Thankfully, Windows 10 includes the PIN complexity feature, which allows you to set up a complex PIN with special characters and uppercase/lowercase letters. The PIN is not limited to four digits and can be as complex as a text-based Windows password. In this tutorial, we will show you how to change/enable the PIN complexity requirements policy in Windows 10.

Many Windows 10 users have adopted the Windows PIN as their only local authentication method. Despite all its advantages, there are a few disadvantages to using the Hello PIN to log into your account. One of the biggest complaints from users is the inability to create a more complex PIN to make the account even more secure. Fortunately, there are some methods you can use to change the complexity requirements of your PIN to meet your settings on Windows 10. There are several options that you can configure in the Group Policy Editor to manage your PIN requirements. Read on to learn more about how you can do this.

Azure Government is experiencing a known issue with PIN reset on devices connected to Azure AD. When the user tries to start the PIN reset, the PIN reset UI displays an error page that says "We cannot open this page at this time." The ConfigureWebSignInAllowedUrls policy can be used to work around this problem.
If this issue occurs and you are using Azure US Government Cloud, set login.microsoftonline.us as the value for the ConfigureWebSignInAllowedUrls policy.

However, it would be nice if they explained this and told you to delete and recreate the PIN to avoid the old requirements. Now create a new PIN for your device with the default requirements.

When creating a new PIN, think about how and where you use your computer or device. If it's a desktop computer that you use at home or in your own isolated office, you can probably get by with a simpler PIN. If it's a laptop you use on the go or a work computer that other people can access, you'll probably want a longer, stronger PIN.

Go to Computer Configuration | Administrative Templates | System | PIN Complexity, where you can define requirements for PINs that your users can create (Figure G).

You might have added your work account to your Windows 10 home computer so you can access work resources from home. And your organization may have imposed a strict PIN complexity requirement such as "Must have at least 20 digits that must not appear anywhere in the decimal expansion of π." But now you've removed that work account from the PC (for example, because you've switched to another PC as your primary computer for working from home), but the system won't allow you to go back to a four-digit PIN.
If you try to change the PIN, you'll be notified that it doesn't meet the PIN requirements of the work account you've already deleted. For some reason, PIN complexity requirements are stored with the PIN, so a PIN change must always comply with the complexity requirements. However, if you delete it and create a new PIN, the new, weaker requirements will be used.

However, the Group Policy Editor in Windows 10 allows you to change the requirements a PIN must meet.

If you remove the PIN, you will receive a stern warning that your fingerprint and other credentials will be invalidated. And that's my guess as to why the PIN complexity requirements are still applied: because the complex PIN is used to protect certain resources, and moving to a weaker PIN would put those resources at risk. Instead, you need to delete the PIN (completely losing access to these resources) and then create a new PIN (which does not have access to these sensitive resources).

Unless your organization has changed the settings, the default requirements for a Windows Hello PIN are as follows (Figure C):

Key trust on Azure AD hybrid devices does not support destructive PIN reset from the lock screen. This is because of the synchronization delay between when a user provisions Windows Hello for Business credentials and when they can be used to sign in. For this deployment model, you must deploy non-destructive PIN reset for PIN reset from above the lock screen to work.
This option specifies the minimum character length that users are allowed to use when setting their PIN. Setting this to a number greater than 4 increases the security of the PIN by making it more complex.

Using Group Policy, Microsoft Intune, or a compatible MDM solution, you can configure Windows devices to safely use the Microsoft PIN Reset Service, which allows users to reset their forgotten PIN without needing to re-enroll.

Those of you who create a PIN to secure your password in Windows probably rely on a 4-digit number by default, but did you know that you can create a longer, more complex PIN? You can create a PIN with 6, 8, 10, 12 digits or more. You can also create a PIN with letters and special characters, as well as numbers. The trick is to create a PIN that is as strong and secure as possible, but simple enough to remember and enter every time. And if you're an IT administrator, you can control the PINs created by your users through Group Policy.

You can set your PIN when you set up and customize Windows for the first time, but let's say you already have a PIN and want to change it to something more complex.
To do this in Windows 10, go to Settings and then Accounts. Select the Sign-in options entry. In the Windows Hello PIN section, click the Change button (Figure A).

PIN enrollment was first introduced in Windows 8, allowing users to sign in with a four-digit number. Such a PIN is short and simple and could easily be compromised by hackers.

If you select this option, you can specify the maximum number of characters that a user can use in a PIN. However, the value must be between 4 and 127, as allowed by Windows.

Try explicitly disabling the WHFB policy if you do not want to enable it.
You may need to "enable" it temporarily so that you can change the "special characters in the PIN" setting to "Unauthorized" or whatever else you want to set before saving the policy.

Set the number of invalid logon attempts allowed, and then click OK.

Using these options individually in the Group Policy Editor may not be as effective as using them in combination. For example, if a PIN were to contain both uppercase and lowercase letters, as well as special characters and numeric characters, the PIN would be very difficult to work out through social engineering.

You need to remove the PIN completely and then add it again.

An online password is transmitted to the server – it can be intercepted during transmission or stolen from a server. A PIN is local to the device – it is not transmitted anywhere and is not stored on the server. When the PIN is created, it establishes a trust relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, the authentication key is unlocked and the key is used to sign the request sent to the authentication server. Note, however, that even though local passwords are also local to the device, they are still less secure than a PIN, as described in the next section.

Below are two methods you can use to do this. If you have Windows 10 Home, method 1 is not applicable, so please start directly with method 2.
Before you can reset PINs remotely, your devices must be configured to enable PIN recovery. Follow the instructions below to configure your devices with Microsoft Intune, Group Policy objects (GPOs), or configuration service providers (CSPs).