will be ignored and the configuration service provider will continue processing the rest of the nodes.
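Review bot: the tightened list still leaves "ToConRef/<X>" and "ToConRef/<X>/ConRef" unescaped; in markdown "<X>" can be parsed as an HTML tag and dropped from the rendered page, so wrap these two items in backticks or escape them as "ToConRef/\<X>" so the placeholder survives rendering.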
@@ -1820,7 +1803,7 @@ The following table shows the Microsoft custom elements that this configuration
|Elements|Available|
|--- |--- |
|parm-query|Yes|
-|characteristic-query|Yes
Recursive query: No
Top level query: No
+|characteristic-query|Yes
Recursive query: No
Top level query: No|
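Review bot: adding the closing "|" terminates the row, but the cell still spans three source lines ("Yes", "Recursive query: No", "Top level query: No"), which markdown tables do not support; collapse it onto one line with line-break tags, e.g. "|characteristic-query|Yes<br>Recursive query: No<br>Top level query: No|", so the whole cell renders inside the table.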