Policy
Use a hardware security device
Microsoft Windows
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT
A Trusted Platform Module (TPM) provides additional security benefits over software because data protected by it cannot be used on other devices. If you enable this policy setting, Windows Hello for Business provisioning only occurs on devices with usable 1.2 or 2.0 TPMs. You can optionally exclude security devices, which prevents Windows Hello for Business provisioning from using those devices. If you disable or do not configure this policy setting, the TPM is still preferred, but all devices may provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
Registry values
How enabled and disabled states update the registry.
| Scope | Registry location | Type | Enabled value | Disabled value | Copy |
|---|---|---|---|---|---|
| Computer | Path SOFTWARE\Policies\Microsoft\PassportForWork Value name RequireSecurityDevice | REG_DWORD | HKLM 1 | HKLM 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Scope | Element | Type | Registry mapping | Constraints & behavior | Copy |
|---|---|---|---|---|---|
| Computer | TPM 1.2 ID MSPassport_ExcludeTPM12DataType | boolean | Path SOFTWARE\Policies\Microsoft\PassportForWork\ExcludeSecurityDevices Value name TPM12 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |