How to set up Windows Hello
Why this matters
Your Microsoft account password is the same string an attacker can phish, brute-force, or find in a breach. The Windows Hello PIN is different: it’s a short number that only works on this specific device, and the cryptographic key it unlocks is stored in the TPM chip — a hardware module that wipes itself after too many wrong tries.
A Windows Hello PIN paired with biometric unlock (face or fingerprint) is more secure than a long password, dramatically faster to use, and immune to remote attack — an attacker on the other side of the internet has no way to use it.
How to do it
- Open Settings → Accounts → Sign-in options.
- Click Windows Hello PIN → Set up. Choose a 6+ digit PIN that’s not a date or sequence.
- If your laptop has a fingerprint reader or IR camera, set up Fingerprint recognition or Facial recognition too.
- Turn on the setting "For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device". This disables falling back to the password locally.
- Test by signing out and signing back in with each method you enabled.
What you don’t need
You don’t need to disable your Microsoft account password — keep it for account recovery and remote sign-in to Microsoft services. Windows Hello is the local sign-in, separate from your account password.
Sign out of Windows and confirm you can sign back in with your face, fingerprint, or Windows Hello PIN.
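To confirm the two properties this guide relies on (a working TPM and password fallback turned off), the following check can be run from an elevated PowerShell window. It is an added example, not part of the original guide; the function name Test-HelloHardening is hypothetical, and the registry location of the sign-in toggle is an assumption based on current Windows 10/11 builds.

```powershell
# Added example: run in an elevated PowerShell session (Get-Tpm requires admin rights).
function Test-HelloHardening {
    # Get-Tpm reports whether a TPM exists, is usable, and its anti-hammering state.
    $tpm = Get-Tpm

    # Assumption: the "only allow Windows Hello sign-in" toggle is stored here
    # on current Windows 10/11 builds (2 = on, 0 or missing = off).
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device'
    $name = 'DevicePasswordLessBuildVersion'
    $val  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    [pscustomobject]@{
        TpmPresent      = $tpm.TpmPresent
        TpmReady        = $tpm.TpmReady
        TpmLockedOut    = $tpm.LockedOut      # true while the TPM is refusing guesses
        TpmLockoutCount = $tpm.LockoutCount   # failed authorizations counted so far
        HelloOnlySignIn = ($val -eq 2)
    }
}

$result = Test-HelloHardening
$result | Format-List

if (-not ($result.TpmPresent -and $result.TpmReady)) {
    Write-Warning 'No ready TPM found: the Hello key is not hardware-protected on this device.'
}
if (-not $result.HelloOnlySignIn) {
    Write-Warning 'Password fallback is still allowed for local sign-in on this device.'
}
```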