Authentication (Desktop)

An Authentication configuration enables you to set minimum requirements for password-based user authentication on a device. Do this when you perform the following actions:

Complexity Requirements

Minimum Password Length: Select the minimum number of characters a password must have.
Set Password Complexity: Enable to set complex passwords for local and Microsoft accounts.

Select a password complexity criterion:

  • Digits Only: The profile supports any password that has a minimum of one digit.
  • Digits and Lowercase Letters: The profile supports any password that has a minimum of one digit and one lowercase letter.
  • Digits Lowercase and Uppercase Letters: The profile supports any password that has a minimum of one digit, one lowercase letter, and one uppercase letter.
    Note: A special character is an uppercase value.

Local accounts support passwords containing Digits Only, Digits and Lowercase Letters, and Digits Lowercase and Uppercase Letters. However, local accounts enforce passwords with Digits Lowercase and Uppercase Letters. Irrespective of which of the 3 profile options is selected, the device exhibits the behavior of the Digits Lowercase and Uppercase Letters profile. See Policy CSP - Device Lock for more information.

Microsoft accounts support passwords containing Digits Only and Digits and Lowercase Letters. Password profiles that are Digits Lowercase and Uppercase Letters are only supported when a user adds a Microsoft account to an existing local account.

To successfully assign the password complexity payload, restart the device after the successful installation of the profile. The installation status is under the Configurations tab in the device detail pop-up. Upon restart, users need to enter the existing password, and then enter a new password that complies with the assigned password complexity profile.
Note: Password complexity supports Windows 10 Version 1803 and onwards.
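The enforcement behavior described above can be modeled to predict which profile a device ends up applying and whether a given password will be accepted. This is an added example, not the vendor's code: the function names, the account-type strings, and the sample passwords in the comments are hypothetical, and any character that is not an ASCII digit or lowercase letter is assumed to count as uppercase, following the note on special characters.

```python
import string

# Profile names as listed on this page, mapped to the character classes each demands.
PROFILES = {
    "Digits Only": {"digit"},
    "Digits and Lowercase Letters": {"digit", "lower"},
    "Digits Lowercase and Uppercase Letters": {"digit", "lower", "upper"},
}
STRICTEST = "Digits Lowercase and Uppercase Letters"


def effective_profile(account_type, selected, added_to_local=False):
    """Return the profile the device actually enforces, or None if unsupported."""
    if selected not in PROFILES:
        raise ValueError(f"unknown profile: {selected}")
    if account_type == "local":
        # Local accounts behave as the strictest profile whatever was selected.
        return STRICTEST
    if account_type == "microsoft":
        # The strictest profile applies only to a Microsoft account that was
        # added to an existing local account.
        if selected == STRICTEST and not added_to_local:
            return None
        return selected
    raise ValueError(f"unknown account type: {account_type}")


def classes_in(password):
    """Character classes present; a special character counts as uppercase."""
    found = set()
    for ch in password:
        if ch in string.digits:
            found.add("digit")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        else:
            found.add("upper")  # A-Z and (assumption) every other character
    return found


def complies(password, profile, min_length):
    """True if the password meets the minimum length and the profile's classes."""
    return len(password) >= min_length and PROFILES[profile] <= classes_in(password)
```

For a local account, `complies("abc12345", effective_profile("local", "Digits Only"), 8)` is false even though the selected profile asks only for a digit, which is the mismatch to expect when users are prompted for a new password after the restart.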

History

Password Expiry: Select this option to enable password expiry.
Expire Password in: Enter the number of days before a password expires.
Unique Password Before Reuse: Select this option to set the number of unique passwords before reusing an old password.
Number of Unique Passwords Before Reuse: Enter the number of unique passwords before reusing an old password.

Enforcement

On the Enforcement tab, you can set conditions for locking or wiping the device.

Inactivity Before Screen Lock: The number of minutes of inactivity on the device before the screen becomes locked, forcing the user to re-enter their password to gain access.

A value of zero indicates that there is no limit.

Failed Password Attempts: The limit of failed attempts to unlock the device before it automatically resets and enables BitLocker recovery mode, which makes the data inaccessible but recoverable. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
Note: You must enable BitLocker on the device to enforce this setting.

Windows Hello

Configure Windows Hello for Business
Note: This feature is supported on Windows 10 version 1903 and later.
Enable to set password complexity for Windows Hello for Business.
Select the following password complexity criteria:
  • Minimum PIN length: Enter the minimum PIN length between 4 and 127.
  • Maximum PIN length: Enter the maximum PIN length between 4 and 127.
  • Lowercase letters in PIN: From the list, select the option to allow or disallow lowercase characters in the PIN. If you select Required, then the PIN must include at least one lowercase character.
  • Uppercase letters in PIN: From the list, select the option to allow or disallow uppercase characters in the PIN. If you select Required, then the PIN must include at least one uppercase character.
  • Special characters in PIN: From the list, select the option to allow or disallow special characters in the PIN. If you select Required, then the PIN must include at least one special character.
  • Digits in PIN: From the list, select the option to allow or disallow numbers in the PIN. If you select Required, then the PIN must include at least one numeric character.
  • PIN expiration (days): Configure this setting to set the number of days until a PIN expires.
    • Set PIN expiration: Enter a value to set the number of days.
  • Remember PIN history: Configure this setting to restrict PIN reuse.
    • Set Remember PIN history: Enter a value to set the number of PINs.
  • Enable PIN recovery: Enable to allow users to store, recover, and change the PIN.
  • Use a Trusted Platform Module (TPM): Enable to allow devices with a usable TPM to provide Windows Hello for Business.
  • Allow biometric authentication: Enable to allow authentication using facial and fingerprint recognition. Users must configure a PIN in case of failure.
  • Certificate for on-premise resources: Enable to use certificates to authenticate on-premise resources.
Use security keys for sign-in: Enable to set Windows Hello security key as a logon credential.
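
The Windows Hello for Business PIN criteria listed above can be sanity-checked before a profile is pushed, since a minimum above the maximum or a policy that disallows every character class leaves users unable to set any PIN. This is an added example, not the vendor's code: `PinPolicy` and the function names are hypothetical, "Allowed" and "Disallowed" are assumed labels for the options the page describes alongside Required, and any character that is not an ASCII digit or letter is assumed to count as special.

```python
import string
from dataclasses import dataclass

# "Required" is the option named on the page; the other two labels are assumed.
ALLOWED, DISALLOWED, REQUIRED = "Allowed", "Disallowed", "Required"
CLASSES = ("lowercase", "uppercase", "special", "digits")


@dataclass
class PinPolicy:
    min_length: int
    max_length: int
    lowercase: str
    uppercase: str
    special: str
    digits: str


def policy_errors(p):
    """Reasons the policy is out of range or impossible to satisfy."""
    errors = []
    for name, value in (("min_length", p.min_length), ("max_length", p.max_length)):
        if not 4 <= value <= 127:
            errors.append(f"{name} must be between 4 and 127")
    if p.min_length > p.max_length:
        errors.append("min_length exceeds max_length")
    if all(getattr(p, cls) == DISALLOWED for cls in CLASSES):
        errors.append("every character class is disallowed")
    return errors


def classify(ch):
    for cls, chars in (("digits", string.digits), ("lowercase", string.ascii_lowercase),
                       ("uppercase", string.ascii_uppercase)):
        if ch in chars:
            return cls
    return "special"  # assumption: everything else counts as special


def pin_violations(pin, p):
    """List the ways a candidate PIN breaks the policy (empty list = compliant)."""
    problems = [] if p.min_length <= len(pin) <= p.max_length else ["length"]
    present = {classify(ch) for ch in pin}
    for cls in CLASSES:
        if getattr(p, cls) == REQUIRED and cls not in present:
            problems.append(f"missing {cls}")
        if getattr(p, cls) == DISALLOWED and cls in present:
            problems.append(f"contains {cls}")
    return problems
```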