How To Manage Windows 10 PIN Complexity Settings

Users can sign in to their user accounts created on Windows, whether a Local or a Microsoft account, through their Personal Identification Number (PIN), as opposed to entering their entire lengthy passwords. This sign-in method has long been a part of Windows Hello in Windows 10.

By default, the PIN consists of digits only and can be between 4 and 127 characters long. However, this can be changed to keep the quick sign-in option while increasing the security of your computer.

How to configure Windows Hello PIN

Before we begin to manage the characteristics of the PIN, let us show you how you can create a sign-in PIN for your account on Windows 10. Often users prefer creating this right after a fresh installation, as it is more convenient to sign in to their accounts. Plus, a PIN is much easier to remember.

Follow the steps below to configure a PIN sign-on:

  1. Navigate to the following:
    Start Menu -> Settings -> Accounts -> Sign-in options
  2. Click on Windows Hello PIN under Sign-in Options.
  3. Then click on Add.
  4. You will then be asked to provide the account password for authentication. Enter the password and click Ok.
  5. Now enter and confirm the new PIN you wish to set. You may also check the box next to Include letters and symbols to make the PIN alpha-numeric. Click Ok when done.

You have now successfully configured the Windows PIN Sign-on. If at any point you want to change or remove the PIN, simply navigate back to the Sign-in Options page and click on either option.

How to manage Windows Hello PIN

When configuring the Windows Hello PIN in Windows 10, a user is presented with minimal options to change. The only options they have are the length of the PIN and whether to make it alphanumeric.

However, using the Group Policy Editor in Windows 10, you can change the requirements that a PIN must meet.

Windows 10 Home edition users will need to download and install the Group Policy Editor as gpedit.msc is not available by default.

There are several options you can configure from the Group Policy Editor to manage your PIN requirements. Continue reading to learn more about how you can do so.

First, open the Group Policy Editor by typing in gpedit.msc in Run, then navigate to the following from the left pane:
Computer Configuration -> Administrative Templates -> System -> PIN Complexity

You are then presented with a number of options to configure.

Let’s cover each option one by one so you understand what they are used for and how to configure them.

Require digits

Enabling this option makes it mandatory for the user to use at least one digit in the PIN. Without it, by checking the box next to Include letters and symbols, users could create a PIN made up entirely of letters. A sysadmin can make sure users include a number in their PIN to make it more secure.

  1. To enable this option, double-click on Require digits and then select Enabled.
    Then click Apply and Ok.
  2. To make the changes take effect, type in the following command in the Command Prompt:
    gpupdate /force

Require lowercase letters

As the name suggests, this option ensures that there is at least one lowercase letter in any PIN that is created. You can enable it by following the same steps given above for Require digits.

Maximum PIN length

By enabling this option, you can set the maximum number of characters that a user can use in a PIN. However, the value must be between 4 and 127, as permitted by Windows.

If you enter a number below 4, an error is given.

Similarly, entering a number above 127 results in an error.

  1. To enable this option, double-click on Maximum PIN length and then select Enabled.
  2. Now enter the number of maximum characters you want to allow below, and then click Apply and Ok.
  3. To make the changes take effect, type in the following command in the Command Prompt:
    gpupdate /force

Minimum PIN length

This option sets the minimum number of characters users must use when setting their PIN. Setting this to a number greater than 4 would increase the security of the PIN by making it more complex.

  1. To enable this option, double-click on Minimum PIN length and then select Enabled.
  2. Now enter the number of minimum characters you want to allow below, and then click Apply and Ok.
  3. To make the changes take effect, type in the following command in the Command Prompt:
    gpupdate /force

Expiration

By enabling the Expiration option, the administrator can set a limit on how long a PIN lasts. Any configured PIN will expire after the specified number of days, and the user will then be prompted to create a new PIN.

The value can be set in the number of days from 0 to 730 (2 years). By default, the value is 0, which means that the PIN never expires.

  1. To enable this option, double-click on Expiration and then select Enabled.
  2. Now enter the number of days you want to allow before the PIN expires, and then click Apply and Ok.
  3. To make the changes take effect, type in the following command in the Command Prompt:
    gpupdate /force

History

The History option, when enabled, prevents the user from reusing a configured number of their most recent PINs. That is, a user cannot use their old PIN again as their new PIN. The number of unusable past PINs can be configured from 1 to 50.

  1. To enable this option, double-click on History and then select Enabled.
  2. Now enter the number of past PINs you want to disallow, and then click Apply and Ok.
  3. To make the changes take effect, type in the following command in the Command Prompt:
    gpupdate /force

Require special characters

By enabling this option, users can be permitted to use special characters in their PINs. This makes the PIN more secure by increasing its complexity. Here is a list of the special characters that are allowed: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

  1. To enable this option, double-click on Require special characters and then select Enabled.
  2. To make the changes take effect, type in the following command in the Command Prompt:
    gpupdate /force

Require uppercase letters

Similar to Require lowercase letters, you can also configure user PINs to require uppercase letters. This will also increase the complexity of the PINs created.

  1. To enable this option, double-click on Require uppercase letters and then select Enabled.
  2. To make the changes take effect, type in the following command in the Command Prompt:
    gpupdate /force

Closing words

Using these options from the Group Policy Editor individually might not be as effective as using them in combination. For example, by making it mandatory for a PIN to have both uppercase and lowercase letters, as well as special characters and digits, the PIN would become very hard to decode through social engineering.

However, a PIN should not be so complex that it cannot be differentiated from a regular password, as the main purpose of the Windows Hello PIN is to make it easier for people to log in to their accounts.
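
To confirm after gpupdate /force that the combination of settings described above is actually in effect, the values the policy writes to the registry can be compared with a baseline. The PowerShell script below is an added example, not part of the original article; the registry path, the value names, the 1 = required encoding and the baseline numbers are assumptions to verify on your own system.

```powershell
# Added example: audit the PIN Complexity policy that is in effect on this PC.
# Assumption: the Computer Configuration template stores its settings under
# this key, and character-class settings use 1 = required, 2 = not allowed.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'

# Hypothetical baseline for illustration; replace with your own standard.
$Baseline = [ordered]@{
    MinimumPINLength  = 6
    Digits            = 1
    LowercaseLetters  = 1
    UppercaseLetters  = 1
    SpecialCharacters = 1
    History           = 5
}

function Test-PinPolicy {
    param(
        [hashtable] $Effective,
        [System.Collections.IDictionary] $Baseline
    )
    foreach ($name in $Baseline.Keys) {
        $want = $Baseline[$name]
        $have = $Effective[$name]   # $null when the setting is Not Configured
        if ($name -in 'MinimumPINLength', 'History') {
            # Numeric settings: an equal or stricter (larger) value passes.
            $ok = ($null -ne $have) -and ($have -ge $want)
        } else {
            $ok = ($have -eq $want)
        }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $want
            Effective = if ($null -eq $have) { 'Not Configured' } else { $have }
            Compliant = $ok
        }
    }
}

# Read only the values that exist; a missing key means nothing is configured.
$current = @{}
$key = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $Baseline.Keys) {
        $prop = $key.PSObject.Properties[$name]
        if ($prop) { $current[$name] = [int]$prop.Value }
    }
}
Test-PinPolicy -Effective $current -Baseline $Baseline | Format-Table -AutoSize
```

A setting reported as Not Configured means the corresponding policy was never enabled, so the default PIN rules apply to it.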
