Windows Hello for Business
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account.
Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to replay attacks.
- Users can inadvertently expose their passwords due to phishing attacks.
Overview
Why PIN is better than a password
Manage Windows Hello in your Organization
Prerequisites
Cloud Only Deployment
- Windows 10, version 1511 or later
- Microsoft Azure Account
- Azure Active Directory
- Azure AD Multi-Factor Authentication
- Modern Management (Intune or supported third-party MDM), optional
- Azure AD Premium subscription - optional, needed for automatic MDM enrollment when the device joins Azure Active Directory
Hybrid Deployments
The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
| Key trustGroup Policy managed | Certificate trustMixed managed | Key trustModern managed | Certificate trustModern managed |
|---|---|---|---|
| Windows 10, version 1511 or later | Hybrid Azure AD Joined: Minimum: Windows 10, version 1703 Best experience: Windows 10, version 1709 or later (supports synchronous certificate enrollment).Azure AD Joined: Windows 10, version 1511 or later |
Windows 10, version 1511 or later | Windows 10, version 1511 or later |
| Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema |
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
| N/A | Windows Server 2016 AD FS with KB4088889 update (hybrid Azure AD joined clients), andWindows Server 2012 or later Network Device Enrollment Service (Azure AD joined) |
N/A | Windows Server 2012 or later Network Device Enrollment Service |
| Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter |
| Azure Account | Azure Account | Azure Account | Azure Account |
| Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory |
| Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect |
| Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment |
Important
Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. Requirements: Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 Reset above lock screen (I forgot my PIN link) - Windows 10, version 1903
On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. Requirements: Reset from settings - Windows 10, version 1703, Professional Reset above lock screen - Windows 10, version 1709, Professional Reset above lock screen (I forgot my PIN link) - Windows 10, version 1903
On-premises Deployments
The table shows the minimum requirements for each deployment.
| Key trust Group Policy managed | Certificate trust Group Policy managed |
|---|---|
| Windows 10, version 1703 or later | Windows 10, version 1703 or later |
| Windows Server 2016 Schema | Windows Server 2016 Schema |
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
| Windows Server 2016 AD FS with KB4088889 update | Windows Server 2016 AD FS with KB4088889 update |
| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter |
| Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing |
Important
For Windows Hello for Business key trust deployments, if you have several domains, at least one Windows Server Domain Controller 2016 or newer is required for each domain. For more information, see the planning guide.