Windows Hello for Business

Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing.

It replaces passwords with strong authentication: a user credential that is tied to the device and unlocked with a PIN or a biometric (face or fingerprint). It is available on Windows 10 devices with a camera or sensor that supports Windows Hello.

The Windows Hello for Business settings let you use public key or certificate-based authentication in place of passwords. This setting configures the PIN policy and enforces the use of a PIN to unlock a Windows device.

You can easily change, configure and manage settings for Windows Hello use in the organization.

Easy setup of Windows Hello for Business:

These settings are available in User Configuration and Computer Configuration under Policies > Administrative Templates > Windows Components > Windows Hello for Business.

Enable Windows Hello for Business:
  • In the navigation pane, expand Policies under User Configuration.
  • Expand Administrative Templates > Windows Components, and select Windows Hello for Business.
  • In the content pane, double-click Use Windows Hello for Business.
  • Click Enabled, then click OK.
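The same policy can be set without clicking through the Group Policy editor. The following is an added example, not from the original page, using the GroupPolicy module's Set-GPRegistryValue cmdlet. The GPO name is a placeholder, and the registry mapping (HKLM\SOFTWARE\Policies\Microsoft\PassportForWork, Enabled = 1, with PIN rules under a PINComplexity subkey) is an assumption to verify against the PassportForWork ADMX template in your environment.

```powershell
# Added example (not code from the original page): enable "Use Windows Hello for Business"
# in an existing GPO and verify that the policy reached a managed device.
# Assumptions (check against the PassportForWork.admx shipped with your Windows build):
#   - the policy maps to HKLM\SOFTWARE\Policies\Microsoft\PassportForWork, Enabled (DWORD) = 1
#   - PIN complexity policies live under ...\PassportForWork\PINComplexity
#   - the GPO named below already exists and is linked to the intended OU
Import-Module GroupPolicy

$GpoName   = 'WHfB-Enable'   # placeholder GPO name
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\PassportForWork'

# Computer Configuration > Policies > Administrative Templates > Windows Components >
# Windows Hello for Business > Use Windows Hello for Business = Enabled
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'Enabled' -Type DWord -Value 1

# Make the "something you know" factor non-trivial: require at least a 6-digit PIN
Set-GPRegistryValue -Name $GpoName -Key "$PolicyKey\PINComplexity" -ValueName 'MinimumPINLength' -Type DWord -Value 6

# Read back what the GPO now carries, so a typo in the key path is caught before linking
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey

# Run on a managed device after gpupdate: returns $true only if the policy applied
function Test-WhfbPolicyApplied {
    $local = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
                              -Name 'Enabled' -ErrorAction SilentlyContinue
    return ($null -ne $local -and $local.Enabled -eq 1)
}
Test-WhfbPolicyApplied
```

Use the HKCU form of the same key for the User Configuration version of the policy. Reading the value back on a device is the check worth automating: a GPO that is created but not linked, or filtered out by WMI or security filtering, leaves the device silently on password sign-in.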

How does Windows Hello for Business work?

  • Windows Hello is the most common and most widely known of the biometric authentication schemes that Windows supports. It lets devices with a fingerprint reader or a special camera sign in to Windows via fingerprint or facial recognition.
  • Windows Hello for Business uses mobile device management (MDM) policies for management and enforcement, and leverages key- and certificate-based authentication in most cloud-focused scenarios for maximum security and protection.
  • Windows Hello protects Microsoft accounts, domain accounts that are part of a corporate Active Directory deployment, and accounts joined to an Azure Active Directory domain. In the future it will also protect accounts from federated identity providers that support Fast ID Online (FIDO).
  • Authentication is two-factor: a key or certificate tied to the device, combined with something the person knows (a PIN) or something the person is (biometrics).
  • Personal and corporate accounts use a single container for keys. All keys are separated by identity providers’ domains to help ensure user privacy.
  • Windows Hello credentials are based on a certificate or an asymmetric key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.

Comparing key-based and certificate-based authentication:

Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business.


Enterprises that do not use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello.

Cloud trust uses key-based credentials for Windows Hello but does not require certificates on the domain controller. Windows Hello for Business with a key, including cloud trust, does not support supplied credentials for RDP: RDP does not support authentication with a key or a self-signed certificate.

You can set it up on devices with a fingerprint sensor, iris recognition, facial recognition, or a secure PIN. Windows Hello ditches passwords of all types and replaces them with the user's unique biometric information for authentication.

Benefits of Windows Hello:

Windows Hello replaces passwords. When an identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM).

Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account.

When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows to access resources and services.

Windows Hello helps protect user identities and user credentials. Because the user never enters a password, it helps defeat phishing and brute-force attacks. It also helps limit the impact of server breaches, because Windows Hello credentials are an asymmetric key pair, and it helps prevent replay attacks when those keys are protected by a TPM.
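The provisioning and sign-in flow described above (public key registered with the identity provider, gesture unlocks the private key, signed challenge returns a token) is easier to reason about as a toy model. This is an added example and not Microsoft's code: the real private key lives in the TPM and is unlocked by the PIN or biometric, whereas here it is an in-memory .NET RSA object and the gesture is a boolean placeholder. Account name, nonce size and token format are constructed for the illustration.

```powershell
# Added example (not code from the original page): a toy model of key-based Windows Hello
# sign-in using .NET RSA. Labels "device" and "IdP" mark which side runs each step.
# Assumed stand-ins: in-memory RSA key instead of a TPM-bound key, a boolean in place of the
# PIN/biometric gesture, and a plain string as the authentication token.

# --- provisioning (device): generate a key pair; only the public half leaves the device ---
$deviceKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$registeredKeys = @{}                                   # IdP store: account -> public key params
$registeredKeys['alice@example.test'] = $deviceKey.ExportParameters($false)   # $false = public only
$usedNonces = @{}                                       # IdP memory of challenges already consumed

# --- sign-in step 1 (IdP): issue a fresh random challenge ---
function New-Nonce {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return $bytes
}

# --- sign-in step 2 (device): the gesture releases the private key, which signs the nonce ---
function Invoke-DeviceSign([byte[]]$nonce, [bool]$gestureOk) {
    if (-not $gestureOk) { return $null }               # no PIN/biometric, no signature
    return $deviceKey.SignData($nonce,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# --- sign-in step 3 (IdP): verify with the registered public key, reject replays, issue token ---
function Invoke-IdpVerify([string]$account, [byte[]]$nonce, [byte[]]$signature) {
    $nonceId = [System.BitConverter]::ToString($nonce)
    if ($null -eq $signature) { return $null }          # device never produced a signature
    if ($usedNonces.ContainsKey($nonceId)) { return $null }   # same challenge seen before: replay
    if (-not $registeredKeys.ContainsKey($account)) { return $null }
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($registeredKeys[$account])    # public key only; IdP holds no secret
    $valid = $pub.VerifyData($nonce, $signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if (-not $valid) { return $null }
    $usedNonces[$nonceId] = $true
    return "token-for-$account-$(Get-Date -Format o)"   # stand-in for the real auth token
}

# Normal sign-in: gesture accepted, fresh nonce signed, token issued
$n1  = New-Nonce
$sig = Invoke-DeviceSign $n1 $true
Invoke-IdpVerify 'alice@example.test' $n1 $sig          # token string

# Replay of the captured signature against the same nonce: rejected
Invoke-IdpVerify 'alice@example.test' $n1 $sig          # $null

# No gesture (wrong PIN / no biometric match): the key is never used, so no token
$n2 = New-Nonce
Invoke-IdpVerify 'alice@example.test' $n2 (Invoke-DeviceSign $n2 $false)   # $null
```

Two points the model makes concrete: a breach of the IdP's store yields only public keys, which cannot produce a valid signature; and a signature captured in transit is useless because the IdP never accepts a nonce twice.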

Is Windows Hello for Business free?

You can deploy Windows Hello for Business using the Azure Active Directory free tier. Beyond the free tier, the other plans are also listed.

How many fingerprints can Windows Hello store?

“Windows Hello is very similar to Apple Face ID and to Google Android biometrics.” “All three provide on-device biometric authentication; this means that the facial or fingerprint data is encrypted and stored on the device and not on a server – which is hackable and therefore inherently insecure.”