Policy

Use a hardware security device

Windows 11 25H2

Back to categoryOpen picker

Policy overview

Key metadata and intent for this policy.

ClassComputer
CategoryWindows Components > Windows Hello for Business
Supported onAt least Windows 10

Supported OS tags: Windows10, Windows10RT

A Trusted Platform Module (TPM) provides additional security benefits over software because data protected by it cannot be used on other devices. If you enable this policy setting, Windows Hello for Business provisioning only occurs on devices with usable 1.2 or 2.0 TPMs. You can optionally exclude security devices, which prevents Windows Hello for Business provisioning from using those devices. If you disable or do not configure this policy setting, the TPM is still preferred, but all devices may provision Windows Hello for Business using software if the TPM is non-functional or unavailable.

Internal name
MSPassport_RequireSecurityDevice
Policy ID
bdd868053c63
Elements
1

Registry values

How enabled and disabled states update the registry.

Registry locationTypeEnabled valueDisabled value
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\RequireSecurityDeviceREG_DWORD
1
0

Policy elements

Inputs and configuration options exposed by this policy.

ElementTypeRegistry mappingConstraints & behavior
TPM 1.2
ID MSPassport_ExcludeTPM12DataType
boolean
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\ExcludeSecurityDevices\TPM12
Type REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0

Other policies in this category

Explore related policies at the same level.

View all policies in this category