Hey everyone! I'm curious about your opinions on Windows Hello for Business (WHfB), especially for devices that are hybrid joined. If you're using WHfB, what settings do you apply for PIN strength? I recently transitioned to using hybrid joined Entra devices, and Intune unexpectedly required users to set up a PIN. Now, I'm debating whether to disable the feature or keep it. If I do keep it, is the standard 6-digit PIN strong enough, or should I consider increasing the length?
10 Answers
I suggest setting a minimum of 6 digits, and allow letters and special characters. Another idea is to encourage users to create easy-to-remember phrases—like "MyDogIsAwesome"—as secure PINs. People usually don't forget those!
We use WHfB and keep it to a 5-digit numeric PIN for dedicated users. A 6-digit one often leads to predictable choices like birth dates. For shared PCs, we issue YubiKeys, and it’s working well for us!
I faced this during our last rollout. The default 6-digit PIN didn’t feel secure enough, so we switched to longer PINs with special characters after a bit of resistance. It’s definitely better to be safe now than to regret it later. Plus, we added LayerX Security to monitor any browser gaps, since that's where many attacks happen.
Just be careful about legacy or custom apps; they might not play well with WHfB.
The Microsoft Security score only gives you credit if the PIN is at least 6 digits long, so definitely stick to that if you're aiming to boost your security score.
I’d say it's worth keeping WHfB since it’s inherently more secure than traditional passwords. Even if a device is compromised, the PIN won’t work for logging into services like Office 365, which helps prevent password theft. In terms of length, if the PIN is randomly generated, a 6-digit one should be adequate.
I think for WHfB, you should go for a minimum of 5 or 6 digits. Plus, it’s a good idea to set up cloud Kerberos and prioritize biometrics as your go-to method. Remember, a simple 6-digit PIN doesn’t have the same effectiveness as a longer password!
Are you allowing random PINs or just sticking to custom 6-digit ones?
We decided to completely disable WHfB and just use web login for device access. It lets us stick with the same MFA process.
I see that for shared devices, but for 1:1 user setups? Your users must not enjoy that!
Do you also turn off the password credential provider at the login screen?
Are you implementing this for hybrid devices too?
We ended up disabling Windows Hello entirely, but that’s mainly because we handle a lot of military contracts. If your security requirements are less strict, WHfB might really suit your needs.
It’s strange to disable it since Hello offers way more security than a basic password.
You might want to rethink that choice. Windows Hello is really secure when it’s set up correctly!
Don’t forget that WHfB authentication is tied to the TPM, which reduces the risk of the PIN being compromised on another device. You can also enhance security by using multi-factor unlock with your PIN alongside biometrics. I'd definitely recommend keeping it!
Is using cloud Kerberos trust a must for WHfB? I feel like it works fine without any cloud trust setup.

Cyber Essentials actually requires a 12-digit PIN if you're using WHfB exclusively, especially since it's your main method for accessing services like Outlook.
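Several replies above argue over minimum length (5, 6 or 12 digits) and whether to allow letters and special characters. The script below is an added example, not code from any poster or from Microsoft: it reads the Windows Hello for Business PIN complexity policy from the Group Policy registry location that the PassportForWork ADMX writes (`HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity`, an assumption; Intune-delivered policy may land elsewhere, so `-Path` is a parameter), fills in unconfigured values with the documented Windows defaults (also an assumption to verify against your build), and reports the effective alphabet, the entropy of the shortest PIN the policy permits, and whether it meets a chosen minimum length.

```powershell
# Added example (not from the thread): audit the effective WHfB PIN complexity
# policy on a device and estimate the keyspace of the shortest permitted PIN.
# Assumptions: policy values live under the PassportForWork ADMX registry path
# below, and the 0/1/2 flags mean 0 = allowed, 1 = required, 2 = not allowed
# as described in the PassportForWork CSP documentation.
[CmdletBinding()]
param(
    [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity',
    [int]$RequiredMinimumLength = 6   # threshold most replies above recommend
)

# Values Windows applies when a setting is not configured (assumed defaults;
# confirm against the CSP documentation for your Windows build).
$script:PinDefaults = @{
    MinimumPINLength  = 4
    MaximumPINLength  = 127
    Digits            = 1   # required by default
    UppercaseLetters  = 2   # not allowed by default
    LowercaseLetters  = 2
    SpecialCharacters = 2
    Expiration        = 0   # days; 0 = never expires
    History           = 0   # remembered PINs; 0 = none
}

function Get-PinComplexityPolicy {
    param([string]$Path)
    # Merge configured values over the defaults so every key is present.
    $policy = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $script:PinDefaults.Keys) {
        if ($null -ne $item -and $null -ne $item.$name) {
            $policy[$name] = [int]$item.$name
        } else {
            $policy[$name] = $script:PinDefaults[$name]
        }
    }
    $policy['Source'] = if ($null -ne $item) { $Path } else { 'defaults (no policy key found)' }
    return $policy
}

function Get-PinAlphabetSize {
    param([hashtable]$Policy)
    # A character class widens the alphabet when it is allowed (0) or required (1).
    $size = 0
    if ($Policy.Digits            -ne 2) { $size += 10 }
    if ($Policy.UppercaseLetters  -ne 2) { $size += 26 }
    if ($Policy.LowercaseLetters  -ne 2) { $size += 26 }
    if ($Policy.SpecialCharacters -ne 2) { $size += 32 }  # printable ASCII punctuation
    return $size
}

function Test-PinPolicy {
    param([hashtable]$Policy, [int]$RequiredMinimumLength)
    $alphabet = Get-PinAlphabetSize -Policy $Policy
    $minLen   = $Policy.MinimumPINLength
    $findings = New-Object System.Collections.Generic.List[string]

    if ($minLen -lt $RequiredMinimumLength) {
        $findings.Add("MinimumPINLength is $minLen; required threshold is $RequiredMinimumLength.")
    }
    if ($alphabet -eq 10) {
        $findings.Add('Numeric-only PIN: letters and special characters are not allowed.')
    }
    if ($alphabet -eq 0) {
        $findings.Add('Policy forbids every character class; users cannot enroll a PIN.')
    }

    # Entropy of the shortest PIN the policy accepts; longer PINs only add to it.
    $bits = if ($alphabet -gt 0) { [math]::Round([math]::Log($alphabet, 2) * $minLen, 1) } else { 0 }

    [PSCustomObject]@{
        Source           = $Policy.Source
        MinimumPINLength = $minLen
        MaximumPINLength = $Policy.MaximumPINLength
        AlphabetSize     = $alphabet
        MinEntropyBits   = $bits
        ExpirationDays   = $Policy.Expiration
        History          = $Policy.History
        MeetsThreshold   = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

$policy = Get-PinComplexityPolicy -Path $Path
Test-PinPolicy -Policy $policy -RequiredMinimumLength $RequiredMinimumLength | Format-List
```

Run it as-is on a hybrid-joined device to see what policy is actually in force (the `Source` field tells you whether a key was found or only defaults applied), or pass `-RequiredMinimumLength 12` to check against the stricter figure mentioned for Cyber Essentials. The entropy figure is a lower bound for comparing policy choices against each other; because the PIN only unlocks a TPM-protected key on that device, as the TPM reply above notes, it is not directly comparable to the entropy of a password whose hash could be attacked offline.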