This tutorial will show you how to enable or disable Windows Hello PIN expiration for all local and Microsoft accounts on a Windows 10 or Windows 11 PC.
Windows Hello PIN is safer than a password. The PIN is bound to the device so hackers cannot steal it and sign-in to your account from a remote device. A Windows Hello PIN can be complex and use a combination of letters, numbers, and special characters. A Windows Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Windows doesn't link local passwords to the TPM, therefore PINs are considered more secure than local passwords.
Users Windows Hello PIN do not expire by default.
You can specify the period of time (in days) that a PIN can be used before the system requires the user to change it. The PIN can be set to expire after any number of days between 1 and 730.
References:
Windows Hello for Business policy settings
Learn about the policy settings to configure Configure Windows Hello for Business.
learn.microsoft.com
Configure Windows Hello - Microsoft Support
Learn how to sign into your PC with Windows Hello using a PIN, facial recognition, or fingerprint.
support.microsoft.com
You must be signed in as an administrator to enable or disable Windows Hello PIN expiration.
Contents
- Option One: Enable or Disable Windows Hello PIN Expiration in Local Group Policy Editor
- Option Two: Enable or Disable Windows Hello PIN Expiration in Registry Editor
EXAMPLE: PIN expired "Your organization requires that you change your PIN"
The Local Group Policy Editor is only available in the Windows 10/11 Pro, Enterprise, and Education editions.
All editions can use Option Two below.
1 Open the Local Group Policy Editor (gpedit.msc).
2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below step 3)
Computer Configuration > Administrative Templates > System > PIN Complexity
3 In the right pane of PIN Complexity, double click/tap on the Expiration policy to edit it. (see screenshot below)
4 Do step 5 (enable) or step 6 (disable) below for what you would like to do.
5 Enable Windows Hello PIN Expiration
A) Select (dot) Enabled. (see screenshot below)
B) Under "Options", enter a number between 1 and 730 days for the PIN Expiration you want.
C) Click/tap on OK, and go to step 7 below.
6 Disable Windows Hello PIN Expiration
This is the default setting.
A) Select (dot) Not Configured. (see screenshot below)
B) Click/tap on OK, and go to step 7 below.
7 Close the Local Group Policy Editor.
8 Restart the computer to apply.
1 Open Registry Editor (regedit.exe).
2 Do step 3 (enable) or step 4 (disable) below for what you would like to do.
3 Enable Windows Hello PIN Expiration
A) Navigate to the key below in the left pane of Registry Editor. (see screenshot below step 3B)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity
If you do not have the PassportForWork key, then right click or press and hold on the Microsoft key, click/tap on New, click/tap on Key, type PassportForWork, and press Enter.
If you do not have the PINComplexity key, then right click or press and hold on the PassportForWork key, click/tap on New, click/tap on Key, type PINComplexity, and press Enter.
B) In the right pane of the PINComplexity key, double click/tap on the Expiration DWORD to modify it. (see screenshot below)
If you do not have a Expiration DWORD, then right click or press and hold on an empty area in the right pane of the PINComplexity key, click/tap on New, click/tap on DWORD (32-bit) Value, type Expiration, and press Enter.
C) Select (dot) Decimal, enter a number between 1 to 730 days for the PIN expiration you want, click/tap on OK, and go to step 5 below. (see screenshot below)
4 Disable Windows Hello PIN Expiration
This is the default setting.
A) Navigate to the key below in the left pane of Registry Editor. (see screenshot below step 4B)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity
B) In the right pane of the PINComplexity key, right click on the Expiration DWORD, and click/tap on Delete. (see screenshot below)
C) Click/tap on Yes to confirm, and go to step 5 below. (see screenshot below)
5 Close Registry Editor.
6 Restart the computer to apply.
That's it,
Shawn Brink
Last edited:
