Windows Hello for Business
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
Windows Hello for Business lets users authenticate to an Active Directory or Azure Active Directory account.
Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to replay attacks.
- Users can inadvertently expose their passwords due to phishing attacks.
Prerequisites
Cloud Only Deployment
- Windows 10, version 1511 or later
- Microsoft Azure Account
- Azure Active Directory
- Azure Multi-factor authentication
- Modern Management (Intune or supported third-party MDM), optional
- Azure AD Premium subscription - optional, needed for automatic MDM enrollment when the device joins Azure Active Directory
Hybrid Deployments
The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements apply to each domain/forest that hosts Windows Hello for Business components or is involved in the Kerberos referral process.
| Key trust, Group Policy managed | Certificate trust, Mixed managed | Key trust, Modern managed | Certificate trust, Modern managed |
|---|---|---|---|
| Windows 10, version 1511 or later | Hybrid Azure AD Joined: Minimum: Windows 10, version 1703. Best experience: Windows 10, version 1709 or later (supports synchronous certificate enrollment). Azure AD Joined: Windows 10, version 1511 or later | Windows 10, version 1511 or later | Windows 10, version 1511 or later |
| Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema |
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
| N/A | Windows Server 2016 AD FS with KB4088889 update (hybrid Azure AD joined clients), and Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
| Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter |
| Azure Account | Azure Account | Azure Account | Azure Account |
| Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory |
| Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect |
| Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment |
On-premises Deployments
The table shows the minimum requirements for each deployment.
| Key trust, Group Policy managed | Certificate trust, Group Policy managed |
|---|---|
| Windows 10, version 1703 or later | Windows 10, version 1703 or later |
| Windows Server 2016 Schema | Windows Server 2016 Schema |
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
| Windows Server 2016 AD FS with KB4088889 update | Windows Server 2016 AD FS with KB4088889 update |
| AD FS with Azure MFA Server, or AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or AD FS with 3rd Party MFA Adapter |
| Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing |
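The directory-side rows shared by the hybrid and on-premises tables (client build, schema, functional level, domain controller OS, certificate authority OS) can be verified from a domain-joined Windows 10 machine with the ActiveDirectory module. The script below is an added example, not code from this page or from Microsoft. The threshold values it encodes are assumptions taken from public Windows documentation rather than from this page: Windows 10 version 1511 is build 10586 and 1703 is build 15063, the Windows Server 2016 schema is objectVersion 87, and the Windows Server 2008 R2 functional level is value 4 of the ADDomainMode/ADForestMode enumerations. The AD FS, NDES, MFA and Azure AD Connect rows live on other servers and are not checked here.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the Windows Hello for Business page). Assumed constants:
#   Windows 10 1511 = build 10586, 1703 = build 15063
#   Windows Server 2016 AD schema = objectVersion 87
#   Windows Server 2008 R2 functional level = ADDomainMode / ADForestMode value 4
param(
    [ValidateSet('KeyTrust', 'CertificateTrust')]
    [string]$TrustType = 'KeyTrust',
    # On-premises deployments require 1703 (build 15063); hybrid allows 1511 (build 10586)
    [int]$MinimumClientBuild = 15063
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. Client OS build of the machine running the script
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
Add-Check 'Windows 10 client build' ($build -ge $MinimumClientBuild) "$($os.Caption) build $build (minimum $MinimumClientBuild)"

# 2. Windows Server 2016 schema: objectVersion on the schema naming context must be 87 or higher
$rootDse = Get-ADRootDSE
$schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
Add-Check 'Windows Server 2016 schema' ([int]$schema.objectVersion -ge 87) "objectVersion $($schema.objectVersion)"

# 3. Domain and forest functional level: Windows Server 2008 R2 (enum value 4) or later
$domain = Get-ADDomain
$forest = Get-ADForest
Add-Check 'Domain functional level 2008 R2 or later' ([int]$domain.DomainMode -ge 4) "$($domain.DomainMode)"
Add-Check 'Forest functional level 2008 R2 or later' ([int]$forest.ForestMode -ge 4) "$($forest.ForestMode)"

# 4. Domain controllers: key trust needs Windows Server 2016 (or later) DCs,
#    certificate trust accepts Windows Server 2008 R2 or later
$dcPattern = if ($TrustType -eq 'KeyTrust') { 'Windows Server (2016|2019|2022)' } else { 'Windows Server (2008 R2|2012|2016|2019|2022)' }
$dcs    = @(Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem)
$badDcs = @($dcs | Where-Object { $_.OperatingSystem -notmatch $dcPattern })
$dcDetail = if ($badDcs.Count -gt 0) { 'Too old: ' + ($badDcs.HostName -join ', ') } else { "$($dcs.Count) DC(s) meet the requirement" }
Add-Check "Domain controller OS ($TrustType)" ($badDcs.Count -eq 0) $dcDetail

# 5. Enterprise CA on Windows Server 2012 or later: enumerate enrollment services published
#    in the configuration partition, then look up each CA host's operating system
$esBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
$cas = @(Get-ADObject -Filter 'objectClass -eq "pKIEnrollmentService"' -SearchBase $esBase -Properties dNSHostName)
if ($cas.Count -eq 0) {
    Add-Check 'Enterprise certificate authority' $false 'No pKIEnrollmentService objects found'
}
foreach ($ca in $cas) {
    $caHost = Get-ADComputer -Filter "DNSHostName -eq '$($ca.dNSHostName)'" -Properties OperatingSystem
    $ok = [bool]($caHost.OperatingSystem -match 'Windows Server (2012|2016|2019|2022)')
    Add-Check "CA $($ca.Name) on Windows Server 2012 or later" $ok "$($ca.dNSHostName): $($caHost.OperatingSystem)"
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

Run it as `.\Test-WhfbPrereqs.ps1 -TrustType CertificateTrust -MinimumClientBuild 10586` for a hybrid certificate-trust deployment, or with the defaults for on-premises key trust. Because the domain controller check reads the OS of every DC in the domain, it also catches the multi-domain case in the text above: run it once per domain that hosts Windows Hello for Business components or takes part in Kerberos referrals.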