Mastering Windows Hello for Business: Your Ultimate Deployment Guide

Windows Hello for Business

In today’s security-conscious environment, passwords are no longer sufficient to protect your organization’s data. With the rise in phishing attacks, password breaches, and the need for a more secure authentication method, Windows Hello for Business (WHfB) offers a strong, multi-factor authentication solution that uses biometrics and PINs. In this guide, I’ll walk you through the process of deploying Windows Hello for Business in your organization.

Overview of Windows Hello and Windows Hello for Business


Windows Hello is a modern authentication technology that enables users to sign in to their Windows devices using biometric data (such as fingerprint or facial recognition) or a PIN instead of a traditional password. This technology offers enhanced security features, including phish-resistant two-factor authentication and built-in brute force protection. Additionally, Windows Hello supports FIDO/WebAuthn, allowing users to sign in to supported websites without needing to remember multiple complex passwords.

Windows Hello for Business builds on Windows Hello by providing enterprise-grade security and management capabilities. It includes advanced features such as device attestation, certificate-based authentication, and conditional access policies. These capabilities ensure that devices remain secure and compliant with organizational policies.

Key Differences Between Windows Hello and Windows Hello for Business

Authentication
  - Windows Hello for Business: users can authenticate to a Microsoft Entra ID account, an Active Directory account, or identity provider (IdP) / relying party (RP) services supporting FIDO v2.0.
  - Windows Hello: users can authenticate to a Microsoft account or to identity provider (IdP) / relying party (RP) services supporting FIDO v2.0.

Security
  - Windows Hello for Business: utilizes key-based or certificate-based authentication with no symmetric secret (like a password) that can be stolen or phished. Enhanced security is available on devices with a Trusted Platform Module (TPM).
  - Windows Hello: allows users to create a PIN or biometric gesture on their personal devices for convenient sign-in. This configuration is unique to the device and, depending on the account type, can use a password hash (the Windows Hello convenience PIN), which is not backed by asymmetric or certificate-based authentication.
Windows Hello for Business is specifically designed for organizations that require a higher level of security and control, offering robust authentication options that integrate seamlessly with enterprise identity and access management solutions.

Benefits of Windows Hello for Business

Windows Hello for Business offers a range of significant benefits that enhance security and user experience:

Enhanced Protection Against Credential Theft: By requiring both the physical device and the user's biometric data or PIN, Windows Hello for Business significantly reduces the risk of unauthorized access. This dual requirement makes it much harder for attackers to gain entry without the user's direct involvement.

Phishing and Brute Force Attack Prevention: Since Windows Hello for Business eliminates the use of passwords, it effectively circumvents common phishing and brute force attacks. Additionally, server breaches and replay attacks are mitigated due to the use of asymmetric credentials generated within the secure environment of Trusted Platform Modules (TPMs).

User-Friendly Authentication: Users benefit from a simple and convenient authentication method that is always with them. The use of a PIN, which is securely stored on the device and protected against brute force attacks, ensures that security is maintained without the risk of losing physical authentication tokens.

Flexible Deployment of Biometric Devices: Organizations can easily integrate biometric devices into their security infrastructure, either as part of a comprehensive rollout or targeted to specific users as needed, providing flexibility in enhancing security measures.

Planning and Deploying Windows Hello for Business

There are numerous deployment options available for Windows Hello for Business, allowing it to seamlessly integrate with different organizational infrastructures. Although the deployment process might seem intricate, many organizations will discover that much of the required infrastructure is already in place. It's crucial to understand that Windows Hello for Business operates as a distributed system, necessitating careful planning and coordination across multiple teams within your organization.

Deployment Models

Choosing the right deployment model is crucial for a successful implementation of Windows Hello for Business. Your current infrastructure may influence which model is most suitable.
There are three deployment models to consider:

Cloud-only: Ideal for organizations with cloud-only identities and no need for on-premises resources. Devices are joined to the cloud, using cloud services like SharePoint Online and OneDrive. Since users do not access on-premises resources, certificates for VPNs are unnecessary.

Hybrid: Suited for organizations with identities synchronized between Active Directory and Microsoft Entra ID. This model supports single sign-on (SSO) for both on-premises and cloud-based resources, providing a seamless user experience.

On-premises: Designed for organizations without cloud identities or Microsoft Entra ID applications. It focuses on integrating on-premises applications with Active Directory, offering SSO for accessing these resources.

Note: In this blog, I will concentrate on the cloud-only and hybrid deployment models.

Trust Types


The trust type in a Windows Hello for Business deployment defines how clients authenticate to Active Directory, though it doesn’t affect authentication to Microsoft Entra ID. Because of this, trust types aren’t applicable in a cloud-only deployment model.

Windows Hello for Business uses key-based authentication for Microsoft Entra ID, except in federated environments using smart cards.

When choosing a trust type, consider whether you need to issue authentication certificates to users. While no trust model is inherently more secure than another, certificate-based deployments require more configuration, including a certificate authority. In federated environments, Device Writeback in Microsoft Entra Connect must be activated.

Here are the three trust types:

Cloud Kerberos: Users authenticate to Active Directory by requesting a TGT from Microsoft Entra ID via Microsoft Entra Kerberos, with domain controllers handling service tickets and authorization. This trust type uses the same infrastructure as FIDO2 security keys and is suitable for both new and existing deployments.

Key: Users authenticate to on-premises Active Directory with a device-bound key created during provisioning. This requires distributing certificates to domain controllers.

Certificate: Authentication certificates are issued to users, who then authenticate using a certificate tied to a device-bound key. This type requires PKI for domain controller certificates and end-user certificates for on-premises authentication.

Note: Cloud Kerberos Trust offers a simplified deployment without the need for PKI, public key synchronization, or provisioning delays. It supports FIDO2 security keys and is the recommended model over key trust, especially if certificate authentication isn't required.

Note: In this blog, I will showcase cloud Kerberos trust with the hybrid deployment model.

WHfB Deployment Models: Supported Options & Requirements

Cloud-only
  - Trust type: n/a
  - PKI required: No
  - Authentication to Microsoft Entra ID: Cloud authentication
  - Requirements: n/a
  - Supported join type: Microsoft Entra joined, Microsoft Entra registered
  - Device registration service provider: Microsoft Entra ID
  - MFA options: Microsoft Entra MFA; non-Microsoft MFA via external method in Microsoft Entra ID or federation
  - Key registration service provider: Microsoft Entra ID
  - Directory sync options: n/a
  - Device configuration options: CSP, GPO (local)
  - Windows version: all supported versions
  - Domain controller OS version: all supported versions
  - Cloud services licenses (minimum): not required

Hybrid
  - Trust type: Cloud Kerberos
  - PKI required: No
  - Authentication to Microsoft Entra ID: Cloud authentication
  - Requirements: Password hash sync (PHS) or Pass-through authentication (PTA)
  - Supported join type: Microsoft Entra joined, Microsoft Entra hybrid joined, Microsoft Entra registered
  - Device registration service provider: Microsoft Entra ID
  - MFA options: Microsoft Entra MFA; non-Microsoft MFA via external method in Microsoft Entra ID or federation
  - Key registration service provider: Microsoft Entra ID
  - Directory sync options: Microsoft Entra Connect Sync
  - Device configuration options: CSP, GPO (Active Directory or local)
  - Windows version: Windows 10 21H2 with KB5010415 and later; Windows 11 21H2 with KB5010414 and later
  - Domain controller OS version: Windows Server 2016 with KB3534307 and later; Windows Server 2019 with KB4534321 and later; Windows Server 2022
  - Cloud services licenses (minimum): not required
Note: Windows Hello for Business doesn't require a Microsoft Entra ID P1 or P2 subscription. However, some dependencies, such as MDM automatic enrollment and Conditional Access do.

WHfB Cloud Only Deployment

When you join a device to Microsoft Entra ID (using Windows Autopilot, the Windows OOBE, or Windows Settings), it automatically attempts to enroll you in Windows Hello for Business. If you plan to use Windows Hello for Business in a cloud-only environment with default settings, no additional configuration is required.

In cloud-only deployments, Microsoft Entra multifactor authentication (MFA) is used during the Windows Hello for Business enrollment process. If you're not already registered for MFA, you'll be guided through the registration during enrollment.

Policy settings can be adjusted to manage Windows Hello for Business behavior through configuration service providers (CSP) or group policies (GPO). In cloud-only deployments, devices are typically configured via an MDM solution like Microsoft Intune.

Note: If the Intune tenant-wide policy disables Windows Hello for Business, or if devices are deployed with Windows Hello disabled, you’ll need to enable it by configuring the policy setting.

I will demonstrate two options for enabling Windows Hello on your cloud-only devices:

  • Using Intune
  • Using Local GPO
Intune is the preferred and most convenient method, as it allows you to configure settings remotely without needing to visit each machine individually.

Configuring WHfB Policy Using Intune

For Microsoft Entra joined and hybrid joined devices enrolled in Intune, you can manage Windows Hello for Business using Intune policies.

There are several methods to enable and configure Windows Hello for Business through Intune. Choose whichever of the methods below fits your requirements.

Method-1 Tenant-Level Policy

This policy is applied only during the device enrollment process. Any changes made to the configuration afterward do not affect devices already enrolled in Intune.
Since it applies to all devices upon enrollment, this policy is typically disabled by default. Instead, Windows Hello for Business is usually enabled via a policy targeted at a specific security group.
  1. Sign in to the Microsoft Intune admin center
  2. Select Devices > Windows > Windows Enrollment
  3. Select Windows Hello for Business
  4. Verify the status of Configure Windows Hello for Business and update the settings as required
Windows Hello for Business Tenant-Level Policy

WHfB Tenant Level Policy Settings

Once the settings are selected, click Save.
To disable Windows Hello for Business at the tenant level, set the corresponding setting to "Disabled". You can still enable Windows Hello for Business at the user or device level using the other configuration options.


Method-2 Device Configuration Policy:
This policy is applied after device enrollment, and any changes are pushed to devices during regular policy refresh intervals. You have various policy types to choose from:

Option-1 Settings catalog

To configure Windows Hello using the Settings Catalog:
  1. Sign in to the Microsoft Intune admin center
  2. Select Devices > Windows > Configuration > Create > New Policy
  3. Select the Platform Windows 10 and later
  4. Select Profile Type Settings Catalog
  5. Select Create
Intune Create Windows Device Configuration Profile
  6. Assign a policy Name and Description and click Next
Intune Windows Configuration Profile Name

  7. On the Configuration Settings page, click Add settings.
  8. On the Settings Picker page, search for Windows Hello.
  9. In the search results, select the appropriate settings based on your policy assignment (User/Device level).

Below are the mandatory settings for enabling WHfB:
  • Use Passport For Work: true
  • Require Security Device: true
  10. Close the Settings Picker and enable the required settings under Windows Hello for Business
Windows Hello for Business Device Configuration Settings
Policy settings details ref: PassportForWork CSP | Microsoft Learn
  11. Select Next and keep the Scope Tags as default
  12. Select Next
Windows Device Configuration Policy Scope Tags

  13. In the Assignments section, assign the required User/Device group. You can also exclude a specific group. Once the group is selected, choose Next
Intune Windows Hello for Business Policy Assignments

  14. Review the settings and choose Create
Windows Hello for Business Configuration Policy Review

            

Option-2 Custom policy using the PassportForWork CSP

Follow the instructions below to configure your devices with a custom Intune profile that sets the PassportForWork CSP directly through OMA-URIs.
  1. Sign in to the Microsoft Intune admin center
  2. Select Devices > Windows > Configuration > Create > New Policy
  3. Select the Platform Windows 10 and later
  4. Select Profile Type Templates, then select the Custom template
  5. Select Create
    Intune Windows Hello for Business Configuration Profile Templates

  6. In the new menu, enter the Name and Description for the policy and click Next
    Windows Hello for Business Policy CSP Name

  7. On the Configuration Settings page, click Add next to OMA-URI Settings.
  8. In the next window, fill in the Name, Description, OMA-URI, Data type, and Value fields using the details provided below.
Note: Replace {TenantId} with your Entra tenant ID.

- Name: Use Passport For Work
- OMA-URI: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork
- Data type: Boolean
- Value: True
Intune WHfB OMA-URI Settings
- Name: Require Security Device
- OMA-URI: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice
- Data type: Boolean
- Value: True
Intune WHfB OMA-URI Settings
  9. Select Next
Intune WHfB OMA-URI Settings
  10. In the Assignments section, add the necessary User/Device group and click Next.
Intune Policy Assignment
  11. In the Applicability Rules section, leave the settings unchanged and click Next
Intune Applicability Rule
  12. Review the settings and choose Create
Intune Policy Review
        

Option-3 Account protection policy


Account protection policy settings are designed to safeguard user credentials. This policy focuses on configuring Windows Hello for Business, encompassing both device-scoped and user-scoped settings, as well as Credential Guard, which is integral to Windows identity and access management.

To configure Account Protection settings:
  1. Sign in to the Microsoft Intune admin center
  2. Select Endpoint security, then select Account protection
  3. Select Create Policy from the Account protection tab
  4. Choose Platform Windows 10 and later
  5. For Profile, select Account protection
  6. Select Create
Intune Account Protection Policy
  7. In the Create Policy menu, enter a Policy Name and Description, then click Next.

Intune Account Protection Policy Name
  8. On the Configuration Settings page, select the User- or Device-level settings according to the policy assignment target, depending on whether the policy is assigned to a User Group or a Device Group.
In my case, I am selecting User Level settings, as shown in the screenshot below.
Intune Windows Hello for Business User Settings
  9. Keep the Scope Tags default.
Intune Policy Scope Tags
  10. In the Assignments tab, add the necessary User Groups and then select Next.
Intune WHfB Policy Assignments
  11. Review the settings and select Save.
Intune WHfB Policy Review
These options give you the flexibility to manage Windows Hello for Business in a way that best suits your organization's needs.

Windows Hello for Business Policy Configuration using Local GPO

To configure Windows Hello for Business with group policy on a single device, use the Local Group Policy Editor:
  1. Sign in with a local administrator account on the Windows 10/11 PC.
  2. Open Run, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
  3. Go to:
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business

Update the state of the following two policies to the values shown:

Use Windows Hello for Business: Enabled
Use a hardware security device: Enabled

Windows Hello for Business Local GPO
or, for a per-user policy:
User Configuration\Administrative Templates\Windows Components\Windows Hello for Business
Windows Hello for Business local GPO User Config



WHfB Cloud Only Deployment End User Experience

The Windows Hello for Business provisioning process begins immediately after a user signs in, as long as the prerequisite checks pass. For an existing user (one already using that Windows device), provisioning starts at the next sign-in after the Intune policy is applied.

  1. If the device supports biometric authentication, the user is prompted to set up a biometric gesture, which can be used to unlock the device and authenticate to resources requiring Windows Hello for Business. The user can skip this step if they choose not to set up a biometric gesture.
    Windows Hello for Business Setup After User Sign-in
    In my lab VM I don't have a biometric device, so I moved to the next step.
  2. Next, the user is prompted to use Windows Hello with their organization account and clicks OK.
    M365 User Login to Setup MFA
    Since my user doesn't have MFA configured, I will be prompted to set up MFA using the Authenticator application.
    M365 User Verification before MFA setup

    M365 MFA Configuration

  3. The provisioning process then moves to the multi-factor authentication (MFA) stage. The system attempts to contact the user through their configured MFA method. The process will not proceed until authentication either succeeds, fails, or times out. If MFA fails or times out, an error is displayed and the user is asked to retry.

  4. Upon successful MFA, the user is prompted to create and validate a PIN, adhering to any PIN complexity policies configured on the device.
    Windows Hello for Business PIN Setup
Once enrolled in Windows Hello, users use their gesture (such as a PIN or fingerprint) to access their devices and corporate resources. This unlock gesture is valid only on the enrolled device.
Windows Hello for Business Authentication using PIN
Note: If the organization requires users to change their Active Directory or Microsoft Entra account passwords regularly, those password changes do not affect Windows Hello.

WHfB Hybrid, Cloud Kerberos Trust Deployment

Make sure your devices are Microsoft Entra hybrid joined before enabling Windows Hello for Business (WHfB) cloud Kerberos trust. Additionally, review the WHfB Deployment Models Supported Options & Requirements table above for the hybrid deployment.

1. Deploy Kerberos Server Object

Microsoft Entra ID can issue Kerberos ticket-granting tickets (TGTs) for one or more of your Active Directory domains. This allows users to sign in to Windows using modern credentials, such as Windows Hello for Business(with Cloud Kerberos Trust), FIDO2 security keys, and access traditional Active Directory-based resources. The Kerberos Service Tickets and authorization are still managed by your on-premises Active Directory domain controllers (DCs).

A Microsoft Entra Kerberos server object is created within your on-premises Active Directory instance and securely published to Microsoft Entra ID. This object isn't tied to any physical servers but serves as a resource that Microsoft Entra ID can use to generate Kerberos TGTs for your Active Directory domain.

Note: When implementing the cloud Kerberos trust deployment model, it's essential to ensure that each Active Directory site where users will be authenticating with Windows Hello for Business has a sufficient number of read-write domain controllers.

To create the Kerberos server object, you first need to install the AzureADHybridAuthenticationManagement PowerShell module.

Follow these steps from a Domain Member Server:

1. Open a PowerShell prompt with the "Run as administrator" option.
   
2. Install the AzureADHybridAuthenticationManagement module by executing the following commands:

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
AzureADHybridAuthentication Module Installation
Note: The first command ensures TLS 1.2 is used when contacting the PowerShell Gallery; the second installs the module used to manage hybrid authentication.

3. Run the commands below to create the Microsoft Entra ID (Azure AD) Kerberos server object.

$domain = $env:USERDNSDOMAIN

Enter the UPN of a Global Administrator, replacing admin@contoso.onmicrosoft.com:

$userPrincipalName = "admin@contoso.onmicrosoft.com"

Enter a Domain Administrator username and password when prompted:

$domainCred = Get-Credential
Domain Admin Authentication
Note: To create the new Microsoft Entra ID (Azure AD) Kerberos server object in Active Directory and publish it to Microsoft Entra ID, run the following command.

Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred

Note: This command opens an interactive sign-in prompt for the given user principal name to access Microsoft Entra ID (Azure AD).
Azure AD Kerberos Server Object Creation
4. The Kerberos server object is now created. You can view and verify the new Microsoft Entra Kerberos server with the following command:

Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential (Get-Credential)

Verify Azure AD Kerberos Server Object settings



Note:
1. The Microsoft Entra Kerberos server krbtgt encryption keys should be rotated on a regular basis. The command below does this; $cloudCred holds the Global Administrator credential and $domainCred the Domain Administrator credential captured earlier.

# Cloud (Global Administrator) credential used by the -CloudCredential parameter
$cloudCred = Get-Credential
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey

2. To remove the Microsoft Entra Kerberos server object, use the command below.

Remove-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

2. Configure WHfB Policy for Cloud Kerberos Trust

After setting up the Microsoft Entra Kerberos object, we need to enable and configure Windows Hello for Business to use cloud Kerberos trust. The following policy settings are required for this configuration:

1. Use Windows Hello for Business
2. Use cloud Kerberos trust for on-premises authentication
3. Use a hardware security device

These policy settings can be configured using either Intune policies or Local/Domain Group Policy (GPO).

Method-1 Intune WHfB Policy Configuration (Using Settings Catalog)

  1. Sign in to the Microsoft Intune admin center
  2. Select Devices > Windows > Configuration > Create > New Policy
  3. Select the Platform Windows 10 and later
  4. Select Profile Type Settings Catalog
  5. Select Create
Intune Windows Configuration Profile Creation
  6. Enter a Profile Name and Description, then click Next.
Windows Hello for Business Profile Name
  7. Select Add settings and add the settings below, which are required for Windows Hello for Business with cloud Kerberos trust; once added, select Next to continue.

  • Use Passport For Work
  • Use Cloud Trust For On Prem Auth
  • Require Security Device
Windows Hello for Business Policy Settings

  8. Keep the Scope Tags default, select Next, and assign the policy to the required User/Device group.
  9. Click Next to review the settings and select Create.
Windows Hello for Business Policy Review & Create

Method-2 Intune WHfB Policy Configuration (Using Custom Template)

  1. Sign in to the Microsoft Intune admin center
  2. Select Devices > Windows > Configuration > Create > New Policy
  3. Select the Platform Windows 10 and later
  4. Select Profile Type Templates, then choose the Custom template
  5. Select Create
Intune Windows Hello for Business Custom Policy
  6. In the policy creation window, assign a Profile Name and Description, then click Next.
Windows Hello for Business Custom Policy Name
  7. On the Configuration Settings page, click Add next to OMA-URI Settings and enter the settings provided below.

Note: Replace {TenantId} with your Entra tenant ID.

    Name: Use Passport For Work
    OMA-URI: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork
    Data type: Boolean
    Value: True
WHfB Use Passport For Work

    Name: Use Cloud Trust For On Prem Auth
    OMA-URI: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth
    Data type: Boolean
    Value: True
WHfB Use Cloud Trust For On Prem Auth

    Name: Require Security Device
    OMA-URI: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice
    Data type: Boolean
    Value: True
WHfB Require Security Device

WHfB Custom OMA-URI Settings
  8. After adding all the settings, click Next and assign the policy to the appropriate User/Device group.
  9. Leave the Applicability Rules unchanged in the next menu, then review the policy and click Create.
WHfB Custom Policy Review & Create
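Both custom-template procedures (Option-2 in the cloud-only section and Method-2 here) build the same custom profile, so they can be scripted instead of clicked through. The following is an added example, not code from the original post or from Microsoft: it assembles the three PassportForWork OMA-URI settings and creates and assigns the custom profile through Microsoft Graph. It assumes the Microsoft.Graph.Authentication module is installed, the signed-in admin holds the DeviceManagementConfiguration.ReadWrite.All permission, and the placeholder group ID is replaced with a real Entra group object ID.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumptions: Microsoft.Graph.Authentication module installed; signed-in admin has
# DeviceManagementConfiguration.ReadWrite.All; $groupId replaced with a real group ID.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# {TenantId} in the OMA-URIs is the Entra tenant ID of the signed-in context.
$tenantId = (Get-MgContext).TenantId
$groupId  = '00000000-0000-0000-0000-000000000000'   # placeholder: target User/Device group

function New-WhfbOmaSettings {
    # Builds the omaSettingBoolean entries for the PassportForWork CSP policies shown
    # in the post. -CloudKerberosTrust adds UseCloudTrustForOnPremAuth, which only
    # applies to the hybrid cloud Kerberos trust model (Option-2 cloud-only omits it).
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [switch]$CloudKerberosTrust
    )
    $base  = "./Device/Vendor/MSFT/PassportForWork/$TenantId/Policies"
    $names = [ordered]@{
        'Use Passport For Work'   = 'UsePassportForWork'
        'Require Security Device' = 'RequireSecurityDevice'
    }
    if ($CloudKerberosTrust) {
        $names['Use Cloud Trust For On Prem Auth'] = 'UseCloudTrustForOnPremAuth'
    }
    $settings = foreach ($entry in $names.GetEnumerator()) {
        @{
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = $entry.Key
            omaUri        = "$base/$($entry.Value)"
            value         = $true
        }
    }
    return @($settings)
}

# Custom (OMA-URI) device configuration profile, the same object the portal's
# "Templates > Custom" wizard creates.
$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'WHfB - cloud Kerberos trust (custom OMA-URI)'
    description   = 'Enables Windows Hello for Business with cloud Kerberos trust and a TPM requirement'
    omaSettings   = New-WhfbOmaSettings -TenantId $tenantId -CloudKerberosTrust
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the profile to the group (the "Assignments" step in the post).
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created profile '$($created.displayName)' ($($created.id)) and assigned it to group $groupId"
```

Omit -CloudKerberosTrust to produce the two-setting profile from the cloud-only Option-2 section.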

Method-3 WHfB Policy Configuration Using Domain GPO

We can configure the Use Windows Hello for Business policy setting in either the computer or user node of a GPO:
  • If you deploy the policy setting under the computer node, all users who sign in to the targeted devices will attempt Windows Hello for Business enrollment.
  • If you deploy the policy setting under the user node, only the targeted users will attempt Windows Hello for Business enrollment.
  • If both user and computer policy settings are deployed, the user policy setting takes precedence.
Note: To enable Cloud Kerberos trust, you must configure a dedicated policy available only as a computer configuration.
You may need to update your Group Policy definitions to configure this policy. Copy the Passport.admx and Passport.adml files from a Windows client that supports Cloud Kerberos trust to the corresponding language folder on your Group Policy management server.

To configure a domain GPO for Windows Hello for Business, log in to the primary domain controller (DC).

1. Open the Run dialog, type GPMC.msc, and press Enter. The Group Policy Management Console opens.
AD Group Policy Management

2. Select the Organizational Unit (OU) where you plan to apply the Windows Hello for Business policy. In my case, I chose one of my computer OUs.
3. Right-click the OU and select Create a GPO in this domain, and Link it here.
AD GPO Creation
4. In the New GPO window, give the GPO a Name and click OK.
AD GPO Name
5. The new GPO is created and linked to the selected OU. Right-click the new GPO object and select Edit.
AD GPO Edit
6. The Group Policy Management Editor opens. Navigate to the following policy paths and configure the settings as shown.

Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
or
User Configuration\Administrative Templates\Windows Components\Windows Hello for Business
    Setting: Use Windows Hello for Business
    Value: Enabled

Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
    Setting: Use cloud Kerberos trust for on-premises authentication
    Value: Enabled

Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
    Setting: Use a hardware security device
    Value: Enabled

WHfB Group Policy Settings
7. After completing the policy configuration, close the Group Policy Management Editor and the Group Policy Management Console.
8. Update Group Policy on the client PC and reboot the system.
9. Sign in with a user account that is synced to the Microsoft Entra ID tenant to check Windows Hello for Business provisioning.

WHfB Hybrid Kerberos Trust Deployment End User Experience

The Windows Hello for Business provisioning process begins immediately after a user signs in, provided the prerequisite checks pass. When cloud Kerberos trust is enabled for Microsoft Entra hybrid joined devices, an additional check verifies if the user has a partial TGT to ensure Microsoft Entra Kerberos is set up for their domain and tenant. This check can return three states: Yes, No, or Not Tested. The "Not Tested" state occurs if cloud Kerberos trust isn't enforced by policy or if the device is Microsoft Entra joined.

Note: Microsoft Entra joined devices do not perform the cloud Kerberos trust check. If Microsoft Entra Kerberos isn't set up, users can still sign in but won't have SSO to on-premises resources secured by Active Directory.

Now let's sign in with the user account and see the experience.
Windows Device User Login

After a successful sign-in, the user is prompted to set up Windows Hello for Business.
Windows Hello for Business Setup
In my lab VM, since I don't have a biometric device, I'll proceed to the next step.
User Login
Since the user is signing in for the first time, they need to complete the MFA setup. Choose Next to proceed.
User MFA Setup

Select Next.
Scan the QR code using the Microsoft Authenticator application, approve the notification using number matching, and select Next.
MFA Setup Scan QR Code

With the MFA setup completed, choose Next to confirm.
MFA Successfully configured
Choose Done to proceed to the next window.
MFA Setup Confirmation
The provisioning process doesn't proceed until authentication succeeds, fails, or times out. A failed or timed-out MFA results in an error and asks the user to retry.

Windows Hello for Business PIN Setup

Once MFA is configured and verified, you are prompted to set up your Windows Hello for Business PIN.
This PIN must satisfy any PIN complexity policies configured on the device.

Once PIN configuration is complete, you see the page below. Press OK to proceed.

Note: The provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required from the TPM if explicitly set through policy). Once the key pair is acquired, Windows communicates with the IdP to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user that they can use their PIN to sign in. The user may close the provisioning application and access their desktop.
Windows Hello for Business Setup Confirmation

The next time you sign in, you will be prompted to choose either Biometric or PIN authentication, based on your previous selection and configuration.

Note:
1. On a Microsoft Entra hybrid joined device, the first use of the PIN requires connectivity to a domain controller (DC). Once the user has signed in or unlocked with the DC reachable, subsequent unlocks can use cached sign-in, even without line of sight or network connectivity to a DC.
2. After enrollment, Microsoft Entra Connect syncs the user's key from Microsoft Entra ID to Active Directory.

The image below illustrates an end user logging in with Windows Hello for Business, along with their access to a shared folder and the status of their Kerberos TGT.
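To confirm the states described above on a client without reading screenshots, the following added example (not code from the original post) parses dsregcmd /status for the join, PRT, NgcSet and cloud/on-premises TGT fields, reads the Group Policy registry values behind the three GPO settings, and lists the Kerberos tickets with klist. It assumes it runs in the provisioned user's own session on a Microsoft Entra hybrid joined device configured by GPO; the registry value names are those defined by Passport.admx, and Intune/CSP-applied settings are not inspected.

```powershell
# Added example, not code from the original post. Run in the provisioned user's own
# (non-elevated) session so the "User State" section of dsregcmd /status, which
# holds NgcSet, belongs to that user.

function Get-DsregState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([^:|+]+?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-WhfbGpoPolicy {
    # Registry location written by the Windows Hello for Business ADMX (Passport.admx).
    # Value names assumed from that template: Enabled, RequireSecurityDevice,
    # UseCloudTrustForOnPremAuth. Values that are not set come back as $null.
    $path   = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $policy = [ordered]@{ Enabled = $null; RequireSecurityDevice = $null; UseCloudTrustForOnPremAuth = $null }
    if (Test-Path $path) {
        $item = Get-ItemProperty -Path $path
        foreach ($name in @($policy.Keys)) { $policy[$name] = $item.$name }
    }
    return $policy
}

function Test-WhfbState {
    # Each check maps to a state the post describes: hybrid join, PRT, the WHfB
    # container (NgcSet), the cloud TGT from Microsoft Entra Kerberos, the on-prem
    # TGT exchanged with a DC, and the three GPO settings.
    $ds  = Get-DsregState
    $pol = Get-WhfbGpoPolicy
    $checks = [ordered]@{
        'Hybrid joined (AzureAdJoined and DomainJoined)' = ($ds['AzureAdJoined'] -eq 'YES' -and $ds['DomainJoined'] -eq 'YES')
        'Primary Refresh Token present (AzureAdPrt)'     = ($ds['AzureAdPrt'] -eq 'YES')
        'WHfB container provisioned (NgcSet)'            = ($ds['NgcSet'] -eq 'YES')
        'Cloud TGT issued by Entra Kerberos (CloudTgt)'  = ($ds['CloudTgt'] -eq 'YES')
        'On-prem TGT exchanged with a DC (OnPremTgt)'    = ($ds['OnPremTgt'] -eq 'YES')
        'GPO: Use Windows Hello for Business'            = ($pol.Enabled -eq 1)
        'GPO: Use cloud Kerberos trust'                  = ($pol.UseCloudTrustForOnPremAuth -eq 1)
        'GPO: Use a hardware security device'            = ($pol.RequireSecurityDevice -eq 1)
    }
    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $c.Key; Result = $(if ($c.Value) { 'PASS' } else { 'FAIL' }) }
    }
}

Test-WhfbState | Format-Table -AutoSize

# The Kerberos TGT the post shows: list the tickets in the current logon session.
klist | Select-String -Pattern 'krbtgt'
```

A FAIL on CloudTgt with PASS on the other rows usually means the cloud Kerberos trust policy has not reached the device or the Kerberos server object has not been published for the user's domain.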


Things to Note:

  1. Changing a user's account password doesn't affect sign-in or unlock, because Windows Hello for Business authenticates with a key, not the password.
  2. When users are required to change their password (for example, because of an expiration policy), they aren't notified when signing in with Windows Hello, which can lead to authentication failures against Active Directory-protected resources. To address this, consider the following options:
     - Disable password expiration for user accounts.
     - Use PIN expiration policies instead of password expiration.
     - If password expiration is necessary, instruct users to change their password regularly or when they encounter authentication failures. Users can change their password by:
        - Pressing Ctrl + Alt + Del > Change a password.
        - Signing in with their password. If a change is required, Windows prompts them to update it.
     To change a password, the device must have connectivity to a domain controller.
  3. Windows Hello for Business should be configured using either GPO or CSP, but not both, to avoid conflicts. Mixing GPO and CSP settings causes problems, because CSP settings don't apply until the GPO settings are cleared. The MDMWinsOverGP policy doesn't help here: it only applies to policies in the Policy CSP, not the PassportForWork CSP where the Windows Hello for Business settings reside.
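The silent password-expiry problem in note 2 is easiest to manage proactively. The following script is an added example, not part of the original post: it queries Active Directory for users who already have a Windows Hello for Business key synced to their user object (msDS-KeyCredentialLink, as described in the enrollment note above) and whose password expires within a given number of days, so the help desk can warn them before Kerberos-protected resources start failing. It assumes the ActiveDirectory RSAT module, read access to the listed attributes, and that keys are synced to AD; the function name and output fields are this example's own.

```powershell
# Added example (not from the original post): list AD users with a WHfB key
# registered whose domain password expires soon or has already expired.
# Assumes the ActiveDirectory module (RSAT) and that Entra Connect syncs the
# user's public key into msDS-KeyCredentialLink, as the note above describes.
Import-Module ActiveDirectory

function Get-WhfbUsersWithExpiringPassword {
    [CmdletBinding()]
    param(
        # Report passwords expiring within this many days (already-expired included).
        [int]$WithinDays = 14,
        # Defaults to the whole domain; narrow to an OU if the forest is large.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # msDS-UserPasswordExpiryTimeComputed is a FILETIME; Int64.MaxValue means
    # "password never expires", 0 means "must change password at next logon".
    $never  = [Int64]::MaxValue
    $cutoff = (Get-Date).AddDays($WithinDays)

    Get-ADUser -LDAPFilter '(msDS-KeyCredentialLink=*)' -SearchBase $SearchBase `
        -Properties 'msDS-KeyCredentialLink', 'msDS-UserPasswordExpiryTimeComputed', 'PasswordLastSet' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        if ($null -eq $raw -or $raw -eq $never) { return }   # no expiry: nothing to warn about

        $mustChange = ($raw -eq 0)
        $expires    = if ($mustChange) { Get-Date } else { [DateTime]::FromFileTime($raw) }

        if ($expires -le $cutoff) {
            [pscustomobject]@{
                SamAccountName   = $_.SamAccountName
                WhfbKeyCount     = @($_.'msDS-KeyCredentialLink').Count
                PasswordLastSet  = $_.PasswordLastSet
                PasswordExpires  = $expires
                AlreadyExpired   = ($mustChange -or $expires -lt (Get-Date))
            }
        }
    }
}

# Usage: users whose password expires in the next 14 days, soonest first.
Get-WhfbUsersWithExpiringPassword -WithinDays 14 |
    Sort-Object PasswordExpires |
    Format-Table -AutoSize
```

Rows with AlreadyExpired set to True are the users who will hit unexplained access failures next time they touch an AD resource while signed in with their PIN; feeding this list to a notification or to a scheduled reminder closes the gap the note describes.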

Windows Hello for Business cloud Kerberos trust doesn't support the following scenarios:
  1. RDP/VDI with supplied credentials (use Remote Credential Guard or a certificate in the Windows Hello for Business container instead).
  2. Using cloud Kerberos trust with "Run as" (runas).
  3. Signing in on a Microsoft Entra hybrid joined device without prior DC connectivity.

Windows Hello for Business PIN Reset

Windows Hello for Business offers two ways for users to reset a forgotten PIN:

Destructive PIN Reset: The default method. The user's existing PIN and credentials, including any keys or certificates in the Windows Hello container, are deleted, and a new sign-in key and PIN are provisioned. No configuration is needed, and the Microsoft PIN reset service is not involved.

Non-Destructive PIN Reset: Preserves the user's Windows Hello for Business container and keys and changes only the PIN that authorizes use of those keys. To use this method, you must deploy the Microsoft PIN reset service and configure client policy to enable PIN recovery.

Comparison

Functionality
  Destructive PIN reset: The user's existing PIN and underlying credentials, including any keys or certificates in their Windows Hello container, are deleted. A new sign-in key and PIN are provisioned.
  Non-destructive PIN reset: The user's Windows Hello for Business container and keys are preserved. Only the PIN used to authorize key usage is changed. Requires deployment of the Microsoft PIN reset service and client policy to enable the PIN recovery feature.

Microsoft Entra joined
  Destructive PIN reset: Supported for cert trust, key trust, and cloud Kerberos trust.
  Non-destructive PIN reset: Supported for cert trust, key trust, and cloud Kerberos trust.

Microsoft Entra hybrid joined
  Destructive PIN reset: Supported for cert trust and cloud Kerberos trust from both Settings and above the lock screen. Key trust is supported only from the Settings page, with corporate network connectivity to a DC.
  Non-destructive PIN reset: Supported for cert trust, key trust, and cloud Kerberos trust from both Settings and above the lock screen. No network connection to a DC required.

On-premises
  Destructive PIN reset: If AD FS is used, users must have corporate network connectivity to the federation service.
  Non-destructive PIN reset: Not available; the PIN reset service relies on Microsoft Entra identities.

Additional configuration required
  Destructive PIN reset: Supported by default; no additional configuration required.
  Non-destructive PIN reset: Requires deployment of the Microsoft PIN reset service and client policy.

MSA/Enterprise
  Destructive PIN reset: Supported for both MSA and Enterprise accounts.
  Non-destructive PIN reset: Supported for Enterprise accounts only.

Source: Microsoft Learn

How Non-Destructive PIN Reset Works

Requirements:
  •   Applicable to hybrid or cloud-only Windows Hello for Business deployments.
  •   Available on Windows Enterprise, Education, and Pro editions (no additional licensing required).
When non-destructive PIN reset is enabled, a 256-bit AES key is generated and added to the user's Windows Hello for Business container. This key, known as the PIN reset protector, is encrypted with a public key from the Microsoft PIN reset service and stored on the client.

When a user initiates a PIN reset and authenticates to Microsoft Entra ID (including MFA), the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The client uses the decrypted protector to change the PIN. The container's keys are untouched, so the user keeps their existing sign-in key and any certificates, and nothing has to be re-registered with the IdP.

The feature is enabled through Group Policy or Microsoft Intune, allowing users to reset a forgotten PIN without re-enrolling their devices.

Setting up Non-Destructive PIN Reset

Before the non-destructive PIN reset feature can be used, two applications must be registered in your Microsoft Entra tenant:
  1. Microsoft PIN Reset Service Production
  2. Microsoft PIN Reset Client Production
To register these applications, follow the steps below.

Step 1: Visit the Microsoft PIN Reset Service Production website and sign in with at least Application Administrator privileges. Review the permissions requested by the Microsoft PIN Reset Service Production application and click Accept to grant the application access to your organization.
Microsoft PIN Reset Service Production Consent
After consent you are redirected to the page below; it can be safely ignored.
Microsoft PIN Reset Service Registration error page
Step 2: Go to the Microsoft PIN Reset Client Production website and sign in with at least Application Administrator privileges. Review the permissions requested by the Microsoft PIN Reset Client Production application and click Next.
Microsoft PIN Reset Client Production Consent
After acceptance, the redirect page is blank. This is known behavior.

Step 3: Sign in to the Microsoft Entra admin center at https://entra.microsoft.com and navigate to Applications > Enterprise applications. Both the Microsoft PIN Reset Service Production and Microsoft PIN Reset Client Production applications should now be listed.
Entra ID Enterprise Applications
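Checking the same thing from the command line is useful when you automate tenant validation or want proof that tenant-wide consent was actually recorded. The script below is an added example, not part of the original post: using the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module), it looks up both service principals by the display names shown above and reports whether each exists, is enabled, and has an OAuth2 permission grant of consent type AllPrincipals, which is what admin consent for the whole organization produces. The Application.Read.All scope and the function name are this example's assumptions.

```powershell
# Added example (not from the original post): verify that both PIN reset
# service principals are present and admin-consented, via Microsoft Graph.
# Assumes the Microsoft.Graph.Applications module and Application.Read.All.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

function Test-PinResetServicePrincipals {
    # Display names as they appear under Enterprise applications after consent.
    $required = @(
        'Microsoft PIN Reset Service Production',
        'Microsoft PIN Reset Client Production'
    )
    foreach ($name in $required) {
        $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" `
                  -Property 'Id', 'AppId', 'DisplayName', 'AccountEnabled' |
              Select-Object -First 1

        $tenantWideConsent = $false
        if ($sp) {
            # Admin consent for the organization shows up as a grant with
            # ConsentType 'AllPrincipals'; per-user consent would be 'Principal'.
            $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id
            $tenantWideConsent = [bool]($grants | Where-Object ConsentType -eq 'AllPrincipals')
        }

        [pscustomobject]@{
            DisplayName       = $name
            Registered        = [bool]$sp
            AccountEnabled    = if ($sp) { $sp.AccountEnabled } else { $false }
            AppId             = if ($sp) { $sp.AppId } else { $null }
            TenantWideConsent = $tenantWideConsent
        }
    }
}

# Usage: every row should show Registered, AccountEnabled and TenantWideConsent = True
# before you enable the client-side PIN recovery policy.
Test-PinResetServicePrincipals | Format-Table -AutoSize
```

If Registered is False for either entry, repeat the corresponding consent step; if it is registered but TenantWideConsent is False, the consent was granted for a single user rather than the organization and the clients will not be able to use the service.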

Step 4: Enable PIN recovery on the clients with either Intune or GPO. The steps below reuse the Windows Hello for Business policy created earlier in this guide, configured through the Intune settings catalog or a custom template; GPO is shown as a third option.

           Option-1 Intune Settings Catalog

Sign in to the Intune admin center and navigate to Devices > Windows > Configuration. Select the Windows Hello policy created earlier, go to Configuration settings, and click Edit.
Intune Windows Configuration Policy

Intune Windows Configuration Policy Edit
Click Add settings and search for Windows Hello for Business. Select Enable PIN Recovery and set the value to True. Review the policy and save it.
Windows Hello for Business Settings

Option-2 Intune Custom Template (OMA-URI)

Sign in to the Intune admin center and navigate to Devices > Windows > Configuration. Select the custom Windows Hello policy created earlier, go to Configuration settings, click Edit, and add the setting below. Then review and save the policy.

Name: Enable PIN Recovery
OMA-URI: ./Device/Vendor/MSFT/PassportForWork/TenantId/Policies/EnablePinRecovery
   (replace TenantId with your Microsoft Entra tenant ID; as noted earlier, this node lives in the PassportForWork CSP, not the Policy CSP)
Data type: Boolean
Value: True
Windows Hello For Business OMA-URI Policy

Option-3 Domain\Local GPO

To configure a single device with Group Policy, use the Local Group Policy Editor. To configure multiple devices joined to Active Directory, create or edit a Group Policy Object (GPO) with the following setting.

1. AD joined PCs (domain GPO):
   Open the Group Policy Management Console by running gpmc.msc.
   Select the desired GPO and edit it.
   Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Hello for Business.

   Group Policy setting: Use PIN Recovery
   Value: Enabled
AD Windows Hello for Business GPO


2. Local Group Policy:
   Open the Local Group Policy Editor by running gpedit.msc.
   Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business.

   Group Policy setting: Use PIN Recovery
   Value: Enabled

Windows Hello for Business PIN Reset Validation

After the user signs in, check which reset mode is in effect by running dsregcmd /status from the command line. In the output, look under the User State section for the CanReset line. DestructiveOnly means only destructive PIN reset is available (the default). DestructiveAndNonDestructive means non-destructive PIN reset is enabled, i.e. the PIN reset protector has been provisioned into the user's container. Note that the value can only change once the policy has applied and the user has signed in again.
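Reading that line by eye is fine for one machine; for a fleet or a help-desk script it helps to parse it. The function below is an added example, not part of the original post: it parses the text dsregcmd /status prints (the field names are the real ones the tool emits, the sample values are constructed) and returns an object that says whether non-destructive reset is enabled, together with the join state and PRT status that the reset flow depends on. The function name and the output property names are this example's own.

```powershell
# Added example (not from the original post): parse dsregcmd /status and
# report the Windows Hello for Business PIN reset capability for the user.
function Get-WhfbPinResetState {
    [CmdletBinding()]
    param(
        # Defaults to live output; pass captured lines to analyse another device.
        [string[]]$StatusText = (dsregcmd.exe /status)
    )
    # dsregcmd prints "   Name : Value" lines grouped under ASCII-boxed sections.
    $wanted = 'AzureAdJoined|DomainJoined|NgcSet|NgcKeyId|CanReset|AzureAdPrt'
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match "^\s*($wanted)\s*:\s*(.+?)\s*$") {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $canReset = $fields['CanReset']
    [pscustomobject]@{
        NgcSet                = ($fields['NgcSet'] -eq 'YES')          # a WHfB key exists for this user
        NgcKeyId              = $fields['NgcKeyId']
        CanReset              = $canReset
        NonDestructiveEnabled = ($canReset -eq 'DestructiveAndNonDestructive')
        HybridJoined          = ($fields['AzureAdJoined'] -eq 'YES' -and $fields['DomainJoined'] -eq 'YES')
        HasPrt                = ($fields['AzureAdPrt'] -eq 'YES')      # needed to reach the PIN reset service
    }
}

# Constructed sample of the relevant dsregcmd /status lines (not real device output).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
                  NgcKeyId : {00000000-0000-0000-0000-000000000000}
                  CanReset : DestructiveOnly
           WorkplaceJoined : NO
             WamDefaultSet : YES
                AzureAdPrt : YES
'@ -split "`r?`n"

# Against the sample this reports NonDestructiveEnabled = False (policy not yet in effect).
Get-WhfbPinResetState -StatusText $sample | Format-List

# On a real device, simply run it without arguments:
# Get-WhfbPinResetState
```

If NgcSet is False the user has not completed provisioning at all; if it is True but NonDestructiveEnabled is False after the policy was deployed, have the user sign out and back in (or lock and unlock) so the PIN reset protector can be generated and sealed to the service's public key.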

Here is a sample user state output for Destructive PIN Reset:

Windows Hello for Business DestructiveOnly PIN reset

Here is a sample user state output for DestructiveAndNonDestructive PIN Reset:
Windows Hello for Business DestructiveAndNonDestructive PIN Reset


Windows Hello PIN Reset User Experience

Destructive and non-destructive PIN resets follow the same steps. If users forget their PIN but have an alternate sign-in method, they can go to Sign-in options in Settings and reset the PIN from the PIN options. If no alternate sign-in is available, users can start the PIN reset from the Windows lock screen using the PIN credential provider. In both cases they must authenticate and complete multifactor authentication before the PIN is reset. Afterwards they can sign in with the new PIN.

Note: On Microsoft Entra hybrid joined devices, users must have corporate network connectivity to a domain controller to complete a destructive PIN reset.

PIN Reset Experience from the Login Screen

Expand Sign-in options and select the PIN pad icon.
Windows Hello for Business PIN Reset
Click I forgot my PIN.
Enter your password and press Enter.

Note: On Microsoft Entra joined devices this step instead presents a list of authentication options. The list depends on the authentication methods enabled in your tenant (for example password, PIN, or security key).
Windows Hello for Business PIN Reset Password Verification
Follow the on-screen instructions and select Reset PIN.
Windows Hello for Business PIN Reset

Choose the account.
Windows Hello for Business PIN Reset User Verification
Approve the MFA prompt.

MFA Prompt

Choose the new PIN.

Windows Hello for Business New PIN setup
Windows Hello for Business PIN Reset Final Confirmation
Windows Hello for Business PIN Reset Done

Reset PIN from Settings
  1. Sign in to Windows 10/11 using an alternate credential. In this example we sign in with the password to reset the PIN.
    Windows Login With Password

  2. Open Settings > Accounts > Sign-in options
    Windows Sign-in Options

  3. Select PIN (Windows Hello) > I forgot my PIN, then follow the account selection and MFA prompts. Once MFA verification is complete, you are prompted to set up your new PIN.
Windows Hello for Business Forgot my PIN

Select the user account.
User Selection for Windows Hello for Business PIN reset
Approve the MFA prompt.
MFA Prompt
Set up the new PIN.
Setup New PIN for Windows Hello for Business

After a successful PIN reset, you can sign in with your new Windows Hello for Business PIN.

Windows Hello for Business Login with PIN

Windows Hello for Business Login with PIN Success

Conclusion

Windows Hello for Business offers a robust, secure, and user-friendly authentication method that significantly improves an organization's security posture. By replacing passwords with a device-bound key unlocked by a PIN or biometric, it removes the shared secret that phishing and credential theft rely on and simplifies sign-in for users. Whether you deploy in a cloud-only or hybrid environment, Intune and Group Policy make configuring and managing Windows Hello for Business straightforward. With non-destructive PIN reset, users keep their keys and certificates and regain access quickly if they forget their PIN. By following the steps in this guide, you can deploy and manage Windows Hello for Business effectively and give your users a seamless, secure authentication experience.
