Configure Windows Hello for Business using Intune

by | Intune, Cloud

In this post I will show you how to configure Windows Hello for Business using Intune. By creating a policy for WHFB, users can easily utilise the features such as Biometric & PIN to login to their devices without providing the password credentials.

What is Windows Hello for Business

To be precise, Windows Hello for Business replaces the passwords (which we used to login to the devices using user credentials) with biometric or PIN. This require two-factor authentication to the setup once the policy is targeted.

The enrollment method to Windows Hello could either be biometric or PIN.

Following Biometric sign-in options are available:

  • Facial Recognition
  • Fingerprint Recognition
  • Iris Recognition

If none is available, then you can use PIN as well to configure the Windows Hello.

Why to use Windows Hello for Business

One of the biggest benefit of using WHFB, or we can say using biometric or PIN to login to the device is to eliminate the usage of password which can unintentionally be shared or can be captured over the network if we are not careful. Biometric or PIN information is saved locally on the device. When provisioning Windows Hello, it creates cryptographic key which is saved to Trusted Platform Module (TPM) which is inbuilt to a device.

Two-step verification (MFA – Multi factor authentication) is required for enrolling the Windows Hello. Which creates private key and uses the trusted relationship between the identity provider and the user with public/private key.

Windows Hello also protects user identities and user credentials as you are not entering password, hence mitigating the phishing and brute force attacks.

How to deploy Windows Hello for Business

There are multiple ways to deploy Windows Hello for Business policies. It can be deployed via:

  • Intune – Within Intune itself we have multiple options such as “Settings catalog” and “Templates”. We are going to use the Templates as it is much more straight forward setting.
  • Group Policy – This is the easiest way to configure the Windows Hello for Business policies when devices are joined to Domain and have Active Directory and Group Policy Management editors.

Windows Hello comes with different Deployment Models such as Cloud only, Hybrid and on-premises. This also relies on various Trust types such as:

  • Key trust
  • Certificate trust
  • Cloud Kerberos trust

Key trust does not require certificates for end users, hence very easy to configure as it doesn’t come with any overhead. For Cloud only / Hybrid approach – your device needs to be registered in Azure AD which is called Azure AD Join (cloud only approach) and Hybrid Azure AD join (for Hybrid approach)

Windows Hello for Business Identity Provider
Windows Hello for Business Identity Provider

Deploy Windows Hello for Business using Intune

Configuring the Windows Hello for Business policy can be done at Tenant level also, which will apply the policy to all users. For this login to MEM admin center and navigate to Devices > Enroll Devices > Windows Enrollment and click on Windows Hello for Business.

Windows Hello for Business Enrollment
Windows Hello for Business Enrollment

 Once you enable “Configure Windows Hello for Business”. You can see the settings to specify.

Configure Windows Hello for Business

Note: I will not prefer this way because you are deploying the Windows Hello to all users. You are not having enough control of doing piloting and having multiple configurations based upon different users / regions / countries.

Login to Microsoft Endpoint Manager admin center and navigate to Devices > Windows > Configuration profiles.

Click on Create profile, specify:

  • Platform: Windows 10 and later
  • Profile type: Templates
  • Template name: Identity protection

And click Create.

Windows Hello for Business Identity Protection

Under Identity Protection Basics setting, provide name as “WHFB Policy”, click Next.

WHFB Policy Name

Under Configuration settings, specify:

  • Configure Windows Hello for Business: Enabled
  • Minimum PIN length: 4
  • Maximum PIN length: 8
  • Lowercase letters in PIN: Not configured
  • Uppercase letters in PIN: Not configured
  • Special characters in PIN: Not configured
  • PIN expiration (days): Not configured (Can configure from 1 to 730)
  • Remember PIN history: (can configure from 1 to 50)
  • Enable PIN recovery: (can save PIN recovery secret on the device itself)
  • Use a Trusted Platform Module (TPM): Enabled (this is a preferred setting for better security)
  • Allow biometric authentication: Enable (Gestures, face and fingerprints can be used)
  • Use enhanced anti-spoofing, when available: Enable ( to provide additional security)
  • Certificate for on-premise resources: Not configured
  • Use security keys for sign-in: Not configured
WHFB Policy settings

Click Next.

Click next under Scope tags, under Assignments, target to specific group and click Next.

WHFB 07

Click Next under Applicability Rules and Review+Create to create the policy and close the wizard.

Test windows Hello for Business policy

I have a Windows 10 device which is enrolled to Intune (Hybrid azure AD join). TPM is already enabled on the device and make sure “Enhanced session” is disabled on Hyper-V device.

Hyper-V Enable Secure Boot

Provide the credentials to login to the device.

WHFB 09

You will be prompted with configuring the Windows Hello, as it is a Virtual Machine, I have to configure PIN. Click on OK.

WHFB enabled

Windows Hello for Business require MFA, hence approve the request through Microsoft Authenticator app or other app you have configured.

WHFB 11

Set up the PIN using the condition we have specified (remember min. 4 PIN length).

WHFB 12

You are All set with PIN configured and ready to be used during next login.

WHFB 13
WHFB 14

You might see error such as “That option is temporarily unavailable. For now, please use a different method to sign in”

WHFB 15

You just need to wait for some more time to start utilising PIN, you can still use Password to login. You are getting this error as this kind of deployment is based upon Key Trust which requires to be synched with cloud. To expedite this, you need to configure Certificate Trust which requires additional configuration to be done.

After waiting for a while, I was able to login to the Windows.

You can check for any error or registration status through Event Viewer.

Launch Event Viewer (eventvwr.msc) and navigate to Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin

It showed me following info:

Windows Hello for Business provisioning will be launched.

WHFB 16
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Error
User certificate for on premise auth policy is enabled: No
Machine is governed by none policy.
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

This clearly showed me that WHFB will be launched as all prerequisites were met including hardware requirements.

With few more updates, I can se the Microsoft Passport key information was saved which was related to PIN info saved.

WHFB 17

Conclusion

Windows Hello for Business can be used to for better security as you are using Biometric such as gestures, Facial recognition, fingerprint, PIN which saves the information locally on the device based upon TPM chipset, hence mitigating the risk of exposing your passwords.

Important links

Windows Hello for Business Overview (Windows) | Microsoft Learn

Configure a tenant-wide Windows Hello for Business policy with Microsoft Intune – Microsoft Intune | Microsoft Learn

Planning a Windows Hello for Business Deployment | Microsoft Learn

Windows Hello for Business hybrid key trust deployment | Microsoft Learn

Leave a Reply