Create a Windows Hello for Business Policy

Windows Hello for Business provides secure, password-less authentication for Windows devices by leveraging biometric factors and PIN-based protections tied to the device. This policy standardizes how Windows Hello for Business is configured and enforced across your organization, improving security posture, reducing credential theft risk, and delivering a consistent sign-in experience for users.

Prerequisites

Note:

You are not required to link a personal Microsoft account to your laptop or connect a Microsoft tenant to the JumpCloud instance.

Creating the Policy

To create the policy:

  1. Log in to the JumpCloud Admin Portal.

Important:

If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.

  2. Go to Device Management > Policy Management.
  3. In the All tab, click (+).
  4. On the Add Policy panel, select the Windows tab.
  5. Search for and select the Windows Hello for Business policy from the list, then click Configure.
  6. (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
  7. (Optional) In the Policy Notes field, enter details such as the policy's creation date and information on its testing and deployment.

Configuring the Policy Settings

In the Settings section, enter the relevant details:

General Settings

  • Tenant ID – Enter your Microsoft Entra (Azure AD) Directory ID to link the device to your organization. This is a mandatory field.
  • Require Security Device (TPM) – Select to ensure Windows Hello for Business only provisions on devices with a functional Trusted Platform Module (TPM).
  • Disallow TPM 1.2 Modules – Select to block older, less secure TPM 1.2 chips and require TPM 2.0 for certificate storage.
  • Enable PIN Recovery – Select to allow users to reset a forgotten PIN using the Windows Hello recovery service without losing access.
  • Enable Provisioning for FIDO2 Security Keys – Select to allow users to set up and use FIDO2-compliant physical keys as a sign-in method.
  • Disable Post-Logon Provisioning – Select to stop the Windows Hello setup prompt from appearing immediately after a user signs in.
  • Use Certificate For On-Premise Authentication – Select to use certificates for local authentication when connecting to on-premises resources.
  • Use Cloud Trust For On-Premise Authentication – Select to use Microsoft Entra ID (Azure AD) Kerberos for a simpler, "cloud-only" path to on-premises resources.

PIN Complexity

  • Minimum PIN Length – Enter the lowest number of characters allowed (minimum 4).
  • Maximum PIN Length – Enter the highest number of characters allowed (maximum 127).
  • Uppercase Letters in PIN – Select a value from the dropdown menu to allow or disallow at least one capital letter (A–Z).
  • Lowercase Letters in PIN – Select a value from the dropdown menu to allow or disallow at least one lowercase letter (a–z).
  • Special Characters in PIN – Select a value from the dropdown menu to allow or disallow symbols (for example, !, #, $).
  • Digits in PIN – Select a value from the dropdown menu to allow or disallow the use of numbers (0–9).
  • PIN History – Enter the number of previous PINs to remember so that users cannot reuse them.
  • PIN Expiration (Days) – Enter how often users must change their PIN (1–730 days).
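
The following is an added worked example, not JumpCloud's or Microsoft's code, showing how the PIN Complexity settings above combine when a candidate PIN is checked: length bounds, per-character-class rules, PIN history, and expiration. The field names, the use of SHA-256 to stand in for however previous PINs are recorded, the treatment of 0 expiration days as "never", and Python's punctuation set as the definition of "symbols" are all assumptions made for illustration. It also models a "required" value for each character class, which goes beyond the allow/disallow choice described in the list above.

```python
"""Added example: evaluate a candidate PIN against a Windows Hello for Business
style PIN-complexity policy. Not JumpCloud's code; names are illustrative."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Iterable, List
import hashlib
import string


class Rule(Enum):
    """Per-character-class setting. The policy page offers allow/disallow;
    REQUIRED (at least one character of the class) is an extension here."""
    ALLOWED = "allowed"
    REQUIRED = "required"
    DISALLOWED = "disallowed"


# Assumed definitions of the four character classes named in the policy.
CLASSES = {
    "uppercase": set(string.ascii_uppercase),   # A-Z
    "lowercase": set(string.ascii_lowercase),   # a-z
    "digits": set(string.digits),               # 0-9
    "special": set(string.punctuation),         # symbols such as ! # $ (assumed set)
}


@dataclass(frozen=True)
class PinPolicy:
    minimum_length: int = 6
    maximum_length: int = 127
    uppercase: Rule = Rule.DISALLOWED
    lowercase: Rule = Rule.DISALLOWED
    special: Rule = Rule.DISALLOWED
    digits: Rule = Rule.ALLOWED
    history: int = 0          # number of previous PINs that may not be reused
    expiration_days: int = 0  # assumption: 0 means the PIN never expires

    def __post_init__(self) -> None:
        # Range limits quoted from the policy description (4..127, 1..730).
        if not 4 <= self.minimum_length <= self.maximum_length <= 127:
            raise ValueError("PIN length bounds must satisfy 4 <= min <= max <= 127")
        if not 0 <= self.expiration_days <= 730:
            raise ValueError("PIN expiration must be 0 (never) or 1-730 days")


def pin_hash(pin: str) -> str:
    """Illustrative stand-in for the history record: a plain SHA-256 of the PIN.
    This is only so the example can compare against prior PINs without keeping
    them in clear text; it is not a description of how Windows stores them."""
    return hashlib.sha256(pin.encode("utf-8")).hexdigest()


def validate_pin(pin: str, policy: PinPolicy, previous_hashes: Iterable[str] = ()) -> List[str]:
    """Return a list of policy violations for `pin`; an empty list means it is acceptable.
    `previous_hashes` is ordered oldest first, newest last (assumption)."""
    problems: List[str] = []
    if len(pin) < policy.minimum_length:
        problems.append(f"shorter than minimum length {policy.minimum_length}")
    if len(pin) > policy.maximum_length:
        problems.append(f"longer than maximum length {policy.maximum_length}")

    # Characters outside every defined class (e.g. whitespace) are never acceptable.
    unknown = set(pin) - set().union(*CLASSES.values())
    if unknown:
        problems.append(f"contains characters outside every class: {sorted(unknown)}")

    # Apply the per-class allow / require / disallow rule.
    for name, chars in CLASSES.items():
        rule: Rule = getattr(policy, name)
        present = any(c in chars for c in pin)
        if rule is Rule.DISALLOWED and present:
            problems.append(f"{name} characters are not allowed")
        elif rule is Rule.REQUIRED and not present:
            problems.append(f"at least one {name} character is required")

    # PIN History: only the most recent `history` entries are checked.
    recent = list(previous_hashes)[-policy.history:] if policy.history > 0 else []
    if pin_hash(pin) in recent:
        problems.append(f"matches one of the last {policy.history} PINs")
    return problems


def pin_expired(last_changed: date, policy: PinPolicy, today: date) -> bool:
    """True once at least `expiration_days` have elapsed since the last change."""
    if policy.expiration_days == 0:
        return False
    return today - last_changed >= timedelta(days=policy.expiration_days)


if __name__ == "__main__":
    # Constructed sample: numeric-only PINs, at least 6 digits, remember 3, rotate every 180 days.
    policy = PinPolicy(minimum_length=6, history=3, expiration_days=180)
    history = [pin_hash(p) for p in ("111111", "222222", "333333")]  # constructed
    for candidate in ("123456", "12ab", "333333", "48219375"):
        print(candidate, validate_pin(candidate, policy, history) or "OK")
    print("expired:", pin_expired(date(2024, 1, 1), policy, date(2024, 7, 1)))
```

Running the block prints one line per candidate: the first and last pass, "12ab" is rejected both for length and for containing lowercase letters, and "333333" is rejected as a recently used PIN. The history check deliberately slices only the last `history` entries, so an older PIN beyond that window becomes reusable, which is exactly the behaviour the PIN History setting controls.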

Biometrics & Security

  • Enable Phone Sign-in (Remote Passport) – Select to allow a paired smartphone to act as a companion device for desktop authentication.
  • Use Windows Hello for Business Certificates as Smart Card Certificates – Select to treat Windows Hello credentials as virtual smart cards for legacy application compatibility.
  • Use Biometrics – Select to allow users to sign in using face or fingerprint recognition instead of just a PIN.
  • Use Enhanced Anti-Spoofing for Facial Features – Select to require high-quality infrared imaging to prevent the use of photos or masks to bypass face login.
  • Enable Enhanced Sign-in Security (ESS) – Select to isolate biometric data in a secure hardware "enclave" to protect against sophisticated malware.

Advanced Authentication

  • Group A Authentication Providers (First Step) – Choose the primary credentials (PIN, Fingerprint) required for the first stage of device unlock.
  • Group B Authentication Providers (Second Step) – Choose the secondary credentials required to complete a multi-factor device unlock.
  • Enable Dynamic Lock – Select to automatically lock the Windows device when a paired Bluetooth device (like a phone) goes out of range.
  • Dynamic Lock Signal Plugins – Enter specific hardware or signal rules used to determine when a device is "out of range."
  • Use Security Key for Sign-in – Select to allow physical FIDO2 security keys to be used as the primary sign-in method for the Windows lock screen.

Assigning and Applying the Policy

  1. (Optional) Select the Policy Groups tab. Select one or more policy groups where you want to add this policy.
  2. (Optional) Select the Device Groups tab. Select one or more device groups where you want to apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
  3. (Optional) Select the Devices tab. Select one or more devices where you want to apply this policy.
  4. Click Save. If prompted, click Save again.
  5. Users must sign out and sign back in on every device where this policy was applied for it to take effect.