
Windows Hello for Business - can setting a PIN be optional?

Karthick Sekar 0 Reputation points
2026-05-03T01:18:24.93+00:00

In our environment we are setting up Windows Hello for Business - Biometric and PIN. Though we have set Windows Hello for Business tenant-wide, is there any option to make the PIN optional, so that users can set up biometrics but skip setting a PIN? Also, I noticed that I set PIN history to 2, but it's not working. Suggestions are welcome.


3 answers

  1. Masoud Akbarzadeh 80 Reputation points
    2026-05-04T18:18:30.6066667+00:00

    In Windows Hello for Business, the PIN is a mandatory component of the authentication model and cannot be made optional. Even when biometrics (fingerprint/face recognition) are enabled tenant-wide, the PIN is required as a fallback credential and security anchor.

    Therefore, users cannot use biometrics without first provisioning a PIN.

    Regarding PIN history, this setting may not behave as expected if:

    • The policy is not applied via the correct Intune / Group Policy scope
    • There is a delay in policy refresh / device sync
    • Conflicting policies exist between Intune and on-prem GPO (if hybrid joined)

    Ensure the policy is correctly targeted and verified via gpresult or Intune device configuration status.

    In summary, PIN cannot be skipped in Windows Hello for Business by design, and biometric-only authentication is not supported.


  2. Quinnie Quoc 10,240 Reputation points Independent Advisor
    2026-05-04T10:15:09.9933333+00:00

    Hi Karthick Sekar,

    Windows Hello for Business is designed in such a way that the PIN is always the primary credential, and biometrics (fingerprint, facial recognition) work only as a secondary unlock mechanism. This means the PIN cannot be made optional: it is mandatory because biometrics are technically tied to the PIN as a fallback. Microsoft's documentation confirms that there is no supported configuration where the user can choose biometrics without a PIN.

    Regarding PIN history, there is a known limitation: PIN policies are enforced only if they are deployed via MDM/Intune or Group Policy and the client is correctly registered in Azure AD. If you have set PIN history to 2 and it does not work, this is typically because the policy is not being applied to the device, or because the user has cached credentials that are not being updated. You can check this in Event Viewer under Applications and Services Logs → Microsoft → Windows → User Device Registration to see whether the policy is actually being retrieved.

    In short: the PIN cannot be made optional, and for PIN history to work, the policy must be delivered through a supported channel and verified on the client.

    If my answer is helpful to you, please click Accept Answer to support me.

    Thanks,

    QQ


  3. Q&A Assist
    2026-05-03T01:18:36.3366667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Windows Hello for Business always requires a PIN; it cannot be made optional if biometrics are enabled.

    Biometrics (face, fingerprint, iris) in Windows Hello for Business are only an alternative gesture to unlock the same underlying credential. A PIN is always required as the fallback gesture in case biometric authentication fails. This is explicitly stated in multiple places:

    • "Enables biometric authentication, such as facial recognition or fingerprint, as an alternative to a PIN for Windows Hello for Business. Users must still configure a work PIN in case biometric authentication fails."
    • "Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However users must still configure a PIN to use in case of failures."

    Therefore, configuring Windows Hello for Business tenant-wide with biometrics implies that users must set a PIN; there is no supported configuration where users can enroll biometrics but skip PIN creation.

    Regarding PIN history not working as expected:

    • PIN history is enforced as part of the Windows Hello for Business PIN policy (for example, "Remember PIN history" where by default the last 5 PINs cannot be reused).
    • Policy precedence and interaction with other policies can affect behavior. Windows enforces the strictest policy across:
      • User/Computer GPO
      • PassportForWork CSP (user/device)
      • DeviceLock CSP (EAS password policies)
    • If both DeviceLock (password) and PassportForWork (PIN) policies are configured, Windows applies the strictest effective settings. Also, if multiple policy sources are configured (GPO and Intune/CSP), user policies take precedence over computer policies.

    To troubleshoot PIN history not applying:

    1. Verify that the Windows Hello for Business PIN policy (including "Remember PIN history") is configured only once per scope where possible (for example, avoid conflicting GPO and Intune policies).
    2. Check policy precedence:
      • Ensure the intended policy is applied at the highest-precedence level (for example, user GPO or user PassportForWork CSP) as described in the policy precedence list.
    3. Confirm that the device has received and applied the updated policy (for Intune-managed devices, sync from Company Portal or Intune; for GPO, run a policy update and reboot if needed).
    4. Ensure no DeviceLock CSP password policy is unintentionally overriding or interacting in a way that changes effective requirements.

    If PIN history still appears not to work after confirming the above, validate on a freshly provisioned device or test account to rule out cached or legacy configurations.
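
An added example, not part of any answer above and not Microsoft's own code: a PowerShell check that lists every place a PIN or password history value is configured on a device (computer GPO, PassportForWork CSP, DeviceLock CSP), so the conflicting-policy cases raised in the answers can be seen directly. The function name `Get-PinHistorySource` is hypothetical, and the registry locations are assumptions to confirm on your Windows build.

```powershell
# Added example: report every location that sets a PIN/password history value.
# Registry paths are assumptions to confirm on your Windows build.
function Get-PinHistorySource {
    $roots = [ordered]@{
        'GPO (computer)'      = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
        'PassportForWork CSP' = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    }
    foreach ($source in $roots.Keys) {
        $root = $roots[$source]
        if (-not (Test-Path -Path $root)) { continue }
        # PIN rules sit in a PINComplexity subkey; CSP copies are nested per tenant
        # and per device/user scope, so search the whole subtree.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -eq 'PINComplexity' } |
            ForEach-Object {
                $value = $_.GetValue('History', $null)
                if ($null -ne $value) {
                    [pscustomobject]@{ Source = $source; Key = $_.Name; History = [int]$value }
                }
            }
    }
    # DeviceLock CSP (EAS password policy) is evaluated together with the PIN policy.
    $deviceLock = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock'
    if (Test-Path -Path $deviceLock) {
        $value = (Get-Item -Path $deviceLock).GetValue('DevicePasswordHistory', $null)
        if ($null -ne $value) {
            [pscustomobject]@{ Source = 'DeviceLock CSP'; Key = $deviceLock; History = [int]$value }
        }
    }
}

$sources = @(Get-PinHistorySource)
if ($sources.Count -eq 0) {
    Write-Warning 'No PIN history value is visible in the checked policy locations.'
} else {
    $sources | Format-Table -AutoSize -Wrap
    $distinct = @($sources.History | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "Conflicting history values ($($distinct -join ', ')) come from different sources."
    }
}
```

An empty result points to a targeting or sync problem; more than one row with different values points to the GPO/CSP overlap the answers describe.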

