The Ultimate Guide to Windows Hello for Business

Employees forget passwords all the time. It's part of daily life for busy professionals.

What happens when they can't log in?

They reset their password, either by calling IT (and costing the company up to $70) or by handling it on their device. Most of the time, they pick something easier to remember, hoping to avoid the hassle of changing passwords again.

Then they get back to work, oblivious to the risk their easy-to-crack password poses to their organization.

It's no surprise that 81% of company data breaches are caused by poor passwords.

So what can you do to protect your company and thwart password-related security nightmares, aside from educating your workforce?

You can turn to Windows Hello for Business and replace passwords with robust two-factor authentication on Windows 10 and 11 devices.

But first, let's find out what Windows Hello for Business is.

What is Windows Hello for Business?

Windows Hello for Business replaces passwords with strong authentication for domain-joined physical Windows desktops and laptops. Windows Hello for Business is a more secure version of Windows Hello, which many individual and home users are familiar with.

Windows Hello uses facial recognition or fingerprint matching to provide fully integrated biometric authentication. It uses a combination of infrared (IR) cameras and software to enhance accuracy and thwart spoofing attempts.

Why is a PIN better than a password?

Windows Hello in Windows 10 allows users to sign in to their device using a PIN.

On the face of it, a PIN can be a string of digits and letters, much like a password.

So why is a PIN better than a password?

PIN is tied to the device: Unlike an online password, a Hello PIN is tied to a specific device. So, if someone learns your PIN, they would also have to steal your physical device to sign in to your account.

PIN is local to the device: A PIN is not stored on the server. When you create a PIN on your device, it forms a trusted relationship with the identity provider (in this case, you) by creating an asymmetric key pair. Each time you enter your PIN, the authentication key is unlocked and used to sign the authentication request that is sent to the authentication server.

PIN has hardware support: The Hello PIN has another layer of hardware security in the form of a chip called Trusted Platform Module (TPM), which has several physical security mechanisms that make it resistant to tampering.

Windows Hello vs Windows Hello for Business


Windows Hello is meant for individuals and home users. For enterprises, Microsoft offers a more relevant solution called Windows Hello for Business. Teams of all sizes can benefit from Windows Hello for Business, which provides increased efficiency, security, and integration.

Here are the differences between Windows Hello and Windows Hello for Business:

Sign-in
  • Windows Hello: individuals create a PIN or biometric gesture on their own devices for sign-in.
  • Windows Hello for Business: configured through Group Policy or mobile device management (MDM).

Authentication
  • Windows Hello: this configuration is referred to as a Windows Hello convenience PIN. It is not backed by asymmetric or certificate-based authentication.
  • Windows Hello for Business: always uses key-based or certificate-based authentication.

Security
  • Windows Hello: reduces the possibility of keyloggers or password phishing, but the login process may still use your password hash.
  • Windows Hello for Business: significantly more secure than Windows Hello.

Windows Hello for Business Setup

Microsoft has two main methods to set up Windows Hello for Business: Cert-Trust and Key-Trust.

We are going to look at the Key-Trust (or the Hybrid Key Trust) Windows Hello for Business setup method here.

Follow the instructions below to set up Windows Hello for Business step by step.

Prerequisites

Hybrid environments are distributed systems that allow organizations to use on-prem and Azure-based identities and resources.

Windows Hello for Business builds on this existing distributed infrastructure to provide two-factor authentication for a single sign-in. A hybrid deployment involves multiple pieces of on-prem and cloud infrastructure, including:

  1. Directories
  2. Public Key Infrastructure
  3. Directory Synchronization
  4. Federation
  5. Multifactor authentication
  6. Device Registration

To deploy Hybrid Key Trust, your organization has to register its domain-joined devices with Azure Active Directory.

To initiate Windows Hello for Business provisioning, allow access to the URL account.microsoft.com. The provisioning flow contacts this URL to carry out its next steps.

New Installation

Check whether the following technologies, each of which needs to be configured, already exist in your infrastructure:

  1. Active Directory
  2. Public Key Infrastructure
  3. Azure Active Directory
  4. Multifactor Authentication Services

To deploy a simple public key infrastructure suitable for a lab environment, sign in with Enterprise Admin-equivalent credentials to the Windows Server 2012 (or later) machine where the certificate authority will be installed, then:

  1. Open an elevated Windows PowerShell prompt.
  2. Install the Active Directory Certificate Services role with the following command:

     Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

  3. Configure the Certificate Authority using a basic certificate authority configuration:

     Install-AdcsCertificationAuthority
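The two commands above run interactively and leave the CA's key size, hash algorithm and validity to the wizard. The following script is an added example (not from the original article) that performs the same lab setup in one pass with those choices made explicit and then verifies the result. It assumes an elevated PowerShell session on a domain-joined Windows Server 2012 or later, run with Enterprise Admin-equivalent credentials; the CA name and five-year validity are assumed lab values.

```powershell
# Added example, not from the original article: lab-only enterprise root CA
# in one pass. Assumes an elevated session on a domain-joined server with
# Enterprise Admin-equivalent credentials. CA name and validity are assumed.
#Requires -RunAsAdministrator

$caName = 'LAB-ROOT-CA'   # assumed lab CA name

# 1. Install the AD CS role and its management tools (the article's first command).
$result = Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
if (-not $result.Success) {
    throw "AD CS role installation failed with exit code $($result.ExitCode)"
}

# 2. Configure an enterprise root CA (the article's second command), pinning
#    the key size and hash so the lab CA does not end up on SHA-1 or a short key.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCa `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# 3. Verify: the CA service is running and the new root certificate sits in
#    the local machine's trusted root store, which is what domain members
#    consult when they validate the domain controller certificates issued later.
$service  = Get-Service -Name CertSvc
$rootCert = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$caName*" }

[pscustomobject]@{
    CAService       = $service.Status
    RootCertPresent = [bool]$rootCert
    Thumbprint      = $rootCert.Thumbprint
    SignatureAlg    = $rootCert.SignatureAlgorithm.FriendlyName
}
```

Run it once on the future CA server; if the final object reports the CA service as Running and a sha256RSA root certificate, domain controllers can be enrolled against this CA for the key-trust deployment described below.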

Next, follow the Azure AD tenant creation process to provision an Azure tenant for your organization.

After configuring your Azure MFA settings, review how to require two-step verification for a user.

Configure Directory Synchronization

Hybrid Windows Hello for Business deployment requires both a cloud and an on-prem identity to authenticate and access resources.

Synchronize the on-prem Active Directory with Azure Active Directory. First, review Microsoft's guidance on integrating on-prem directories with Azure Active Directory, along with the hardware requirements and prerequisites. Then download the software.

If the user principal name (UPN) in your on-prem Active Directory is different from the UPN in Azure AD, take the following steps:

  • Configure Azure AD Connect to sync the user's on-prem UPN to the onPremisesUserPrincipalName attribute in Azure AD.
  • Add the domain name of the on-prem UPN as a verified domain in Azure AD.
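Before running Azure AD Connect it helps to know which UPN suffixes are actually in use on-prem, since any suffix that is not a verified domain in the tenant will need the steps above. The following is an added example (not from the original article) that lists enabled users whose UPN suffix is not in a verified-domain list. It assumes the RSAT ActiveDirectory module; the verified-domain list is a constructed placeholder you would replace with the domains shown in the Azure portal.

```powershell
# Added example, not from the original article: find on-prem users whose UPN
# suffix is not a verified domain in Azure AD. Assumes the RSAT
# ActiveDirectory module; $verifiedDomains is a constructed placeholder.
Import-Module ActiveDirectory

# Constructed placeholder: replace with your tenant's verified domains.
$verifiedDomains = @('contoso.com', 'corp.contoso.com')

# Suffixes the forest is configured to allow, for comparison.
"Forest UPN suffixes: $((Get-ADForest).UPNSuffixes -join ', ')"

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName }

$mismatched = foreach ($u in $users) {
    $suffix = $u.UserPrincipalName.Split('@')[-1].ToLowerInvariant()
    if ($verifiedDomains -notcontains $suffix) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $u.UserPrincipalName
            Suffix            = $suffix
        }
    }
}

# Group by suffix so you can see which domains need verifying in Azure AD,
# then keep the full list for remediation.
$mismatched | Group-Object Suffix | Sort-Object Count -Descending |
    Select-Object @{ n = 'Suffix'; e = { $_.Name } }, Count
$mismatched | Export-Csv -Path .\upn-suffix-mismatches.csv -NoTypeInformation
```

An empty result means every enabled user's UPN already matches a verified domain and no onPremisesUserPrincipalName workaround is needed.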

In the Select your scenario based on your identity infrastructure section, identify your configuration (Managed environment or Federated environment) and perform steps applicable to your environment.

The configuration for Windows Hello for Business is grouped in the following four categories:

  1. Active Directory
  2. Azure AD Connect
  3. Public Key Infrastructure
  4. Group Policy

Provisioning

Provisioning begins immediately after the user signs in and after the user profile gets loaded, but before the user receives their desktop.

Validate that the computer has completed device registration: the User Device Registration log shows 'Yes' for the check "Device is Azure Active Directory-joined (AADJ or DJ++)".
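The quickest way to perform that validation on the workstation is the built-in dsregcmd tool. The script below is an added example (not from the original article) that parses dsregcmd /status, reports whether the device is hybrid Azure AD joined (DJ++), Azure AD joined only (AADJ) or unregistered, and in the last case pulls recent errors from the User Device Registration event log. The field names (AzureAdJoined, DomainJoined, DeviceId, TenantName) are the ones dsregcmd prints; the function name is an assumption.

```powershell
# Added example, not from the original article: confirm device registration
# before Windows Hello for Business provisioning. Uses the built-in
# dsregcmd /status output; the function name is assumed.
function Get-DeviceRegistrationState {
    $raw = dsregcmd /status
    $state = @{}
    foreach ($line in $raw) {
        # Lines look like "   AzureAdJoined : YES"; keep simple key/value pairs.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined'] -eq 'YES'
        DomainJoined  = $state['DomainJoined']  -eq 'YES'
        DeviceId      = $state['DeviceId']
        TenantName    = $state['TenantName']
    }
}

$reg = Get-DeviceRegistrationState
if ($reg.DomainJoined -and $reg.AzureAdJoined) {
    "Hybrid Azure AD joined (DJ++): device $($reg.DeviceId) in tenant $($reg.TenantName). Provisioning can proceed."
}
elseif ($reg.AzureAdJoined) {
    "Azure AD joined only (AADJ): suitable for cloud-only, not for hybrid key trust."
}
else {
    "Device registration has not completed. Recent errors from the registration log:"
    Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 3 } |     # 1 = critical, 2 = error, 3 = warning
        Select-Object TimeCreated, Id, Message |
        Format-Table -AutoSize -Wrap
}
```

Because the hybrid key-trust path needs both DomainJoined and AzureAdJoined, the first branch is the only one in which the "Set up a PIN" page that follows will actually appear.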

Windows Hello for Business provisioning starts with a full-screen page. Click Set up a PIN.

The provisioning flow proceeds to multi-factor authentication. Provisioning informs the user that it is actively attempting to contact them through their configured form of Windows Hello for Business MFA. The provisioning process won't move forward until authentication succeeds, fails, or times out.

A failed or timed-out MFA attempt produces an error, and the user is asked to retry.

After a successful MFA, the provisioning flow asks the user to create and validate a PIN that meets the environment's complexity requirements.

Windows Hello for Business requests an asymmetric key pair for the user. Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key.

When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign in.

Windows Hello for Business - Costs

Before we come to the Windows Hello for Business cost, it's worth noting that Windows Hello for Business is part of the Azure Active Directory (Azure AD), which, in turn, is now part of Microsoft Entra.

Let's break this down.

Microsoft Entra was launched on 31 May 2022 and includes a suite of identity and access products, one of which is Azure AD.

Now, it might take a while to wrap one's head around the full scope and scale of Microsoft Entra, considering it's a recently launched group of packaged Microsoft products, but Azure AD has been around for some years.

As far as Windows Hello for Business is concerned, you can access it if you have Azure AD.

Azure AD is available in four editions:

  1. Azure AD Free
  2. Office 365
  3. Azure AD Premium P1
  4. Azure AD Premium P2

Azure AD subscription plans (graphic)

As is clear from the above graphic, all four editions of Azure AD include Windows Hello for Business.

So, if you want to take advantage of Windows Hello for Business, you can do so at no cost. But you'll have to figure out whether your organization needs the benefits that come with Azure AD Premium P1 and Azure AD Premium P2, both of which have a per-user monthly cost.

Windows Hello for Business Deployment Guide

To deploy Windows Hello for Business, find out which deployment method is suitable for your organization. You can determine this by using the Passwordless Wizard in the Microsoft 365 admin center or the Planning a Windows Hello for Business Deployment guide. You now have all the information you need to deploy Windows Hello for Business.

Certain baseline infrastructure is needed for the deployment, for both on-premises and hybrid models. The minimum requirements are:

  1. A well-connected, functioning network
  2. Internet access
  3. Multi-factor Authentication during provisioning
  4. Proper name resolution
  5. Active Directory and an adequate number of domain controllers
  6. Active Directory Certificate Services 2012 or later
  7. Workstation computers running Windows 10, version 1703 or later
  8. Ensure the appropriate server operating system is installed with the latest patches and joined to the domain if you are installing a server role for the first time

Deployment and trust models

Windows Hello for Business has three deployment models:

  • Azure AD cloud only
  • Hybrid
  • On-premises

Hybrid has three trust models:

  • Key trust
  • Certificate trust
  • Cloud trust

On-premises deployment models only support certificate trust and Key trust.

Hybrid deployments are for organizations that use Azure AD. On-premises deployments are for organizations that exclusively use on-premises Active Directory.

For environments using Azure AD, it is mandatory to use hybrid deployment models for all domains in that domain forest.

The type of trust model determines how users will authenticate to the on-prem Active Directory:

Type of model and description:

Key trust
  • For enterprises that don't want to issue end-entity certificates to users and have an adequate number of 2016 domain controllers in each site to support authentication
  • Requires Active Directory Certificate Services
Cloud trust
  • For hybrid enterprises that don't want to issue end-entity certificates to users and have an adequate number of 2016 domain controllers in each site to support authentication
  • Simpler to deploy than key trust and does not require Active Directory Certificate Services
Certificate trust
  • For enterprises that do want to issue end-entity certificates to users and have the benefits of certificate expiration and renewal
  • Supports enterprises that are not ready to deploy Windows Server 2016 domain controllers

Windows Hello for Business - Licensing

Windows Hello for Business usually does not come as a stand-alone licensing solution. Your organization can access it through Azure AD.

As we've seen above, Azure AD comes in four editions: Azure AD Free, Office 365, Azure AD Premium P1, and Azure AD Premium P2. Of these, the first two are free of charge. All four editions of Azure AD include Windows Hello for Business.

  • Azure AD Premium P1 costs US$6 per user per month
  • Azure AD Premium P2 costs US$9 per user per month

Windows Hello for Business - Authentication Methods

As we've seen earlier, Windows Hello is meant for consumers and home users, while Windows Hello for Business is an enterprise version which is slowly but surely taking the business world towards a passwordless future.

In general, there are four Windows Hello for Business authentication methods.

Windows Hello uses three methods:

  • PIN
  • Facial recognition (Biometric)
  • Fingerprint (Biometric)

Windows Hello for Business takes this a step further by using a PIN code backed by an asymmetric pair of keys or certificate-based authentication.

Let's look at the key features of each:

PIN

  • A Windows Hello login personal identification number (PIN) is an easy-to-remember code and usually has four digits (though some organizations allow other combinations).
  • If someone knows your PIN, they can get access to only that specific computer. The PIN cannot unlock your Microsoft account on any other computer.
  • The PIN is necessary before setting up biometrics and is backed by the Trusted Platform Module (TPM) chip.

Facial recognition

  • Windows Hello facial authentication uses a specially configured camera to authenticate and unlock Windows 10 devices and unlock your Microsoft Passport.
  • Provides enterprise-grade authentication and access to content protected by Microsoft Passport Pro.
  • Provides a consistent image (using infrared) in different lighting conditions, also allowing for subtle changes in appearance.

Fingerprint

  • If your laptop has a fingerprint reader, it is typically located below the right side of the keyboard or next to the display.
  • Fingerprint authentication is attractive because of its simplicity. You just have to press your finger on the reader to access your system.
  • Since your fingerprints are unique to you, it's a secure way to log in to your computer.

Key or certificate-based authentication

  • Windows Hello for Business credentials are based on a certificate or an asymmetric key pair and can be bound to the device.
  • Identity providers (such as Azure AD) validate user identity and map the Windows Hello public key to a user account during registration. Keys may be generated in hardware or software.
  • Authentication is two-factor: a combination of a key or certificate tied to a device and a PIN or biometric gesture. The Windows Hello gesture is not shared with the server and does not roam between devices.
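The bullets above, together with the earlier "Why is a PIN better than a password?" section, describe a challenge-response sign-in in which the server only ever sees a public key and a signature. The script below is an added example (not from the original article or from Microsoft) that models that exchange with .NET RSA classes so the three properties the article claims can be checked directly: the right PIN on the registered device signs in, the same PIN on a different device does not, and an old signature cannot be replayed. It assumes PowerShell 7; the in-memory key stands in for a TPM-protected key, and all names and the sample PIN are constructed.

```powershell
# Added example, not from the original article: toy model of key-based
# Windows Hello for Business sign-in. Assumes PowerShell 7. The in-memory
# RSA key stands in for the TPM-held key; PIN and names are constructed.
using namespace System.Security.Cryptography

# --- Device side: what provisioning creates --------------------------------
$devicePin = '482913'            # constructed PIN; never leaves the device
$deviceKey = [RSA]::Create(2048) # stands in for the TPM-protected private key

function Unlock-DeviceKey([string]$pin) {
    # Toy gate: the private key is usable only when the right PIN is entered locally.
    if ($pin -ne $devicePin) { return $null }
    return $deviceKey
}

function New-ChallengeSignature([string]$pin, [byte[]]$nonce) {
    $key = Unlock-DeviceKey $pin
    if (-not $key) { throw 'Wrong PIN: key stays locked' }
    return $key.SignData($nonce, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
}

# --- Identity provider side: what registration stores ----------------------
$registeredPublicKey = $deviceKey.ExportParameters($false)   # public half only

function Test-SignIn([byte[]]$nonce, [byte[]]$signature) {
    $verifier = [RSA]::Create()
    $verifier.ImportParameters($registeredPublicKey)
    return $verifier.VerifyData($nonce, $signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
}

function New-Nonce {
    $n = [byte[]]::new(32)
    [RandomNumberGenerator]::Fill($n)   # IdP issues a fresh, unpredictable challenge
    return $n
}

# --- Exchange ---------------------------------------------------------------
$nonce = New-Nonce
$sig   = New-ChallengeSignature -pin $devicePin -nonce $nonce
'Correct PIN on the registered device : {0}' -f (Test-SignIn $nonce $sig)

# A stolen PIN without the device is useless: another device's key cannot
# produce a signature that verifies against the registered public key.
$otherDevice = [RSA]::Create(2048)
$forged = $otherDevice.SignData($nonce, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
'Same PIN, different device           : {0}' -f (Test-SignIn $nonce $forged)

# A captured signature is tied to its nonce, so it fails against a new challenge.
$nonce2 = New-Nonce
'Replay of an old signature           : {0}' -f (Test-SignIn $nonce2 $sig)
```

The first line prints True and the other two print False. The PIN itself is never sent: it only gates local access to the private key, which is why the article can say the gesture "is not shared with the server".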

Windows Hello for Business FAQs

"What is Windows Hello for Business used for?"

Windows Hello is the most widely known biometric authentication scheme supported by Windows. It enables Windows 10 users who have devices with fingerprint readers or special cameras to log in through fingerprint or facial recognition. Windows Hello for Business is part of the Microsoft passwordless strategy. More and more companies see the value in setting up Windows Hello for Business.

"Is Windows Hello for Business considered MFA?"

The Windows Hello for Business key meets the multi-factor authentication (MFA) requirements for Azure AD. It reduces the number of MFA prompts that users see when accessing resources.

"Does Windows Hello for Business require Azure AD?"

Device registration is a prerequisite for cloud and hybrid Windows Hello for Business deployments. A user won't be able to provision Windows Hello for Business until the device from which they are attempting to provision has registered with Azure AD.

"Does Windows Hello for Business require Intune?"

Windows Hello for Business can be configured using Group Policy or an MDM like Microsoft Intune, which is a cloud-based service focused on mobile device management (MDM) and mobile application management (MAM).
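Whichever channel delivers the policy, the result on a domain-joined device is a set of values under the PassportForWork policy key, which is the place to check when provisioning does not start or the PIN rules look wrong. The script below is an added example (not from the original article) that audits those values read-only against what a hybrid key-trust deployment would expect. The registry path is the one the Windows Hello for Business Group Policy settings are written to; the expected values (enabled, TPM required, no certificate for on-prem authentication, six-character minimum PIN) are assumptions for this scenario, and the setting names should be verified against your Windows build.

```powershell
# Added example, not from the original article: read-only audit of the
# Windows Hello for Business policy a device has received. Expected values
# are assumptions for a hybrid key-trust deployment.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Get-PolicyValue([string]$path, [string]$name) {
    try { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name }
    catch { $null }   # value not configured by any policy
}

# setting name -> @(registry path, expected value)
$expected = [ordered]@{
    Enabled                     = @($policyRoot, 1)   # WHfB turned on
    RequireSecurityDevice       = @($policyRoot, 1)   # key must live in the TPM
    UseCertificateForOnPremAuth = @($policyRoot, 0)   # key trust, not certificate trust
    MinimumPINLength            = @("$policyRoot\PINComplexity", 6)
}

$report = foreach ($entry in $expected.GetEnumerator()) {
    $path, $want = $entry.Value
    $have = Get-PolicyValue -path $path -name $entry.Key

    if ($null -eq $have) {
        $status = 'MISSING'
    }
    elseif ($entry.Key -eq 'MinimumPINLength') {
        # A longer minimum than expected is fine; shorter is not.
        $status = if ($have -ge $want) { 'OK' } else { 'TOO SHORT' }
    }
    else {
        $status = if ($have -eq $want) { 'OK' } else { 'MISMATCH' }
    }

    [pscustomobject]@{
        Setting  = $entry.Key
        Expected = $want
        Actual   = if ($null -eq $have) { 'not set' } else { $have }
        Status   = $status
    }
}

$report | Format-Table -AutoSize
```

A row reporting MISSING for Enabled means no policy has reached the device yet (run gpupdate or check the Intune sync), while MISMATCH on RequireSecurityDevice means the key could be created in software rather than the TPM, which removes the hardware protection the article describes.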

"What is Windows Hello and do I need it?"

Windows Hello is a way to sign in to your Windows 10 device. It is more secure than a password as it uses biometric authentication. You can sign in via facial or fingerprint recognition. You don't have to use Windows Hello on your Windows 10, but this is the future of accessing computers and devices.

Conclusion

You now know what Windows Hello for Business is, how it will help your organization, how to enable Windows Hello for Business, and its licensing mechanism.

But Windows Hello for Business is not just a new and smart way to authenticate identities and enhance security. It is, in fact, a powerful agent of change that is taking enterprises and organizations away from the somewhat problematic past of passwords to a more secure future.

No wonder 92% of businesses believe going passwordless is the future.

But change, even change for the better, can be anxiety-inducing. That's where Amaxra comes in. Our experts will ensure that you get the best possible guidance on Windows Hello for Business customized to your organization's specific needs.

So, get in touch with us today and get secured!
