From 94f78453bad7c797d943b33a581704c78187a2c4 Mon Sep 17 00:00:00 2001 From: Michael Epping Date: Fri, 20 Jun 2025 10:33:25 -0700 Subject: [PATCH 1/3] Update faq.yml w/ convenience PIN details Providing more clarity on how convenience PINs do and do not work with Entra after receiving feedback from a confused customer. --- windows/security/identity-protection/hello-for-business/faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml index 3a5d20bea8..fdfbfa22b6 100644 --- a/windows/security/identity-protection/hello-for-business/faq.yml +++ b/windows/security/identity-protection/hello-for-business/faq.yml @@ -177,7 +177,7 @@ sections: *Convenience PIN* provides a simpler way to sign in to Windows than passwords, but it still uses a password for authentication. When the correct convenience PIN is provided to Windows, the password information is loaded from its cache and authenticates the user. Organizations using convenience PINs should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs. - question: Can I use a convenience PIN with Microsoft Entra ID? answer: | - No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users. + No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for authenticating Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for authenticating users to on-premises Active Directory users and local account users. Organizations that want to authenticate to Microsoft Entra should deploy Windows Hello for Business, which provides users with an Entra credential that can be used to authenticate to Entra-protected resources. Organizations that do not use Windows Hello for Business can choose to deploy convenience PINs on their workstations, including Entra Joined or Entra Hybrid Joined workstations, but convience PIN will not be able to provide authentication or SSO to Entra. - question: What about virtual smart cards? answer: | Windows Hello for Business is the modern, two-factor authentication for Windows. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. From ae820cfcf02968c4b379e804b1e26851b4873c94 Mon Sep 17 00:00:00 2001 From: Michael Epping Date: Fri, 20 Jun 2025 10:36:47 -0700 Subject: [PATCH 2/3] Update faq.yml --- windows/security/identity-protection/hello-for-business/faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml index fdfbfa22b6..8e5bac9241 100644 --- a/windows/security/identity-protection/hello-for-business/faq.yml +++ b/windows/security/identity-protection/hello-for-business/faq.yml @@ -177,7 +177,7 @@ sections: *Convenience PIN* provides a simpler way to sign in to Windows than passwords, but it still uses a password for authentication. When the correct convenience PIN is provided to Windows, the password information is loaded from its cache and authenticates the user. Organizations using convenience PINs should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs. - question: Can I use a convenience PIN with Microsoft Entra ID? answer: | - No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for authenticating Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for authenticating users to on-premises Active Directory users and local account users. Organizations that want to authenticate to Microsoft Entra should deploy Windows Hello for Business, which provides users with an Entra credential that can be used to authenticate to Entra-protected resources. Organizations that do not use Windows Hello for Business can choose to deploy convenience PINs on their workstations, including Entra Joined or Entra Hybrid Joined workstations, but convience PIN will not be able to provide authentication or SSO to Entra. + No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for authenticating Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for authenticating users to on-premises Active Directory and local account users. Organizations that want to authenticate to Microsoft Entra should deploy Windows Hello for Business, which provides users with an Entra credential that can be used to access Entra-protected resources. Organizations that do not use Windows Hello for Business can choose to deploy convenience PINs on their workstations, including Entra Joined or Entra Hybrid Joined workstations used by on-premises or synchronized user accounts, but convience PIN will not be able to provide authentication or SSO to Entra. The convenience PIN may still be used for logging into the user's PC or for storing other credentials used by the organization, such as certificates or passkeys. - question: What about virtual smart cards? answer: | Windows Hello for Business is the modern, two-factor authentication for Windows. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. From 672c44e3d2e591db29681cb53764d284fc59f199 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Mon, 23 Jun 2025 22:20:06 +0530 Subject: [PATCH 3/3] typo fix --- windows/security/identity-protection/hello-for-business/faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml index 8e5bac9241..a699721541 100644 --- a/windows/security/identity-protection/hello-for-business/faq.yml +++ b/windows/security/identity-protection/hello-for-business/faq.yml @@ -177,7 +177,7 @@ sections: *Convenience PIN* provides a simpler way to sign in to Windows than passwords, but it still uses a password for authentication. When the correct convenience PIN is provided to Windows, the password information is loaded from its cache and authenticates the user. Organizations using convenience PINs should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs. - question: Can I use a convenience PIN with Microsoft Entra ID? answer: | - No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for authenticating Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for authenticating users to on-premises Active Directory and local account users. Organizations that want to authenticate to Microsoft Entra should deploy Windows Hello for Business, which provides users with an Entra credential that can be used to access Entra-protected resources. Organizations that do not use Windows Hello for Business can choose to deploy convenience PINs on their workstations, including Entra Joined or Entra Hybrid Joined workstations used by on-premises or synchronized user accounts, but convience PIN will not be able to provide authentication or SSO to Entra. The convenience PIN may still be used for logging into the user's PC or for storing other credentials used by the organization, such as certificates or passkeys. + No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for authenticating Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for authenticating users to on-premises Active Directory and local account users. Organizations that want to authenticate to Microsoft Entra should deploy Windows Hello for Business, which provides users with an Entra credential that can be used to access Entra-protected resources. Organizations that do not use Windows Hello for Business can choose to deploy convenience PINs on their workstations, including Entra Joined or Entra Hybrid Joined workstations used by on-premises or synchronized user accounts, but convenience PIN will not be able to provide authentication or SSO to Entra. The convenience PIN may still be used for logging into the user's PC or for storing other credentials used by the organization, such as certificates or passkeys. - question: What about virtual smart cards? answer: | Windows Hello for Business is the modern, two-factor authentication for Windows. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business.