Windows 10 provides a few different ways for users to login, like using the regular password, Windows Hello, PIN, etc. The PIN login, which was first introduced in Windows 8, makes it very easy to log into your user account. The PIN authentication makes it easy and secure because you don’t have to enter your actual password (usually, Microsoft account password) each and every time you unlock or turn on your system. Thus, even if your PIN is compromised, your other devices which use the same Microsoft account won’t get compromised.
That being said, you may not be comfortable protecting your system with a simple PIN that just uses numbers. Thankfully, Windows lets you add complex requirements to the login PIN, like minimum length, special characters, letters, etc., to improve its effectiveness. Here’s how to enable PIN complexity in Windows 10.
Enable the PIN Complexity in Windows 10
You can easily enable PIN complexity in Windows 10 using the Group Policy Editor. To start, press “Win + R,” type gpedit.msc and press the Enter button.
The above action will open the Group Policy Editor. Here, navigate to “Computer Configuration -> Administrative Templates -> Windows Components -> Windows Hello for Business -> PIN Complexity.”
Once there, you will see a set of policies on the right panel. You can enable each policy individually to set PIN complexity. Here’s what each policy means.
- Require Digits: Forces users to have digits in their PIN
- Require Lowercase Letters: Forces users to have at least one lowercase letter in their PIN
- Minimum PIN Length: With this policy you can force users to have their PIN meet the minimum length set by you
- Maximum PIN Length: Just like the minimum length, you can set maximum length using this policy. By default, the maximum length is 127 characters
- Expiration: This policy lets you set the number of days before the PIN expires and forces users to create a new PIN
- History: Using this policy you can force users to not set previously used PINs
- Require Special Characters: Forces users to have at least one special character in their PIN. The special characters are ! ” # $ % & ‘ ( ) * + , – . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
- Require Uppercase Letters: As you can tell from the name, this policy requires users to have at least one uppercase letter in their PIN.
To set a policy, all you have to do is double-click on the policy and then select the option “Enabled.”
For instance, to enforce the minimum length rule, double-click on the “Minimum PIN Length” policy, select the “Enabled” radio button, set the minimum length in the Options field and then click on the “Ok” button to save the changes.
As I said before, you can enable each and every policy individually. Enable the policies you think better suit your environment. For instance, I’ve enabled the minimum length, expiration, and special character policies.
Once you are done setting up the PIN complexity, restart your system or use the below command as an administrator to make the changes take effect.
gpupdate.exe /forceAfter the changes take effect, the rules are enforced, and whenever a user tries to set their PIN, Windows will let them know all the available rules and will enforce the rules set by you.
Enable the PIN Complexity Using Registry
If you are using the home version of Windows 10, then you won’t have access to the Group Policy Editor. In that case you can use the Windows Registry Editor.
To get started, press “Win + R,” type regedit and press the Enter button.
After opening the Registry Editor, navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexityNote: if you cannot find the “PINComplexity” key, then create one. Just right-click on the “PassportForWork” key, and select the option “New -> Key.”
Just like when you are using the Group Policy Editor, you need to create separate DWORD values for each policy. For instance, if you want to enforce the special character policy, you need to right-click on the right panel, and then select the option “New -> DWORD Value.”
Name the key as “SpecialCharacters.”
After naming the key, double-click on it, enter the “Value Data” as “1” and then click on the “OK” button to save the changes.
Below are the different DWORD value names that you should use when you are enforcing different PIN Complexity policies.
- Require Digits: Digits
- Require Lowercase Letters: LowercaseLetters
- Minimum PIN Length: MinimumPINLength
- Maximum PIN Length: Maximum PIN Length
- Expiration: Expiration
- History: History
- Require Special Characters: SpecialCharacters
- Require Uppercase Letters: UppercaseLetters
One thing to keep in mind while using the DWORD values Expiration, History, MinimumPINLength, and Maximum PIN Length is that you need to use the hexadecimal numbers as the Value Data. You can use this free tool to convert normal numbers to hexadecimal numbers.
Excluding the above-mentioned values, you can set the Value Data of all the other values to “1” to enable the policy and “0” to disable the policy.
Also, only create the DWORD values of the PIN complexity policies you want to enforce. For instance, if you don’t want to enforce the “Uppercase letters” in the PIN, then there is no need for you to create the “UppercaseLetters” DWORD value.
Do comment below sharing your thoughts and experiences about using the above methods to enable PIN complexity in Windows.
Hi,
I came across this while researching Windows Hello. In the example above it shows that you can use letters but they are not required. When I enable the uppercase or lowercase settings in the registry or the group policy it requires at least one of each. Would like to be able to have them allowed but not required at least for testing purposes now. Thank you.