PIN sign in is a convenient way to quickly authenticate yourself and log into your Windows 10 PC. However, IT administrators in charge of Windows Domains may want to control whether users can sign in with PIN on Windows 10 for security reasons.
This step-by-step guide demonstrates how to enable or disable PIN login for domain users in Windows 10 using Group Policy. It also explains the advantages and security implications of PIN sign-in compared with other Windows sign-in options, and how best to manage the ways Windows domain users log in within enterprise environments.
Windows 10 PIN authentication and Windows Hello for Business
Windows Hello for Business provides a number of convenient ways to sign in to a Windows domain without a password. This includes biometrics (using a face scan or fingerprint), and PIN authentication for Windows 10 domain users.
PINs provide a fast way to log in to a Windows device without having to enter a password each time. PINs are by default 4 digits, but can be more complex for increased security. Windows Hello authentication is configured per-device, and not stored with the user’s log-in information on the Windows Domain controller.
Somewhat counterintuitively, this can make PIN authentication more secure than password authentication (even if the PIN is shorter than the user’s password): when a PIN is used to log in, the user’s password is not entered (so it cannot be seen by anyone nearby or captured by keyloggers), nor is it transmitted to the domain controller. This way, if a PIN is compromised, only that device is affected — the password, and any accounts secured with it, remain private.
The data used for Windows Hello logins is strongly encrypted and stored securely using a hardware trusted platform module (TPM), so it is hard to extract and offers improved protection against brute-force attacks.
Reasons to enable or disable PIN sign-in for domain users
The advantages of enabling PIN authentication and Windows Hello for Windows 10 domain users include:
- Improved security: Windows Hello using biometric authentication or a PIN, backed by a hardware TPM, reduces the risk of passwords being stolen and used on other systems.
- User convenience: PINs are generally much shorter than passwords and easier to remember, so they can be changed more readily and are much less likely to be forgotten.
- Multifactor authentication: Windows Hello, including the use of PINs, can be combined with other authentication methods supported by Active Directory or Microsoft Entra ID for enhanced, multifactor protection while still remaining convenient for users.
While Windows Hello offers both improved convenience and security over traditional password login, there are justified reasons why Windows domain administrators may choose to disable PIN login:
- Compliance: Regulations or internal policies may stipulate what methods users can use to log in, including password complexity which may prohibit PINs.
- Usability: Users accustomed to traditional login methods may struggle when multiple log-in options are provided, and prefer to have PIN login and other Windows Hello features disabled.
- Hardware support: While Windows Hello (including PIN authentication) does not require a TPM to generate and store encryption keys, system administrators may prefer to disable the feature if a TPM (and the enhanced key protection it provides) is not available in all the devices they are responsible for.
- Centralized control: A single password-based login method may be preferred by organizations who want to limit the number of login options they support to streamline troubleshooting.
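The hardware-support point above is easier to act on with an inventory of which domain computers actually have a TPM. The following PowerShell script is an added example written for this guide (it is not NinjaOne code or part of the original article); it assumes the ActiveDirectory module from RSAT is installed, WinRM is enabled on the target computers, and the OU distinguished name is a placeholder you replace with your own.

```powershell
# Added example: inventory TPM availability across domain-joined computers
# before deciding whether Windows Hello / PIN sign-in should stay enabled
# for every device. Assumes RSAT (ActiveDirectory module) and WinRM access.
Import-Module ActiveDirectory

$TargetOu = 'OU=Workstations,DC=example,DC=com'   # placeholder: your OU

function Get-TpmInventory {
    param([Parameter(Mandatory)] [string] $SearchBase)

    # Enabled computer accounts in the OU (and its child OUs) being assessed.
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
                 Select-Object -ExpandProperty Name

    # Query each machine; unreachable hosts are skipped rather than aborting the run.
    Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
        # Win32_Tpm lives in its own WMI namespace and is absent when no TPM exists.
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            TpmPresent   = [bool]$tpm
            TpmEnabled   = $(if ($tpm) { $tpm.IsEnabled_InitialValue }   else { $false })
            TpmActivated = $(if ($tpm) { $tpm.IsActivated_InitialValue } else { $false })
            SpecVersion  = $(if ($tpm) { $tpm.SpecVersion }              else { 'n/a' })
        }
    } | Select-Object Computer, TpmPresent, TpmEnabled, TpmActivated, SpecVersion
}

# Full table, TPM-less devices first, then a plain list of those devices so they
# can be placed in a separate OU (or excluded from the PIN sign-in GPO).
$inventory = Get-TpmInventory -SearchBase $TargetOu
$inventory | Sort-Object TpmPresent, Computer | Format-Table -AutoSize
$inventory | Where-Object { -not $_.TpmPresent } | Select-Object -ExpandProperty Computer
```

Devices that report no TPM (or a TPM that is present but not enabled or activated in firmware) are the ones where PINs would fall back to software-protected keys; keeping them in their own OU lets you scope the Group Policy described in the next section to TPM-equipped hardware only.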
Step-by-step instructions: How to enable or disable PIN sign-in for domain users
The following instructions detail how to enable or disable PIN login for domain users in Windows 10 using Group Policy in Active Directory. You will need to be logged in to an administrator account on the domain and have access to a domain controller with the Group Policy Management Console (GPMC). Additionally, you will need to be running Windows Server 2016 or later to use Windows Hello for Business.
To enable PIN sign-in Windows 10 for domain users, follow these steps:
- Make sure you’re logged in to a domain controller with an administrator account
- Right-click on the Start button and click Run
- Enter gpmc.msc to open the Group Policy Management Console
- Create a Group Policy Object (GPO) that targets the users, groups, or other organizational units (OUs) that you want to configure PIN login for
- Right-click on the newly created GPO and click Edit
- Navigate to Computer Configuration\Administrative Templates\System\Logon in the Group Policy Editor
- Right-click on the setting named Turn on convenience PIN sign-in and click Edit
- Select Enabled to enable PIN sign in for Windows 10 domain users, then click OK
- Restart the Windows PCs the group policy targets, or run gpupdate /force in the command prompt on each machine to ensure the change has taken effect
To disable PIN sign-in for domain users, follow the same steps but disable the relevant option:
- Once you have navigated to Computer Configuration\Administrative Templates\System\Logon in the Group Policy Editor, right-click on the setting named Turn on convenience PIN sign-in and click Edit
- Select Disabled or Not Configured to turn off PIN sign in for Windows 10 domain users, then click OK
- Restart the Windows PCs the group policy targets, or run gpupdate /force in the command prompt on each machine to ensure the change has taken effect
If your changes to how your Windows domain users can sign in don’t take effect, make sure that you are targeting the right OUs and that there are no conflicting policies — the most restrictive policy will always take precedence in case of a conflict.
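The same policy can be created, linked, set and verified from PowerShell, which is useful when the change must be repeated across several OUs or audited afterwards. The script below is an added example for this guide, not code from the original article or from NinjaOne; it uses the GroupPolicy module that ships with GPMC/RSAT, and the GPO name, OU distinguished name and computer names are placeholders. The registry location it writes is the one the "Turn on convenience PIN sign-in" setting itself uses (HKLM\SOFTWARE\Policies\Microsoft\Windows\System, value AllowDomainPINLogon, 1 = Enabled, 0 = Disabled, absent = Not Configured).

```powershell
# Added example: manage "Turn on convenience PIN sign-in" with the GroupPolicy
# module from a domain controller, then confirm the effective value on clients.
Import-Module GroupPolicy

$GpoName  = 'Workstations - PIN sign-in'            # placeholder: your GPO name
$TargetOu = 'OU=Workstations,DC=example,DC=com'     # placeholder: your OU

# Registry-backed policy behind Computer Configuration\Administrative
# Templates\System\Logon\Turn on convenience PIN sign-in.
$PolicyKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyValue = 'AllowDomainPINLogon'

# Create the GPO once and link it to the OU whose computers it should target.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Controls convenience PIN sign-in for domain users' | Out-Null
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

function Set-PinSignInPolicy {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Disabled', 'NotConfigured')] [string] $State
    )
    switch ($State) {
        'Enabled'       { Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $PolicyValue -Type DWord -Value 1 | Out-Null }
        'Disabled'      { Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $PolicyValue -Type DWord -Value 0 | Out-Null }
        'NotConfigured' { Remove-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $PolicyValue -ErrorAction SilentlyContinue | Out-Null }
    }
    # Read back what the GPO now contains (nothing is returned for NotConfigured).
    Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $PolicyValue -ErrorAction SilentlyContinue
}

function Get-EffectivePinPolicy {
    # Reads the applied policy value on each client; run after the machines have
    # refreshed policy (reboot or "gpupdate /force"). Requires WinRM access.
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                              -Name 'AllowDomainPINLogon' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            AllowDomainPINLogon = $(if ($null -eq $v) { 'NotConfigured' } else { $v.AllowDomainPINLogon })
        }
    } | Select-Object Computer, AllowDomainPINLogon
}

# Enable PIN sign-in; pass 'Disabled' or 'NotConfigured' to turn it off instead.
Set-PinSignInPolicy -GpoName $GpoName -State Enabled

# Verify on a few targeted workstations (placeholder names). A value of
# 'NotConfigured' on a machine that should be affected usually means the GPO is
# linked to the wrong OU or has not been refreshed yet; "gpresult /r /scope:computer"
# on that machine lists which GPOs actually applied.
Get-EffectivePinPolicy -ComputerName 'WS01', 'WS02' | Format-Table -AutoSize
```

Because the setting lives under Computer Configuration, the GPO must be linked to an OU containing the computer objects, not the user accounts; the verification function makes that mistake visible immediately, since the affected machines will still report the value as not configured.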
Use cases for PIN authentication in domain environments
Managing whether users can sign in with PIN to Windows 10 using group policy is a convenient way for administrators to centrally manage their users’ login options. The granular nature of Group Policy Objects means they can be assigned to OUs and only affect targeted users.
PIN sign in itself is convenient for users who share workstations and need to be able to log in and log out quickly, for example in enterprise or education environments. As PINs only work on the specific device they are configured on, they also offer protection against phishing: even if a user accidentally discloses their PIN, it cannot be used to access their account on the Windows Domain from another machine or remotely.
Windows Hello for Business authentication is also particularly useful in offline scenarios: As Windows Hello data is stored locally, users can authenticate even when they have no connection to the internet or their work VPN.
Comparison with other authentication methods
The authentication options provided by Windows Hello for Business are a security improvement over traditional passwords. Both PIN and biometric logins are device-specific, preventing their disclosure from compromising other parts of your IT infrastructure.
Biometrics offers increased security over PINs (where it is allowed to be used), as biometric credentials are incredibly hard to steal, and cannot be guessed or brute-forced.
Manage security configurations with ease
Managing whether users can sign in with PIN to Windows 10 is just one of the configuration options that you may want to deploy to a subset of domain users (e.g., to simplify login), or organization-wide (e.g., to meet regulatory requirements).
Windows domains greatly streamline the management of fleets of Windows devices and the people who use them. However, in enterprise-scale deployments with hundreds or thousands of devices, maintaining visibility and ensuring that each device is secure while addressing users’ individual requirements is challenging. Additionally, while there are security advantages to using Windows Hello, the authentication methods available on a particular device do not guarantee its security.
An end-to-end mobile device management (MDM) solution from NinjaOne provides full oversight over all of your IT infrastructure. It allows you to manage security configurations, monitor for suspicious activity, and lock down lost, stolen, or compromised devices, protecting the data on them, even if their owner’s credentials have been compromised.