Policy
Use Windows Hello for Business
Microsoft Windows
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT
Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. If you enable this policy, the device provisions Windows Hello for Business using keys or certificates for all users. If you disable this policy setting, the device does not provision Windows Hello for Business for any user. If you do not configure this policy setting, users can provision Windows Hello for Business as a convenience credential that encrypts their domain password. Select "Do not start Windows Hello provisioning after sign-in" when you use a third-party solution to provision Windows Hello for Business. If you select "Do not start Windows Hello provisioning after sign-in", Windows Hello for Business does not automatically start provisioning after the user has signed in. If you do not select "Do not start Windows Hello provisioning after sign-in", Windows Hello for Business automatically starts provisioning after the user has signed in.
Registry values
How enabled and disabled states update the registry.
| Scope | Registry location | Type | Enabled value | Disabled value | Copy |
|---|---|---|---|---|---|
Path SOFTWARE\Policies\Microsoft\PassportForWork Value name Enabled | REG_DWORD | HKLM 1 HKCU 1 | HKLM 0 HKCU 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Scope | Element | Type | Registry mapping | Constraints & behavior | Copy |
|---|---|---|---|---|---|
Do not start Windows Hello provisioning after sign-in ID MSPassport_DisablePostLogonProvisioning | boolean | Path SOFTWARE\Policies\Microsoft\PassportForWork Value name DisablePostLogonProvisioning Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |