Enable PIN Complexity in Windows 10
Windows 10 provides a few different ways for users to login, like using the regular password, Windows Hello, PIN, etc. The PIN login, which was first introduced in Windows 8, makes it very easy to log into your user account. The PIN authentication makes it easy and secure because you don’t have to enter your actual password (usually, Microsoft account password) each and every time you unlock or turn on your system. Thus, even if your PIN is compromised, your other devices which use the same Microsoft account won’t get compromised.
That being said, you may not be comfortable protecting your system with a simple PIN that just uses numbers. Thankfully, Windows lets you add complex requirements to the login PIN, like minimum length, special characters, letters, etc., to improve its effectiveness. Here’s how to enable PIN complexity in Windows 10.
The above action will open the Group Policy Editor. Here, navigate to “Computer Configuration -> Administrative Templates -> Windows Components -> Windows Hello for Business -> PIN Complexity.”
Once there, you will see a set of policies on the right panel. You can enable each policy individually to set PIN complexity. Here’s what each policy means.
Require Digits: Forces users to have digits in their PIN
Require Lowercase Letters: Forces users to have at least one lowercase letter in their PIN
Minimum PIN Length: With this policy you can force users to have their PIN meet the minimum length set by you
Maximum PIN Length: Just like the minimum length, you can set maximum length using this policy. By default, the maximum length is 127 characters
Expiration: This policy lets you set the number of days before the PIN expires and forces users to create a new PIN
History: Using this policy you can force users to not set previously used PINs
Require Special Characters: Forces users to have at least one special character in their PIN. The special characters are ! ” # $ % & ‘ ( ) * + , – . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
Require Uppercase Letters: As you can tell from the name, this policy requires users to have at least one uppercase letter in their PIN.
To set a policy, all you have to do is double-click on the policy and then select the option “Enabled.”
For instance, to enforce the minimum length rule, double-click on the “Minimum PIN Length” policy, select the “Enabled” radio button, set the minimum length in the Options field and then click on the “Ok” button to save the changes.
As I said before, you can enable each and every policy individually. Enable the policies you think better suit your environment. For instance, I’ve enabled the minimum length, expiration, and special character policies.
Once you are done setting up the PIN complexity, restart your system or use the below command as an administrator to make the changes take effect.
gpupdate.exe /force
After the changes take effect, the rules are enforced, and whenever a user tries to set their PIN, Windows will let them know all the available rules and will enforce the rules set by you.
If you are using the home version of Windows 10, then you won’t have access to the Group Policy Editor. In that case you can use the Windows Registry Editor.
To get started, press “Win + R,” type regedit and press the Enter button.
After opening the Registry Editor, navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity
Note: if you cannot find the “PINComplexity” key, then create one. Just right-click on the “PassportForWork” key, and select the option “New -> Key.”
Just like when you are using the Group Policy Editor, you need to create separate DWORD values for each policy. For instance, if you want to enforce the special character policy, you need to right-click on the right panel, and then select the option “New -> DWORD Value.”
Name the key as “SpecialCharacters.”
After naming the key, double-click on it, enter the “Value Data” as “1” and then click on the “OK” button to save the changes.
Below are the different DWORD value names that you should use when you are enforcing different PIN Complexity policies.
Require Digits: Digits
Require Lowercase Letters: LowercaseLetters
Minimum PIN Length: MinimumPINLength
Maximum PIN Length: Maximum PIN Length
Expiration: Expiration
History: History
Require Special Characters: SpecialCharacters
Require Uppercase Letters: UppercaseLetters
One thing to keep in mind while using the DWORD values Expiration, History, MinimumPINLength, and Maximum PIN Length is that you need to use the hexadecimal numbers as the Value Data. You can use this free tool to convert normal numbers to hexadecimal numbers.
Excluding the above-mentioned values, you can set the Value Data of all the other values to “1” to enable the policy and “0” to disable the policy.
Also, only create the DWORD values of the PIN complexity policies you want to enforce. For instance, if you don’t want to enforce the “Uppercase letters” in the PIN, then there is no need for you to create the “UppercaseLetters” DWORD value.