

Migrate from convenience PINs to Windows Hello for Business

Question

Monday, September 9, 2019 7:14 PM

Hi,

I received some requests to configure fingerprint authentication on Microsoft tablet devices.

It looks like we need to set up a PIN to be able to use fingerprints, but since 1607 it's disabled by default for computers that are joined to a domain.

I know that I can easily enable convenience PINs via GPO, but Microsoft said they will be deprecating convenience PINs:

docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq

New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.

 

My questions:

1- Is it easy to migrate from convenience PINs to Hello for Business?

I'm trying to understand the impact of configuring convenience PINs to quickly answer the need and then migrating to Hello for Business if we are ready in a few months.

 

2- I know that Hello for Business is more secure than convenience PINs, but is there any detailed explanation of the difference?

If somebody sees the PIN and has the device, he can unlock it and access all resources to which the user has appropriate access in both scenarios, no?

 

Thanks,

Jimmy

All replies (6)

Tuesday, September 10, 2019 6:16 AM ✅Answered

Hi Jimmy, 

A convenience PIN is very different from Windows Hello for Business because, unlike the more secure option, it is merely a wrapper for the user's domain password. When signing in with a convenience PIN, the user's password is cached and substituted by the local system.

Yeah, if somebody sees the PIN and has the device, he can unlock it and access all resources, just as if you had lost your password and device.

No need to migrate; the convenience PIN is disabled by default since Windows 10 1607. We just need to deploy Windows Hello for Business using the link below.

Windows Hello for Business Deployment Guide 

This guide describes two deployment models of Windows Hello for Business: Hybrid for Azure Active Directory environments and On-premises for Active Directory environments.

Bests, 

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Wednesday, September 11, 2019 9:11 AM ✅Answered

Hi Jimmy,

If you need more time to deploy Windows Hello in the future, we could use a convenience PIN instead.

For a domain-joined PC, we just need to deploy the group policy "Computer Configuration\Administrative Templates\System\Logon\Turn on convenience PIN sign-in".

When you want to use Windows Hello, just disable this convenience PIN sign-in policy and deploy Windows Hello on your side. I think it would be easy for you.

Bests, 

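A read-only check of which of the two policies discussed in this reply is applied on a domain-joined PC, as an added example that is not part of the original thread. It assumes the policies are stored in the registry values `AllowDomainPINLogon` and `PassportForWork\Enabled` under `HKLM:\SOFTWARE\Policies`; the function names are hypothetical, and only the computer-side policy is read.

```powershell
# Added example (not from the thread). Read-only: reports the PIN sign-in
# policy state so machines still on convenience PIN can be found later.
# Assumption: the two policies write the registry values listed here.
$PolicyLocations = @{
    ConveniencePin   = @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'AllowDomainPINLogon' }
    HelloForBusiness = @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'; Name = 'Enabled' }
}

function Get-PolicyValue {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    # $null means "Not configured": the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PinPolicyState {
    param($ConveniencePin, $HelloForBusiness)
    $pinOn   = ($ConveniencePin -eq 1)
    $helloOn = ($HelloForBusiness -eq 1)
    if ($pinOn -and $helloOn) { return 'Overlap: convenience PIN policy still enabled next to Windows Hello for Business' }
    if ($helloOn)             { return 'Windows Hello for Business policy enabled' }
    if ($pinOn)               { return 'Convenience PIN enabled: password-backed PIN in use, plan the switch' }
    return 'Neither policy enabled (convenience PIN is off by default on domain-joined PCs since 1607)'
}

function Get-PinPolicyReport {
    # Splat the path/name pairs into the reader, then classify the result.
    $pinLoc   = $PolicyLocations.ConveniencePin
    $helloLoc = $PolicyLocations.HelloForBusiness
    $pin   = Get-PolicyValue @pinLoc
    $hello = Get-PolicyValue @helloLoc
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ConveniencePin   = if ($null -eq $pin)   { 'NotConfigured' } else { $pin }
        HelloForBusiness = if ($null -eq $hello) { 'NotConfigured' } else { $hello }
        State            = Get-PinPolicyState -ConveniencePin $pin -HelloForBusiness $hello
    }
}

Get-PinPolicyReport
```

Collecting this output per machine gives the list of PCs where the convenience PIN policy has to be disabled when Windows Hello for Business is rolled out.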


Thursday, September 12, 2019 9:15 AM ✅Answered

Hi Jimmy,

We have not found or received any information about the exact date. So I think you could use the convenience PIN for the next several months.

Bests, 



Tuesday, September 10, 2019 9:17 PM

Hi Joy,

I know that we don't need to migrate as it's disabled now, but my question is: am I making a mistake by enabling the convenience PIN to quickly answer the need and then deploying Windows Hello for Business when I have more time in a few months?

Is it easy to migrate?

Thanks,

Jimmy


Wednesday, September 11, 2019 10:44 AM

“Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.”

Is there any announcement regarding this date?

Thanks for your answers! Jimmy


Thursday, February 6, 2020 2:40 PM

Hello Jimmy,

We are in the same place. Management wants to use Windows Hello but I'm nervous about turning it on and then having to change everything to Business soon after that.

Have you been able to deploy Windows Hello for Business yet? If so, how was the migration from the PIN to certificate/server authentication?

Thanks,

Bradley