Windows Hello for Business Features

Consider these additional features you can use after your organization deploys Windows Hello for Business.

Conditional access


  • Azure Active Directory
  • Hybrid Windows Hello for Business deployment

In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, apps, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS apps, IT professionals are faced with two opposing goals:+

  • Empower the end users to be productive wherever and whenever
  • Protect the corporate assets at any time

To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain apps even for the right people? For example, it might be OK for you if the right people are accessing certain apps from a trusted network; however, you might not want them to access these apps from a network you don't trust. You can address these questions using conditional access.

Read Conditional access in Azure Active Directory to learn more about Conditional Access. Afterwards, read Getting started with conditional access in Azure Active Directory to start deploying Conditional access.

Dynamic lock


  • Windows 10, version 1703

Dynamic lock enables you to configure Windows 10 devices to automatically lock when bluetooth paired device signal falls below the maximum Recieved Signal Stregnth Indicator (RSSI) value. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Busines. The name of the policy is Configure dynamic lock factors.

The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:


Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.

<rule schemaVersion="1.0"> 
    <signal type="bluetooth" scenario="Dynamic Lock" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/> 

For this policy setting, the type and scenario attribute values are static and cannot change. The classofDevice attribute defaults Phones and uses the values from the following table

Description Value
Miscellaneous 0
Computer 256
Phone 512
LAN/Network Access Point 768
Audio/Video 1024
Peripheral 1280
Imaging 1536
Wearable 1792
Toy 2048
Health 2304
Uncategorized 7936

The rssiMin attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of -10 enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The rssiMaxDelta has a default value of -10, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.

RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.

PIN reset

Hybrid Deployments


  • Azure Active Directory
  • Hybrid Windows Hello for Business deployment
  • Modern Management - Microsoft Intune, or compatible mobile device management (MDM)
  • Remote reset - Windows 10, version 1703
  • Reset above Lock - Windows 10, version 1709

The Microsoft PIN reset services enables you to help users who have forgotten their PIN. Using Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables you to remotely push a PIN reset or enables users to reset their forgotten PIN above the lock screen without requiring reenrollment.

Onboarding the Microsoft PIN reset service to your Intune tenant

Before you can remotely reset PINs, you must onboard the Microsoft PIN reset service to your Intune or MDM tenant, and configure devices you manage. Follow these instructions to get that set up:

Connect Intune with the PIN reset service

  1. Visit Microsoft PIN Reset Service Integration website, and sign in using the tenant administrator account you use to manage your Intune tenant.
  2. After you log in, click Accept to give consent for the PIN reset service to access your account.
    PIN reset service permissions page
  3. In the Azure portal, you can verify that Intune and the PIN reset service were integrated from the Enterprise applications - All applications blade as shown in the following screenshot:
    PIN reset service application in Azure
  4. Log in to this website using your Intune tenant admin credentials and, again, choose Accept to give consent for the service to access your account.

Configure Windows devices to use PIN reset

To configure PIN reset on Windows devices you manage, use an Intune Windows 10 custom device policy to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP):

  • For devices - ./Device/Vendor/MSFT/PassportForWork/tenant ID/Policies/EnablePinRecovery

tenant ID refers to your Azure Active Directory, Directory ID which you can obtain from the Properties page of Azure Active Directory.

Set the value for this CSP to True.

Read the Steps to reset the passcode section to remotely reset a PIN on an Intune managed device.

On-premises Deployments

** Requirements**

  • Active Directory
  • On-premises Windows Hello for Business deployment
  • Reset from settings - Windows 10, version 1703
  • Reset above Lock - Windows 10, version 1709

On-premises deployments provide users with the ability to reset forgotton PINs either through the settings page or from above the user's lock screen. Users must know or be provided their password for authentication, must perform a second factor of authentication, and then reprovision Windows Hello for Business.


Users must have corporate network connectivity to domain controllers and the AD FS server to reset their PINs.

Reset PIN from Settings

  1. Sign-in to Windows 10, version 1703 or later using an alternate credential.
  2. Open Settings, click Accounts, click Sign-in options.
  3. Under PIN, click I forgot my PIN and follow the instructions.

Reset PIN above the Lock Screen

  1. On Windows 10, version 1709, click I forgot my PIN from the Windows Sign-in
  2. Enter your password and press enter.
  3. Follow the instructions provided by the provisioning process
  4. When finished, unlock your desktop using your newly creeated PIN.


Visit the Frequently Asked Questions section of the Windows Hello for Business page and watch the What happens when the user forgets their PIN? video.

Privileged Credentials


  • Hybrid and On-premises Windows Hello for Business deployments
  • Domain Joined or Hybrid Azure joined devices
  • Windows 10, version 1709

The privileged credentials scenario enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.

By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, Allow enumeration of emulated smart card for all users, you can configure a device to all this enumeration on selected devices.

With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal workflow such as email, but can launch Microsoft Managment Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting Run as different user or Run as administrator, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using runas.exe combined with the /smartcard argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternativing between privileged and non-privileged workloads.