Windows Hello for Business

  • 3 minutes to read

In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account.

Windows Hello addresses the following problems with passwords:

  • Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
  • Server breaches can expose symmetric network credentials (passwords).
  • Passwords are subject to replay attacks.
  • Users can inadvertently expose their passwords due to phishing attacks.
Overview Icon
Overview		 Why a PIN is better than a password Icon
Why PIN is better than a password		 Manage Hello Icon
Manage Windows Hello in your Organization

Prerequisites

Cloud Only Deployment

  • Windows 10, version 1511 or later
  • Microsoft Azure Account
  • Azure Active Directory
  • Azure Multi-factor authentication
  • Modern Management (Intune or supported third-party MDM), optional
  • Azure AD Premium subscription - optional, needed for automatic MDM enrollment when the device joins Azure Active Directory

Hybrid Deployments

The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.

Key trust
Group Policy managed		 Certificate trust
Mixed managed		 Key trust
Modern managed		 Certificate trust
Modern managed
Windows 10, version 1511 or later Hybrid Azure AD Joined:
Minimum: Windows 10, version 1703
Best experience: Windows 10, version 1709 or later (supports synchronous certificate enrollment).
Azure AD Joined:
Windows 10, version 1511 or later		 Windows 10, version 1511 or later Windows 10, version 1511 or later
Windows Server 2016 Schema Windows Server 2016 Schema Windows Server 2016 Schema Windows Server 2016 Schema
Windows Server 2008 R2 Domain/Forest functional level Windows Server 2008 R2 Domain/Forest functional level Windows Server 2008 R2 Domain/Forest functional level Windows Server 2008 R2 Domain/Forest functional level
Windows Server 2016 or later Domain Controllers Windows Server 2008 R2 or later Domain Controllers Windows Server 2016 or later Domain Controllers Windows Server 2008 R2 or later Domain Controllers
Windows Server 2012 or later Certificate Authority Windows Server 2012 or later Certificate Authority Windows Server 2012 or later Certificate Authority Windows Server 2012 or later Certificate Authority
N/A Windows Server 2016 AD FS with KB4088889 update (hybrid Azure AD joined clients),
and
Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined)		 N/A Windows Server 2012 or later Network Device Enrollment Service
Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter		 Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter		 Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter		 Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter
Azure Account Azure Account Azure Account Azure Account
Azure Active Directory Azure Active Directory Azure Active Directory Azure Active Directory
Azure AD Connect Azure AD Connect Azure AD Connect Azure AD Connect
Azure AD Premium, optional Azure AD Premium, needed for device write-back Azure AD Premium, optional for automatic MDM enrollment Azure AD Premium, optional for automatic MDM enrollment

On-premises Deployments

The table shows the minimum requirements for each deployment.

Key trust
Group Policy managed		 Certificate trust
Group Policy managed
Windows 10, version 1703 or later Windows 10, version 1703 or later
Windows Server 2016 Schema Windows Server 2016 Schema
Windows Server 2008 R2 Domain/Forest functional level Windows Server 2008 R2 Domain/Forest functional level
Windows Server 2016 or later Domain Controllers Windows Server 2008 R2 or later Domain Controllers
Windows Server 2012 or later Certificate Authority Windows Server 2012 or later Certificate Authority
Windows Server 2016 AD FS with KB4088889 update Windows Server 2016 AD FS with KB4088889 update
AD FS with Azure MFA Server, or
AD FS with 3rd Party MFA Adapter		 AD FS with Azure MFA Server, or
AD FS with 3rd Party MFA Adapter
Azure Account, optional for Azure MFA billing Azure Account, optional for Azure MFA billing

Important

For Windows Hello for Business deployment, if you have several domains, at least one Windows Server Domain Controller 2016 is required for each domain. For more information, see the planning guide.