Windows Hello for Business

05/05/2018
3 minutes to read
Contributors

In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account.

Windows Hello addresses the following problems with passwords:

Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
Server breaches can expose symmetric network credentials (passwords).
Passwords are subject to replay attacks.
Users can inadvertently expose their passwords due to phishing attacks.


Overview	Why PIN is better than a password	Manage Windows Hello in your Organization

Prerequisites

Cloud Only Deployment

Windows 10, version 1511 or later
Microsoft Azure Account
Azure Active Directory
Azure Multi-factor authentication
Modern Management (Intune or supported third-party MDM), optional
Azure AD Premium subscription - optional, needed for automatic MDM enrollment when the device joins Azure Active Directory

Hybrid Deployments

The table shows the minimum requirements for each deployment.

Key trust Group Policy managed	Certificate trust Mixed managed	Key trust Modern managed	Certificate trust Modern managed
Windows 10, version 1511 or later	Hybrid Azure AD Joined: Minimum: Windows 10, version 1703 Best experience: Windows 10, version 1709 or later (supports synchronous certificate enrollment). Azure AD Joined: Windows 10, version 1511 or later	Windows 10, version 1511 or later	Windows 10, version 1511 or later
Windows Server 2016 Schema	Windows Server 2016 Schema	Windows Server 2016 Schema	Windows Server 2016 Schema
Windows Server 2008 R2 Domain/Forest functional level	Windows Server 2008 R2 Domain/Forest functional level	Windows Server 2008 R2 Domain/Forest functional level	Windows Server 2008 R2 Domain/Forest functional level
Windows Server 2016 Domain Controllers	Windows Server 2008 R2 or later Domain Controllers	Windows Server 2016 Domain Controllers	Windows Server 2008 R2 or later Domain Controllers
Windows Server 2012 or later Certificate Authority	Windows Server 2012 or later Certificate Authority	Windows Server 2012 or later Certificate Authority	Windows Server 2012 or later Certificate Authority
N/A	Windows Server 2016 AD FS with KB4088889 update (hybrid Azure AD joined clients), and Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined)	N/A	Windows Server 2012 or later Network Device Enrollment Service
Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter	Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter	Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter	Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter
Azure Account	Azure Account	Azure Account	Azure Account
Azure Active Directory	Azure Active Directory	Azure Active Directory	Azure Active Directory
Azure AD Connect	Azure AD Connect	Azure AD Connect	Azure AD Connect
Azure AD Premium, optional	Azure AD Premium, needed for device write-back	Azure AD Premium, optional for automatic MDM enrollment	Azure AD Premium, optional for automatic MDM enrollment

On-premises Deployments