This tutorial will show you how to change minimum Windows Hello PIN length requirements for all local and Microsoft accounts on a Windows 10 or Windows 11 PC.
Windows Hello PIN is safer than a password. The PIN is bound to the device so hackers cannot steal it and sign-in to your account from a remote device. A Windows Hello PIN can be complex and use a combination of letters, numbers, and special characters. A Windows Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Windows doesn't link local passwords to the TPM, therefore PINs are considered more secure than local passwords.
Users Windows Hello PIN can't be longer than 127 characters by default.
Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. If you configure this policy setting, the PIN length must be less than or equal to this number.
If you change the maximum PIN length, users will be required to change their PIN to meet the new PIN complexity requirements if not already met.
References:
Windows Hello for Business policy settings
Learn about the policy settings to configure Configure Windows Hello for Business.
learn.microsoft.com
Configure Windows Hello - Microsoft Support
Learn how to sign into your PC with Windows Hello using a PIN, facial recognition, or fingerprint.
support.microsoft.com
You must be signed in as an administrator to change the minimum Windows Hello PIN length.
Contents
- Option One: Change Maximum Windows Hello PIN Length in Local Group Policy Editor
- Option Two: Change Maximum Windows Hello PIN Length in Registry Editor
EXAMPLE: Default Windows Hello PIN complexity requirements
The Local Group Policy Editor is only available in the Windows 10/11 Pro, Enterprise, and Education editions.
All editions can use Option Two below.
1 Open the Local Group Policy Editor (gpedit.msc).
2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below step 3)
Computer Configuration > Administrative Templates > System > PIN Complexity
3 In the right pane of PIN Complexity, double click/tap on the Maximum PIN length policy to edit it. (see screenshot below)
4 Do step 5 (change) or step 6 (default) below for what you would like to do.
5 Change Maximum Windows Hello PIN Length
A) Select (dot) Enabled. (see screenshot below)
B) Under "Options", enter a number between 4 and 127 for the Maximum PIN length you want.
The Maximum PIN length must be higher than the Minimum PIN length.
C) Click/tap on OK, and go to step 7 below.
6 Default Maximum Windows Hello PIN Length
This is the default setting.
A) Select (dot) Not Configured. (see screenshot below)
B) Click/tap on OK, and go to step 7 below.
7 Close the Local Group Policy Editor.
8 Restart the computer to apply.
1 Open Registry Editor (regedit.exe).
2 Do step 3 (change) or step 4 (default) below for what you would like to do.
3 Change Maximum Windows Hello PIN Length
A) Navigate to the key below in the left pane of Registry Editor. (see screenshot below step 3B)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity
If you do not have the PassportForWork key, then right click or press and hold on the Microsoft key, click/tap on New, click/tap on Key, type PassportForWork, and press Enter.
If you do not have the PINComplexity key, then right click or press and hold on the PassportForWork key, click/tap on New, click/tap on Key, type PINComplexity, and press Enter.
B) In the right pane of the PINComplexity key, double click/tap on the MaximumPINLength DWORD to modify it. (see screenshot below)
If you do not have a Expiration DWORD, then right click or press and hold on an empty area in the right pane of the PINComplexity key, click/tap on New, click/tap on DWORD (32-bit) Value, type MaximumPINLength, and press Enter.
C) Select (dot) Decimal, enter a number between 4 to 127 for the maximum PIN length you want, click/tap on OK, and go to step 5 below. (see screenshot below)
The MaximumPINLength must be higher than the MinimumPINLength.
4 Default Maximum Windows Hello PIN Length
This is the default setting.
A) Navigate to the key below in the left pane of Registry Editor. (see screenshot below step 4B)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity
B) In the right pane of the PINComplexity key, right click on the MaximumPINLength DWORD, and click/tap on Delete. (see screenshot below)
C) Click/tap on Yes to confirm, and go to step 5 below. (see screenshot below)
5 Close Registry Editor.
6 Restart the computer to apply.
That's it,
Shawn Brink
Last edited:
