Use a hardware security device

A Trusted Platform Module (TPM) provides additional security benefits over software because data protected by it cannot be used on other devices.

If you enable this policy setting, Windows Hello for Business provisioning only occurs on devices with usable 1.2 or 2.0 TPMs. You can optionally exclude security devices, which prevents Windows Hello for Business provisioning from using those devices.

If you disable or do not configure this policy setting, the TPM is still preferred, but all devices may provision Windows Hello for Business using software if the TPM is non-functional or unavailable.

Supported on: At least Windows 10 Server or Windows 10
Registry PathSOFTWARE\Policies\Microsoft\PassportForWork
Value NameRequireSecurityDevice
Enabled Value1
Disabled Value0

Do not use the following security devices:

TPM 1.2
Registry PathSOFTWARE\Policies\Microsoft\PassportForWork\ExcludeSecurityDevices
Value NameTPM12
Default Value0
True Value1
False Value0


Administrative Templates (Computers)

Administrative Templates (Users)