Enabling the PIN Complexity Group Policy lets you force your users to create a complex PIN that uses digits, lowercase letters, uppercase letters, and special characters to sign in to Windows 11/10 or Windows Server.
To create a PIN for signing into Windows 11/10, you have to open Settings > Accounts > Sign-in options. Here, under PIN, you will see a Create or Add button to create a new PIN, or you will see a Change or Remove button to change the PIN or remove it. You can enforce a policy where your users are required to create a strong, complex PIN to sign in. Let us see how to do this.
Enable PIN Complexity Group Policy in Windows
To configure this policy, your version of Windows must ship with the Group Policy Editor. The Group Policy Editor is available in Windows 11/10 Pro, Enterprise, and Education editions only, not in Windows 11/10 Home.
Run gpedit.msc to open the Local Group Policy Editor and navigate to the following setting:
Computer Configuration > Administrative Templates > System > PIN Complexity
Here, you will see the following available settings:
- Require digits: Use this policy setting to configure the use of digits in the PIN.
- Require lowercase letters: Use this policy setting to configure lowercase letters in the PIN.
- Maximum PIN length: The largest number you can configure for this policy setting is 127.
- Minimum PIN length: The lowest number you can configure for this policy setting is 4.
- Expiration: This setting specifies the period (in days) that a PIN can be used before the system requires the user to change it.
- History: This setting specifies the number of past PINs that can be associated with a user account and cannot be reused.
- Require special characters: Use this policy setting to configure the use of special characters in the PIN.
- Require uppercase letters: Use this policy setting to configure the use of uppercase letters in the PIN.
Double-clicking any of these settings opens its configuration box. The options and their effects are as follows:
| Setting | Not configured | Enabled | Disabled |
| --- | --- | --- | --- |
| Require digits | Users must include a digit in their PIN. | Users must include a digit in their PIN. | Users cannot use digits in their PIN. |
| Require lowercase letters | Users cannot use lowercase letters in their PIN. | Users must include at least one lowercase letter in their PIN. | Users cannot use lowercase letters in their PIN. |
| Maximum PIN length | PIN length must be less than or equal to 127. | PIN length must be less than or equal to the number you specify. | PIN length must be less than or equal to 127. |
| Minimum PIN length | PIN length must be greater than or equal to 4. | PIN length must be greater than or equal to the specified number. | PIN length must be greater than or equal to 4. |
| Expiration | PIN does not expire. | PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting the policy to 0. | PIN does not expire. |
| History | Previous PINs are not stored. | Specify the number of previous PINs that can be associated with a user account and can’t be reused. | Previous PINs are not stored. |
| Require special characters | Users cannot include a special character in their PIN. | Users must include at least one special character in their PIN. | Users cannot include a special character in their PIN. |
| Require uppercase letters | Users cannot include an uppercase letter in their PIN. | Users must include at least one uppercase letter in their PIN. | Users cannot include an uppercase letter in their PIN. |
Go through the options carefully before you enable them.
As an example, let us say we want users to include special characters in their PIN. In this case, double-click Require special characters to open its configuration box.
Select Enabled and click on Apply.
Use this policy setting to configure the use of special characters in the PIN. Allowable special characters are: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ . If you enable this policy setting, Windows Hello for Business requires users to include at least one special character in their PIN. If you disable or do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.
Once you enable these policies, your users will be required to change their PIN, and they will be shown the PIN requirements that result from the policies you have set.
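The Not configured / Enabled / Disabled effects from the table and the allowable special-character list, modelled as a small PIN checker. This is an added example, not Microsoft's implementation or code from the original article; the function names, the policy dictionary keys and the sample PINs are assumptions made for illustration.

```python
import string

# Allowable special characters, as listed in the policy description.
SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")

CLASSES = {
    "digits": set(string.digits),
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "special": SPECIALS,
}

# Effect of "Not configured" per class, from the table: digits are
# required by default, the other three classes are not allowed.
DEFAULT_RULE = {"digits": "required", "lowercase": "forbidden",
                "uppercase": "forbidden", "special": "forbidden"}

def class_rule(name, policy):
    """Map a setting's state to its effect on the PIN."""
    state = policy.get(name, "not_configured")
    if state == "enabled":
        return "required"
    if state == "disabled":
        return "forbidden"
    return DEFAULT_RULE[name]

def check_pin(pin, policy=None):
    """Return the list of policy violations; an empty list means accepted."""
    policy = policy or {}
    # An integer means the length setting is Enabled with that value; a
    # missing key means Not configured or Disabled (4 and 127 per the table).
    min_len = policy.get("min_length", 4)
    max_len = policy.get("max_length", 127)
    problems = []
    if len(pin) < min_len:
        problems.append(f"shorter than {min_len}")
    if len(pin) > max_len:
        problems.append(f"longer than {max_len}")
    for name, chars in CLASSES.items():
        rule = class_rule(name, policy)
        present = any(c in chars for c in pin)
        if rule == "required" and not present:
            problems.append(f"{name} required")
        elif rule == "forbidden" and present:
            problems.append(f"{name} not allowed")
    return problems

if __name__ == "__main__":
    # Constructed policy: the article's example plus a longer minimum length.
    policy = {"special": "enabled", "min_length": 6}
    for pin in ("1234", "12#456", "Ab#456"):
        print(pin, check_pin(pin, policy) or "ok")
```

Note that enabling only Require special characters still rejects letters, because the letter settings remain Not configured and that state disallows them.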
I hope this helps.
What is the PIN length of Windows Hello Group Policy?
The PIN must be at least 4 characters, but it can’t be longer than 127 characters. The latter defeats the purpose of a PIN, but Microsoft allows you to make it even more complex by including special characters and so on.
Why can’t I remove the Windows PIN?
The ‘Remove’ button may appear greyed out if the passwordless sign-in option is activated on the Windows account, or if the passwordless feature is turned on in your Microsoft account.