User Setup
New Users: The first time you log in after the Windows Hello for Business policies have been applied, Windows will prompt you to set up a PIN. Once you are logged in, if you would like to change your sign-in method, you can go to Start -> Settings -> Accounts -> Sign-in options.
Current Users: During Windows log-on, the last successful login method is the one that is displayed by default. To switch to a different method, click on Sign-in Options instead and choose your preferred method.
PIN (Windows Hello)
A PIN is not a simple password but a per-device "password" that utilizes a different background method for verification. The key point is the per-device part, which is what makes it MFA-compliant: a user with two devices will have a separate PIN for each device (even if both are set to the same value), and changing one does not affect any others.
Since PINs can be forgotten, we also enable self-service PIN reset, which allows a user to reset their own lost device PIN through Microsoft 365 after verifying two forms of Microsoft 365 MFA.
*** This does require the device to have internet access – PINs cannot be reset while offline ***
Facial Recognition (Windows Hello)
For devices with a compatible infrared webcam (Microsoft Surface), users can select Set up and go through Microsoft’s process of facial scan enrollment. For security, Microsoft will prompt you to verify your PIN after clicking Set up. To reset facial recognition (if it isn’t reading your face properly), either select Improve recognition or select Remove (and then Set up to restart the setup process).
Tips: lighting matters (daylight vs. laptop screen glow at night), as do glasses for contact wearers and other temporary facial adornments. Enrollment should cover all of these situations so that you aren’t blocked later (and forced to use a different login method).
Fingerprint Recognition (Windows Hello)
For devices with a compatible fingerprint reader (USB or built into laptops), users can select Add a finger to begin the finger enrollment process. For security, Microsoft will prompt you to verify your PIN after clicking Add a finger. To reset fingerprints and clear all old fingerprints, select Remove and then re-enroll from scratch.
Tips: make sure your fingers are clean and dry during enrollment, because wet or dusty fingers won’t scan well, and enroll multiple fingers. It is good to have a couple of backup options when the original finger isn’t scanning properly.
Security Key
A security key, such as a YubiKey, is a one-way device that releases a secure code when its touch-sensitive button is pressed or when it is read by an NFC reader, ensuring that it is only used manually (no copy/paste). Enrolling a security key is fairly straightforward but will require adding a separate PIN to use in combination with the device.
The security key PIN is separate from the user login PIN and, like the user login PIN, is also separate from PINs used on other computers.