The purpose of this post is to quickly publish details of some changes designed to create distinction of our next generation credential, now called Windows Hello for Business and its associated PIN. If you are currently managing an enterprise computing environment utilizing Windows 10 with Windows Hello then you should read this article to determine if you need to take action.
Please note that these changes should only affect Active Directory domain joined devices. Standalone devices and home PCs aren’t experiencing this change in the same way.
Recap on Windows Hello in Windows 10 Version 1511
Previously, there have been two paths to use Windows Hello (Biometric/PIN sign in) in your business:
1. You don’t deploy any additional infrastructure & you allow users to enrol a PIN or biometrics if they choose (this was the default)
2. You deployed Microsoft Passport for Work, which was the enterprise-grade, next generation credential that can be used to replace passwords.
While using Passport for Work (now called Windows Hello for Business) offers huge security benefits, many organizations have yet to deploy the security technology, and are typically using #1 in the list above today. This is the focus of this article.
The default behavior in Windows 10 Version 1511 is to allow users to enroll for a PIN (and Biometrics if the supported hardware is present) – the Settings app gives the user an “Add” button to initiate this flow:
What this dialog doesn’t tell you is that since IT hasn’t configured Passport for Work infrastructure (Now called Windows Hello for Business), what you’re actually doing is creating a ‘convenience’ PIN.
A Convenience PIN is very different to a Passport for Work (now called Windows Hello for Business) PIN because unlike the more secure option, it is merely a wrapper for the user’s domain password.
The result of doing the enrollment above is that the users password is cached and substituted by the local system when signing in with a Convenience PIN.
As mentioned, Windows 10, Version 1511 allows this type of enrolment by default. The reason is so that businesses and home users of all types can leverage Windows Hello Biometric logon from day one, and gain the simplicity of logging on using a gesture, without needing to deploy infrastructure.
The control of this functionality was achieved through the “Use Passport for Work” group policy setting, or the “Use Biometrics” setting. Setting the “Turn on convenience PIN sign-in” had no effect and only applied to Windows 8.x. (Note that this GP setting might also appear as "Turn on PIN sign-in" - it's the same setting that was renamed in Windows 10.)
So, What's Changed?
Starting in Windows 10, Version 1607, the default behavior to allow convenience PIN creation has changed.
The new default is that convenience PINs cannot be created on domain joined machines unless you specifically enable it via policy:
This has implications for the following scenarios:
- For newly built machines that are running 1607, you’ll notice that the options to configure PINs are greyed out and unavailable to users, whereas previously they were.
- For machines that are upgraded to Windows 10, Version 1607 that have convenience PINs and biometrics enabled already for existing user accounts – they’ll still be able to sign in after the upgrade. That particular user will also be able to change their PIN, reset their PIN and remove their PIN:
However, if they do remove their PIN, they'll be unable to add one again or enrol Biometrics (because bio requires a PIN):
In this scenario, this user can't use biometrics until the organisation deploys Windows Hello for Business infrastructure, or re-enables Convenience PIN sign in with policy.
This is potentially a problem if your users have adopted PIN/Bio sign in and are expecting it to continue working the same way as it has previously. Specifically:
- New users won't be able to enroll
- Existing users won't be able to enroll on new or other PCs
- If a user with a PIN and Biometric enrolment removes it, it can't be added again
If you wish to enable the original functionality for both scenarios above, you must specifically enable the Group Policy setting for Convenience PIN sign-in. You do this by setting the “Turn on convenience PIN sign-in”, which now controls the Convenience PIN behavior in Windows 10. (Note that this GP setting might also appear as "Turn on PIN sign-in" - it's the same setting that was renamed in Windows 10.)
In summary, if you are looking to deploy Windows Hello for Business (formally Microsoft Passport for Work) then this might be the perfect opportunity to move to that more secure credential and not re-instate the convenience PIN sign in. However, if you have happy with the convenience PIN sign in functionality and security, you should enable the “Turn on convenience PIN sign-in” GP setting before you upgrade so that users can continue to use Windows Hello and not be interrupted by the upgrade.