Implementing strong user authentication with Windows Hello for Business

We implemented Windows Hello for Business to help increase security when our employees and vendors access corporate resources.
Microsoft Digital technical stories

Deploying Windows Hello for Business internally here at Microsoft has significantly increased our security when our employees and vendors access our corporate resources. This feature offers a streamlined user sign-in experience—it replaces passwords with strong, phishing-resistant authentication by combining an enrolled device with a PIN or biometric user input for sign in.

Windows Hello was easy to implement within our existing identity infrastructure and is compatible for use within our remote access solution. We in Microsoft Digital, the company’s IT organization, streamlined the deployment of this feature as an enterprise credential to improve our user sign-in experience and to increase the security of accessing corporate resources.

Using this feature, users can authenticate to a Microsoft account, an Active Directory account, or a Microsoft Entra ID account (formerly known as a Microsoft Azure Active Directory account).

The Windows Hello for Business feature is a public key or certificate-based authentication approach that goes beyond passwords. This form of authentication relies on key pairs that can replace passwords and are resistant to breaches, thefts, and phishing.

Other benefits of this feature include:

  • It supports our Zero Trust security model. It emphasizes an identity-driven security solution, centering on securing user identity with strong authentication and eliminating passwords.
  • It uses existing infrastructure. We configured Windows Hello to support smart card-like scenarios by using a certificate-based deployment. Our security policies enforce secure access to corporate resources with phishing-resistant authentication, including smart cards and passkeys. Windows Hello biometric authentication is currently enabled, but optional for all users.
  • It uses a PIN. This replaces passwords with stronger authentication: users can now sign in to a device using a PIN that is backed by a trusted platform module (TPM) chip.
  • It provides easy certificate renewal. Certificate renewals automatically occur when a user signs in with their PIN before the lifetime threshold is reached.
  • It permits a single sign-in. After users sign in with their PIN, they have access to email, SharePoint sites, Microsoft 365, and business applications without being asked for credentials again.
  • It is compatible with remote access. When using Hello for Business, users can connect remotely using a Microsoft Digital VPN without the need for additional authentication.
  • It supports Windows Hello. If users have compatible biometric hardware, they can set up biometric sign-in and swipe a finger or take a quick look at the device camera. This is optional for all users.

Our deployment environment for the Windows Hello for Business feature includes:

  • Server: Microsoft Entra ID subscription and Microsoft Entra Connect to extend the on-premises directory to Entra ID
  • For certificate enrollment: Active Directory Certificate Services (AD CS), Network Device Enrollment Service (NDES), and Microsoft Intune
  • Client: Windows 10 or Windows 11 device with an initialized and owned TPM

For more information about integrating on-premises identities with Microsoft Entra ID, see What is hybrid identity with Microsoft Entra ID?

Enrollment and setup

Windows Hello for Business user enrollment steps vary, based on our deployed scenarios. For all scenarios, users will need to use another form of phishing-resistant authentication or a Temporary Access Pass to complete the enrollment.

The Windows Hello for Business feature supports the following enrollment scenarios:

  • On-premises Active Directory hybrid domain–joined devices. Users sign in with their domain account, the device is registered with Entra ID and scoped for Intune management, Intune policies are delivered, and then the user creates a PIN.
  • Entra ID–joined devices managed by Microsoft Intune. Users must enroll in device management through Microsoft Intune. After their device is enrolled and the policies are applied, the PIN credential provisioning process begins, and users receive the prompt to create their PIN.

Requirements

  • Phishing-resistant authentication is required for PIN creation using one of the existing methods: smart card, passkey, or TAP (Temporary Access Pass).
  • A PIN that has at least six characters.
  • A connection to the internet or Microsoft corporate network.

Physical architecture

Our Windows hybrid domain-joined devices were already synchronized with Entra ID through Microsoft Entra Connect, and we already had a public key infrastructure (PKI) in place. Already having a PKI reduced the amount of change required in our environment to enable the Windows Hello for Business feature.

To deploy user certificates based on Windows Hello keys, we used Intune, NDES, and AD CS.

Server roles and services

In our implementation, the following servers and roles worked together to enable Windows Hello as a corporate credential:

  • Entra ID subscription with Microsoft Entra Device Registration Service to register devices with Entra ID.
  • Intune is used to manage Hello for Business policies for all enrolled devices.
  • PKI includes NDES servers (with Certificate Connector for Microsoft Intune) and certificate authorities (with smart card EKU—enhanced key usage—template), used for the issuance, renewal, and revocation of Windows Hello for Business certificates.

Hybrid domain-joined service workflow

The following workflow applies to any Windows 10 or Windows 11 computers joined to our AD DS domain.

  • Our hybrid domain-joined devices are automatically registered with Entra ID via a group policy and enrolled in Intune management.
  • Intune Policies—including Hello enablement, configuration, and NDES information—are delivered to the device.
  • During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using phishing-resistant authentication, and create a PIN. A private key is created and registered in Entra ID. The user can also initiate the Windows Hello setup process from the Settings app at any time.
  • On the next Intune sync, the device contacts the internet-facing NDES server using the URL from the Intune policy and provides the challenge response. The NDES server validates the challenge with the Certificate Connector for Microsoft Intune and receives a “true” or “false” to challenge verification.
    • If the challenge response is “true,” the NDES server communicates with the certificate authority (CA) to get a certificate for the device. Appropriate ports need to be open between the NDES server and the CA for this to happen.
  • The NDES server delivers the certificate to the computer.

Entra ID-joined service workflow

  • On device join, Intune pushes a device policy to Microsoft Entra ID devices that contains the Windows Hello for Business policies as well as the URL of the NDES server and the challenge generated by Intune.
  • During the device join flow, the user is prompted to configure Hello for Business, confirm their identity using phishing-resistant authentication, and create a PIN. A private key is created and registered in Entra ID. The user can also initiate the Windows Hello setup process from the Settings app at any time.
  • On the next Intune sync, the device contacts the internet-facing NDES server using the URL from the Intune policy and provides the challenge response. The NDES server validates the challenge with the Certificate Connector for Microsoft Intune and receives a “true” or “false” to challenge verification.
    • If the challenge response is “true,” the NDES server communicates with the certificate authority (CA) to get a certificate for the device. Appropriate ports need to be open between the NDES server and the CA for this to happen.
  • The NDES server delivers the certificate to the computer.

Setting policies

Windows Hello for Business policies for both hybrid domain-joined and Entra ID-joined Windows 10 and Windows 11 devices are managed by Intune. We also use these policies to define the complexity and length of the PIN that our users generate at registration and to control whether Windows Hello is enabled.

We chose to enable Hello for Business with a hardware-required option, which means that keys are generated on the TPM. Additionally, we chose to issue a certificate to all Hello for Business credentials to enhance the usability of the credential throughout the corporate infrastructure.

Policy management

We set the Windows Hello for Business policy settings with Intune in two different places. First, setting them via the Tenant Policy ensures that the policies are delivered during the device-enrollment flow. The Tenant Settings can be found in Microsoft Intune Manager Admin Center under Devices > Windows > Windows Enrollment > Windows Hello for Business. However, Tenant Policies are only delivered one time, on device join.

We also configure the settings using the Intune Settings Catalog to ensure that they are continuously enforced on all devices. This allows us to update the policies on devices that are already joined. In these policies, we have configured the following options:

  • Enable Windows Hello for Business
  • Require use of a Trusted Platform Module (TPM)
  • Allow biometric authentication
  • PIN complexity:
    • Minimum length: 6 characters
    • Allow uppercase letters
    • Allow lowercase letters
    • Allow special characters

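The PIN settings above are enforced by Windows at enrollment time, but it helps to see the rule set written out. The following is an added example, not Microsoft Digital's or Intune's own code: it evaluates a candidate PIN against a policy whose defaults match the values listed above (minimum length 6; uppercase, lowercase and special characters allowed). The three-state rule model (not allowed / allowed / required), the maximum length, and the assumption that digits are always permitted are this example's own simplifications rather than settings taken from the text.

```python
"""Evaluate a candidate PIN against a Windows Hello for Business style PIN policy.

Added example, not Microsoft Digital's or Intune's own code. The default policy
values are the ones listed in the text (minimum length 6; uppercase, lowercase
and special characters allowed). The three-state rule (NOT_ALLOWED / ALLOWED /
REQUIRED), the maximum length and the assumption that digits are always
permitted are this example's own simplifications, not settings from the page.
"""
import string
from dataclasses import dataclass
from enum import Enum


class CharRule(Enum):
    """How a character class is treated by the policy (assumed three-state model)."""
    NOT_ALLOWED = "not_allowed"
    ALLOWED = "allowed"
    REQUIRED = "required"


@dataclass(frozen=True)
class PinPolicy:
    min_length: int = 6          # from the text: at least six characters
    max_length: int = 127        # assumed upper bound, not from the page
    uppercase: CharRule = CharRule.ALLOWED
    lowercase: CharRule = CharRule.ALLOWED
    special: CharRule = CharRule.ALLOWED


# The policy as described in the text (digits are always permitted in this model).
DEFAULT_POLICY = PinPolicy()

_CLASS_ALPHABETS = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "special": set(string.punctuation),
}


def evaluate_pin(pin: str, policy: PinPolicy = DEFAULT_POLICY) -> list[str]:
    """Return the list of policy violations; an empty list means the PIN is acceptable.

    Each violation is a short, stable string so callers (or tests) can match on it.
    """
    problems: list[str] = []

    if len(pin) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(pin) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")

    rules = {"uppercase": policy.uppercase, "lowercase": policy.lowercase, "special": policy.special}
    for name, rule in rules.items():
        present = any(c in _CLASS_ALPHABETS[name] for c in pin)
        if rule is CharRule.NOT_ALLOWED and present:
            problems.append(f"{name} characters are not allowed")
        elif rule is CharRule.REQUIRED and not present:
            problems.append(f"at least one {name} character is required")

    # Anything outside digits plus the three known classes (whitespace, non-ASCII)
    # is rejected regardless of the per-class rules.
    known = set(string.digits).union(*_CLASS_ALPHABETS.values())
    if any(c not in known for c in pin):
        problems.append("contains characters outside the permitted set")

    return problems


def is_acceptable(pin: str, policy: PinPolicy = DEFAULT_POLICY) -> bool:
    """Convenience wrapper: True when no violations were found."""
    return not evaluate_pin(pin, policy)


if __name__ == "__main__":
    # Constructed sample PINs, not real user data.
    for candidate in ["482913", "4829", "Ab12#x", "ab 123"]:
        print(f"{candidate!r}: {evaluate_pin(candidate) or 'OK'}")
```

Returning the full list of violations rather than a single boolean mirrors what the enrollment dialog has to do: tell the user every rule the candidate PIN breaks, so they do not cycle through one rejection at a time. Because the PIN only unlocks a TPM-bound key on that one device, its strength requirement is deliberately lower than a password's, which is why a six-digit minimum is acceptable here.
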
For more details on these policy configuration options, check out our documentation page on the Microsoft Learn site.

To enable Windows Hello for Business certificate issuance, configure the certificate profile (Assets & Compliance > Compliance Settings > Company Resource Access > Certificate Profiles). Select a template that has the smart card sign-in extended key usage. Note that to set the minimum key size, the certificate template must be configured on the Simple Certificate Enrollment Protocol (SCEP) Enrollment page; you can then use the Windows Hello for Business and Certificate Properties page to set the minimum key size to 2048.

User enrollment experience

All Windows 10 and Windows 11 devices in the Microsoft environment receive the Windows Hello for Business policies from Intune. For hybrid domain-joined devices, these policies are delivered after device registration with the Entra ID tenant. For Entra ID-joined devices, the policies are delivered as part of the device join flow.

PIN creation

On hybrid domain-joined devices, the user is prompted to create their Hello for Business PIN when they unlock or sign in to the device after the policy settings are applied and the prerequisites, such as TPM availability and state, are met.

Entra ID-joined devices prompt the user to create their Hello for Business PIN during the device join workflow, assuming that the device meets all of the prerequisites.

Certificate enrollment process

After a PIN is successfully created, a certificate is automatically requested on behalf of the user during the next Intune policy sync operation.

Certificate renewal behavior

We have configured PIN credential certificates to have a lifetime of 90 days from when they are issued. Renewals will happen approximately 30 days before they expire. When a user enters their Windows Hello for Business PIN within the 30 days prior to its expiration, a new certificate will be automatically provisioned on their device.

Certificate renewal is governed by Intune policies. The system checks for certificate lifetime percentage and compares it against the renewal threshold. If it’s beyond the set threshold, a certificate renewal starts.
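
The renewal rule above (90-day lifetime, renewal about 30 days before expiry, triggered when the user signs in with their PIN inside that window) is easy to get subtly wrong when planning monitoring, so here it is worked through in code. This is an added example, not Microsoft Digital's or Intune's code. Expressing the threshold as the fraction of validity remaining (30/90) is this example's reading of "certificate lifetime percentage"; the page does not state how Intune computes that percentage, and the sample certificate is constructed.

```python
"""Decide when a Windows Hello for Business user certificate is due for renewal.

Added example, not Microsoft Digital's or Intune's code. It models the rule the
text describes: certificates are valid for 90 days and renew roughly 30 days
before expiry, and a renewal is provisioned when the user signs in with their
PIN inside that window. Expressing the threshold as the fraction of lifetime
remaining (30/90) is this example's reading of "certificate lifetime
percentage"; the page does not state how Intune computes that percentage.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CERT_LIFETIME = timedelta(days=90)           # from the text
RENEW_BEFORE_EXPIRY = timedelta(days=30)     # from the text ("approximately 30 days")
# Renewal threshold as a fraction of validity remaining (30 / 90 = 0.333...).
RENEWAL_THRESHOLD = RENEW_BEFORE_EXPIRY / CERT_LIFETIME


@dataclass(frozen=True)
class IssuedCertificate:
    subject: str
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before

    def remaining_fraction(self, now: datetime) -> float:
        """Fraction of the validity period still ahead of `now`, clamped to [0, 1]."""
        if self.lifetime <= timedelta(0):
            raise ValueError("certificate validity period must be positive")
        return max(0.0, min(1.0, (self.not_after - now) / self.lifetime))


def earliest_renewal(cert: IssuedCertificate, threshold: float = RENEWAL_THRESHOLD) -> datetime:
    """First instant at which the remaining lifetime drops to the threshold."""
    return cert.not_after - cert.lifetime * threshold


def renewal_due(cert: IssuedCertificate, now: datetime, signed_in_with_pin: bool,
                threshold: float = RENEWAL_THRESHOLD) -> bool:
    """True when the device should request a new certificate at this sign-in.

    Two conditions, both from the text: the remaining lifetime is at or below the
    threshold, and the user authenticated with their Windows Hello PIN (the text
    ties renewal to PIN sign-in inside the window). An already expired certificate
    has 0% remaining and is therefore flagged as due as well.
    """
    return signed_in_with_pin and cert.remaining_fraction(now) <= threshold


if __name__ == "__main__":
    # Constructed sample certificate, not a real issuance record.
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cert = IssuedCertificate("user@contoso.example", issued, issued + CERT_LIFETIME)
    print("renewal window opens:", earliest_renewal(cert).date())
    for day in (10, 59, 60, 80, 95):
        when = issued + timedelta(days=day)
        print(f"day {day:>3}: remaining {cert.remaining_fraction(when):.1%}, "
              f"due on PIN sign-in = {renewal_due(cert, when, True)}")
```

The practical consequence for operations is visible in `renewal_due`: a user who does not sign in with their PIN for the whole 30-day window (long leave, a device left in a drawer) reaches expiry without a renewal, and that population is worth surfacing in service-health reporting rather than discovering through help desk tickets.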

Service management

We manage identity as a service at Microsoft and are responsible for deciding when to bring in new types of credentials and when to phase out others. When we were considering adding the Windows Hello for Business feature, we had to figure out how to introduce the new credential to our users, and to explain to them why they should use it.

Measuring service health

We’re in the process of creating end-to-end signals to measure the service health of Windows Hello for Business. For now, we’re monitoring the performance and status of all our servers. We’re also expanding the service, so adoption and usage numbers are very important metrics that demonstrate the success of our service. We also track the number and types of help desk issues that we see.

We use custom reports created from certificate servers and custom service metrics to collect prerequisites, and key and certificate issuance times for troubleshooting. Detailed reports about other aspects of the service can also be generated from Intune.

We configure a user’s certificate to expire, and certificate renewals are issued with the same key. When necessary, the certificates can be revoked directly through Intune, which provides easier administration. Additionally, certificates are automatically revoked by the Intune service when a user or device is de-provisioned from the environment.

Key Takeaways

Here are some tips for getting started with Windows Hello for Business at your company:

  • OEM BIOS initialization instructions and TPM lockout policies are OEM-specific. We performed steps to identify and document the potential issues for each hardware provider. We also communicated to our users that clearing a TPM will render their Windows Hello for Business private key unusable.
  • Some of the common issues we saw with users creating their PINs could have been avoided with better communication. These issues include users not understanding the prerequisites, or the expected delays in onboarding scenarios. To help avoid this issue, we created a productivity guide to walk users through the steps.
  • Windows Hello for Business relies on several underlying services: Entra ID, Intune, NDES, and AD CS. All of these services need to be healthy and available.
  • Certificate issuance delays can be hard to troubleshoot, but monitoring the health and performance of the supporting services can help.