Windows Hello for Business for the IT administrator

Last updated: November 16, 2023
Audience: IT Staff / Technical

Windows Hello for Business (WHfB) provides passwordless two-factor authentication for interactive sign-in to a Windows device: a private key bound to the device (normally protected by its TPM) is unlocked with a PIN or a biometric, so the user never types a password at the device. At the UW, this generally requires the Windows device to be joined either to the NETID domain or to the UW Entra ID tenant.

If you have Windows devices in the NETID domain today and haven’t configured Windows Hello for Business, your users may have enabled it themselves, possibly with options that aren’t appropriate. For this reason, all OU admins should consider configuring Windows Hello for Business explicitly rather than leaving it to user choice.

WHfB topics

Windows Hello for Business is a complex technology. IT administrators supporting Windows devices are encouraged to educate themselves about how it works. The following documents are a good starting place:

As the links above imply, the UW primarily uses hybrid Entra ID device join with Entra ID Kerberos (what Microsoft’s documentation calls the cloud Kerberos trust deployment model) as the integration method. You generally don’t need to know this, but Microsoft’s documentation covers several deployment models, and knowing which one the UW uses will help you pick out the parts that apply.

When you change your UW NetID password, devices with Windows Hello for Business setup for that UW NetID will be impacted. Review Windows Hello and password changes.

There are several scenarios where a user’s device must have connectivity to the NETID domain (network line of sight to a NETID domain controller):

  1. when a user forgets their PIN and needs to reset that PIN
  2. first sign in or device unlock after provisioning Windows Hello for Business
  3. attempting to access an on-premises resource secured by NETID Active Directory

Strong authentication at device sign-in raises the security bar significantly. This is especially true in the Microsoft ecosystem, where lateral movement is a well-known attack pattern: if an attacker gets signed-in access to one Windows device, they can harvest the credentials cached or held in memory on it (password hashes, Kerberos tickets), use them to sign in to another Windows device, and repeat this until they find a device holding highly privileged credentials. Windows Hello for Business helps because the user no longer types a password on the device and the credential unlocked by the PIN or biometric is a private key bound to that device’s TPM, which cannot be copied to and replayed from another device. It does not make a signed-in session immune to ticket theft, but requiring strong authentication for all of your devices makes it much less likely that a malicious actor can start that cycle.

There are also a variety of scenarios which require strong authentication. For example, if you operate systems with financial data you are likely subject to the Gramm-Leach-Bliley Act (GLBA), which requires that all systems with access to that data have strong authentication. This includes workstations that might be connected to servers holding the data. So you may have a regulatory requirement for strong authentication.

Finally, depending on which authentication factors you enable, your users may find signing in easier than typing a password, so the user experience may improve as well.

Again, the intended audience for this topic is an IT administrator, so there’s nothing here about the actual end user experience of provisioning Windows Hello for Business on a device; this is all about what needs to happen before a user gets to that point. If you are an end user, see our documentation intended for you.

If your devices are not in a NETID delegated OU, you may need to first request a delegated OU and migrate your devices to it.

Generally speaking, there are three possible outcomes you might be seeking:

  1. Disable it. You don’t want any users using Windows Hello for Business from your devices.
  2. Remove undesirable options. You don’t want users to enable Windows Hello for Business with specific settings, but are otherwise fine if users choose to use it.
  3. Require it. You want all users of your devices to use Windows Hello for Business.

We’ll cover these possible outcomes primarily in the ‘Plan your implementation’ section below.

End user expectations

You’ll want to let your users know what to expect so they aren’t caught off guard. You might point them at our end user documentation. A key thing to communicate is the difference between their UW NetID password and a PIN. In this context a PIN is a secret string tied to their user account on one specific device: it is only ever used locally, to unlock the key stored on that device, and is never sent to NETID or Entra ID, whereas the UW NetID password is the account credential itself. They should not re-use their UW NetID password as their PIN. If they use multiple devices, their user account on each device can (and should) have a different PIN.

Plan your implementation

Start by reviewing the possible configuration settings for Windows Hello for Business. Picking the right settings may require knowledge of the deployed device hardware (TPM and biometric capabilities).

Do not choose:

  • ‘Use certificate for on-premises authentication’ setting; we don’t have ADFS deployed any longer
  • ‘Use PIN recovery’ setting; we don’t have the Azure PIN recovery service deployed

You should carefully consider the PIN length and complexity. Your choice should align with UW guidance regarding adequate password use.

If you want to disable WHfB, then all you need to do is add:

Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business > Use Windows Hello for Business=Disabled.

If you only want to remove undesirable options, then configure the settings you want (for example, disable the two settings above and set the PIN length and complexity), but do not configure, under either Computer Configuration or User Configuration:

Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business > Use Windows Hello for Business

If you want to require WHfB, then in addition to any other settings, make sure:

Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business > Use Windows Hello for Business=Enabled.

Configure the settings

Create a group policy object with your desired settings and assign that group policy object to the relevant Windows devices.
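The following PowerShell is an added example and is not part of the UW documentation or a UW-provided script. It builds a GPO for each of the three outcomes above using the GroupPolicy module and the registry locations defined by Passport.admx (the Windows Hello for Business administrative template), and includes a function to run on a workstation afterwards to confirm what policy actually arrived. The GPO name, the OU distinguished name, the PIN length and the PIN history count are placeholders you must replace; the registry value names are the ones the template writes, but verify them against the template on your own management workstation before relying on them.

```powershell
# Added example (not from the UW page): build the WHfB GPO described above and
# audit the result on a device. Requires RSAT (GroupPolicy module) on the admin
# workstation. Placeholder values are marked as assumptions.

Import-Module GroupPolicy

$GpoName  = 'WHfB - Require (example)'                                   # assumption
$TargetOu = 'OU=Workstations,OU=ExampleDept,OU=Delegated OUs,DC=example,DC=edu'  # assumption
$Key      = 'HKLM\SOFTWARE\Policies\Microsoft\PassportForWork'            # Passport.admx
$PinKey   = "$Key\PINComplexity"

function New-WhfbPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Disable', 'RemoveOptions', 'Require')][string]$Mode,
        [int]$MinimumPinLength = 8,   # assumption; align with UW password guidance
        [int]$PinHistory       = 5    # assumption
    )
    try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
    catch { $gpo = New-GPO -Name $GpoName }

    switch ($Mode) {
        'Disable' {
            # Outcome 1: "Use Windows Hello for Business" = Disabled. Nothing else is needed.
            Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Enabled' -Type DWord -Value 0 | Out-Null
            return $gpo
        }
        'Require' {
            # Outcome 3: "Use Windows Hello for Business" = Enabled.
            Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null
        }
        'RemoveOptions' {
            # Outcome 2: leave "Use Windows Hello for Business" Not Configured so users may
            # still choose WHfB; only the restrictions below apply.
            Remove-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Enabled' -ErrorAction SilentlyContinue | Out-Null
        }
    }

    # The two settings the page says not to choose: set them explicitly Disabled so
    # an inherited or user-side policy cannot turn them on.
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'UseCertificateForOnPremAuth' -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'EnablePinRecovery'           -Type DWord -Value 0 | Out-Null

    # "Use a hardware security device": keeps the key in the TPM. Devices without a TPM
    # will then be unable to provision WHfB, so check your hardware first.
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'RequireSecurityDevice' -Type DWord -Value 1 | Out-Null

    # PIN length and complexity. For the character-class values (Digits, UppercaseLetters,
    # LowercaseLetters, SpecialCharacters): 1 = required, 2 = not allowed, absent = allowed.
    Set-GPRegistryValue -Name $GpoName -Key $PinKey -ValueName 'MinimumPINLength' -Type DWord -Value $MinimumPinLength | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $PinKey -ValueName 'Digits'           -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $PinKey -ValueName 'History'          -Type DWord -Value $PinHistory | Out-Null

    return $gpo
}

function Get-WhfbEffectivePolicy {
    # Run elevated on a workstation after 'gpupdate /force' to see what was delivered.
    $machine = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -ErrorAction SilentlyContinue
    $user    = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork' -ErrorAction SilentlyContinue
    $pin     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity' -ErrorAction SilentlyContinue

    # The Computer Configuration value takes precedence over the User Configuration one.
    $enabled = if ($null -ne $machine.Enabled) { $machine.Enabled } else { $user.Enabled }
    $outcome = if ($enabled -eq 1) { 'Required' }
               elseif ($enabled -eq 0) { 'Disabled' }
               else { 'User choice (Not Configured)' }

    [pscustomobject]@{
        Outcome           = $outcome
        CertForOnPremAuth = [bool]$machine.UseCertificateForOnPremAuth   # should be False at the UW
        PinRecovery       = [bool]$machine.EnablePinRecovery             # should be False at the UW
        RequireTpm        = [bool]$machine.RequireSecurityDevice
        MinimumPINLength  = $pin.MinimumPINLength
        TpmPresent        = (Get-Tpm).TpmPresent                          # needs an elevated session
    }
}

# Usage on the admin workstation (assumed names):
#   New-WhfbPolicy -Mode Require -MinimumPinLength 8
#   New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes
# Then on a test workstation, after 'gpupdate /force':
#   Get-WhfbEffectivePolicy
```

Test the GPO on a small pilot OU before linking it to all of your devices: a device that reports RequireTpm as True but TpmPresent as False will not be able to provision Windows Hello for Business, and a device whose Outcome is not what you intended usually has a second, inherited GPO setting the same value.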