Windows Hello for Business

Windows Hello for Business is an extension of Windows Hello that adds management through Active Directory group policy or the Intune configuration service provider (CSP). In our configuration, Windows Hello lets a user sign in and unlock their device with facial recognition or a fingerprint together with a PIN.

Hardware requirements

  • TPM 2.0
  • IR camera and/or fingerprint reader

PIN complexity

When a user enrolls in Windows Hello for Business, they are required to set a PIN. The PIN can be 6 to 127 characters long and may contain uppercase and lowercase letters, numbers, and special characters. No character class is required, so a user could, for example, set a PIN made entirely of special characters.

Multi-factor Unlock

To make Windows Hello for Business more secure, we require multi-factor unlock by default. With multi-factor unlock, the user must present two factors to unlock the computer. The first factor is a biometric, facial recognition or fingerprint, and the user chooses which. The second factor is the PIN set during enrollment.
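The PIN complexity and multi-factor unlock sections above describe settings that group policy writes to the client. The following PowerShell script is an added example, not the page's own tooling: run on an in-scope computer, it reads the values under HKLM\SOFTWARE\Policies\Microsoft\PassportForWork, compares the PIN settings with the ones documented here (6 to 127 characters, every character class allowed but not required) and lists which credential providers make up each unlock factor group. The provider GUID table is the mapping published in Microsoft's multi-factor unlock documentation as recalled here; any GUID not in the table is printed raw, so confirm the table against current documentation before relying on the names.

```powershell
# Added example: audit the Windows Hello for Business PIN complexity and
# multi-factor unlock policy on the local computer. Reading HKLM policy
# keys does not require elevation.

$pinKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
$unlockKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock'

# Values this page documents. For the character-class settings the PIN
# Complexity policy uses 0 = not allowed, 1 = required, 2 = allowed but not required.
$expectedPin = @{
    MinimumPINLength  = 6
    MaximumPINLength  = 127
    UppercaseLetters  = 2
    LowercaseLetters  = 2
    Digits            = 2
    SpecialCharacters = 2
}

# Credential provider GUIDs used by "Configure device unlock factors".
# Assumed to match Microsoft's documentation; verify before relying on them.
$providers = @{
    '{D6886603-9D2F-4EB2-B25C-49B7E01ED7BC}' = 'PIN'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Fingerprint'
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'Facial recognition'
}

function Test-WhfbPinPolicy {
    # Returns $true only when every documented PIN setting is present and matches.
    if (-not (Test-Path $pinKey)) {
        Write-Warning 'PIN complexity policy not present; this computer is probably not in scope yet.'
        return $false
    }
    $actual = Get-ItemProperty -Path $pinKey
    $ok = $true
    foreach ($name in $expectedPin.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            Write-Warning "$name is not set, so the Windows default applies."
            $ok = $false
        } elseif ($value -ne $expectedPin[$name]) {
            Write-Warning "$name is $value, expected $($expectedPin[$name])."
            $ok = $false
        }
    }
    return $ok
}

function Get-WhfbUnlockFactors {
    # Emits one object per factor group. GroupA is the first factor,
    # GroupB the second; each holds comma-separated provider GUIDs.
    if (-not (Test-Path $unlockKey)) {
        Write-Warning 'Multi-factor unlock policy not present; single-factor unlock is in effect.'
        return
    }
    $groups = Get-ItemProperty -Path $unlockKey
    foreach ($group in 'GroupA', 'GroupB') {
        $guids = ($groups.$group -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $names = $guids | ForEach-Object {
            if ($providers.ContainsKey($_)) { $providers[$_] } else { $_ }
        }
        [pscustomobject]@{ Group = $group; Factors = ($names -join ', ') }
    }
}

$pinOk = Test-WhfbPinPolicy
"PIN complexity matches the documented policy: $pinOk"
Get-WhfbUnlockFactors | Format-Table -AutoSize
```

On a computer in the default configuration, GroupA should list the biometric providers and GroupB the PIN. On a computer in a single-factor exception group, the DeviceUnlock key is absent and the script says so.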

If your department has users that need to use a single-factor unlock for compliance reasons, please fill out an EPS exception. Once approved, the computer(s) will be added to a group with policy assigned that has single-factor unlock configured.

Enrolling

Windows Hello for Business is an opt-in configuration: a computer must be added to a group in our domain to be in scope for the policy. Which computers receive the policy is up to departmental IT. Each department has a configuration opt-in group in its OU; add the computers you want configured for Windows Hello for Business to that group. A computer picks up its new group membership only at boot, so it has to be restarted before it receives the policy. After the restart, the user signs in, opens the Settings app, and goes to Accounts > Sign-in options. Under Ways to sign in the user sets their PIN and then configures facial and fingerprint recognition.
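The following PowerShell is an added example of the enrollment procedure above, not the page's own tooling. The first function runs from an administrator workstation with the ActiveDirectory RSAT module and rights to the department's opt-in group: it adds the computers, confirms membership, and restarts them, because the policy does not apply until the computer's group membership is refreshed at boot. The second function runs on the client in the enrolling user's own session after the restart and sign-in; it checks that the policy arrived (the Enabled value under HKLM\SOFTWARE\Policies\Microsoft\PassportForWork) and, using the NgcSet line of dsregcmd /status, whether that user has set a PIN yet. The group and computer names are placeholders.

```powershell
# Added example: put computers in scope for Windows Hello for Business
# and verify enrollment from the client side.

$optInGroup = 'WHfB-OptIn-ExampleDept'        # placeholder: your department's opt-in group
$computers  = 'DEPT-PC-01', 'DEPT-PC-02'      # placeholders

function Add-ComputersToWhfbScope {
    param([string]$Group, [string[]]$Names)
    # Resolve each name to its computer object so the NAME$ account is what gets added.
    $objects = foreach ($n in $Names) { Get-ADComputer -Identity $n }
    Add-ADGroupMember -Identity $Group -Members $objects
    # Confirm membership before restarting anything.
    $members = (Get-ADGroupMember -Identity $Group).Name
    $missing = $Names | Where-Object { $_ -notin $members }
    if ($missing) { throw "Not added to ${Group}: $($missing -join ', ')" }
    # Computer group membership is evaluated at boot; the policy will not
    # apply until then, so restart the computers now.
    Restart-Computer -ComputerName $Names -Force
}

function Test-WhfbClientState {
    # Run locally, signed in as the user who is enrolling.
    $policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $enabled = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).Enabled -eq 1
    # dsregcmd /status prints "NgcSet : YES" under User State once this user has a PIN.
    $match  = dsregcmd /status | Select-String -Pattern '^\s*NgcSet\s*:\s*(\w+)' | Select-Object -First 1
    $ngcSet = [bool]$match -and $match.Matches[0].Groups[1].Value -eq 'YES'
    if (-not $enabled)    { $next = 'Policy missing: check group membership, then restart (or run gpupdate /force).' }
    elseif (-not $ngcSet) { $next = 'Settings > Accounts > Sign-in options: set a PIN, then add face or fingerprint.' }
    else                  { $next = 'Enrolled.' }
    [pscustomobject]@{
        PolicyApplied = $enabled
        PinEnrolled   = $ngcSet
        NextStep      = $next
    }
}

# Admin side:
# Add-ComputersToWhfbScope -Group $optInGroup -Names $computers
# Client side, after restart and sign-in:
# Test-WhfbClientState
```

Test-WhfbClientState deliberately runs in the user's session rather than remotely: dsregcmd reports the user state of whoever runs it, so invoking it over a remote session as an administrator would show the administrator's enrollment, not the user's.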

Once enrolled, the user chooses on the lock screen which method to use to unlock the computer. The user can always fall back to their password from the lock screen if a biometric sensor is not working.

Limitations

A single device supports at most 10 enrollments. For that reason, Windows Hello for Business is not recommended for most multi-user situations (student labs, teaching labs, public labs, etc.).