Employees forget passwords all the time. It’s part of daily life for busy professionals.
What happens when they can’t log in?
They reset their password, either by calling IT (and costing the company up to $70) or by handling it on their device. Most of the time, they pick something easier to remember, hoping to avoid the hassle of changing passwords again.
Then they get back to work, oblivious to the risk they are putting their organization at with their easy-to-crack password.
It’s no surprise that 81% of company data breaches are caused by poor passwords.
So what can you do to protect your company and thwart password-related security nightmares, aside from educating your workforce?
You can turn to Windows Hello for Business and replace passwords with robust two-factor authentication on Windows 10 and 11 devices.
But first, let’s find out what is Windows Hello for Business.
What is Windows Hello for Business?
Windows Hello for Business replaces passwords with strong authentication for domain-joined physical Windows desktops and laptops. Windows Hello for Business is a more secure version of Windows Hello, which many individual and home users are familiar with.
Windows Hello uses facial recognition or fingerprint matching to provide fully integrated biometric authentication. It uses a combination of infrared (IR) cameras and software to enhance accuracy and thwart spoofing attempts.
Why is a PIN better than a password?
Windows Hello in Windows 10 allows users to sign in to their device using a PIN.
On the face of it, a PIN can also be a bunch of numbers and alphabets similar to a password.
So why is a PIN better than a password?
PIN is tied to the device: Unlike an online password, a Hello PIN is tied to a specific device. So, if someone steals your PIN, they would also have to snitch your physical device to sign in to your account.
PIN is local to the device: A PIN is not stored on the server. When you create a PIN on your device, it forms a trusted relationship with the identity provider (in this case, you) by creating an asymmetric key pair. Each time you enter your PIN, the authentication key is unlocked, and the key is used to sign the request via the authentication server.
PIN has hardware support: The Hello PIN has another layer of hardware security in the form of a chip called Trusted Platform Module (TPM), which has several physical security mechanisms that make it resistant to tampering.
Windows Hello vs Windows Hello for Business
Windows Hello is basically for individuals and home users. For enterprises, Microsoft offers a more relevant solution called Windows for Business. Teams of all sizes can benefit from Windows for Business, which provides increased efficiency, security, and integration.
Here are the differences between Windows Hello for Business vs Windows Hello:
|Windows Hello||Windows Hello for Business|
|Sign-in||Individuals can create PIN or biometric gestures on their own devices for sign-in||Configured through Group Policy, or mobile device management (MDM)|
|Authentication||This configuration is referred to as Windows Hello convenience PIN. It’s not backed by asymmetric or certificate-based authentication.||Windows Hello for Business always uses key-based or certificate-based authentication.|
|Security||Windows Hello reduces the possibility of keyloggers, or password phishing, but the login process may still use your password hash.||It’s significantly more secure than Windows Hello|
Windows Hello for Business Setup
Microsoft has two main methods to set up Windows Hello for Business: Cert-Trust and Key-Trust.
We are going to look at the Key-Trust (or the Hybrid Key Trust) Windows Hello for Business setup method here.
Follow the instructions below to set up Windows Hello for Business step by step.
Hybrid environments are distributed systems that allow organizations to use on-prem and Azure-based identities and resources.
In Windows Hello for Business, the existing distribution system is a foundation that enables organizations to provide two-factor authentication for a single sign-in. These technologies were built on distributed systems that involved multiple pieces of on-prem and cloud infrastructure, including:
- Public Key Infrastructure
- Directory Synchronization
- Multifactor authentication
- Device Registration
To deploy Hybrid Key Trust, your organization has to register its domain joined devices to the Azure Active Directory.
To initiate Windows Hello for Business provisioning, allow access to the URL account.microsoft.com. This launches the next steps in the provisioning process and helps complete the process.
You need to check if the following distributed technologies that need to be configured exist in your current infrastructure:
- Active Directory
- Public Key Infrastructure
- Azure Active Directory
- Multifactor Authentication Services
To deploy a simple public key infrastructure suitable for a lab environment, use Enterprise Admin equivalent credentials to sign in on Windows Server 2012 (or a later server) where the certificate authority will be installed.
- Open an elevated Windows PowerShell prompt
- Use the following command to install the Active Directory Certificate Services role
add-windowsfeature adcs-cert-authority -IncludeManagementTools
- Use the following command to configure Certificate Authority using a basic certificate authority configuration
Next, create an Azure AD tenant process for provisioning an Azure tenant for your organization.
After configuring your Azure MFA settings, review how to require two-step verification for a user.
Configure Directory Synchronization
Hybrid Windows Hello for Business deployment requires both a cloud and an on-prem identity to authenticate and access resources.
Synchronize the on-prem Active Directory with Azure Active Directory. First, review the Integrating on-prem directories with Azure Active Directory and hardware and prerequisites. Then download the software.
If the user principal name (UPN) in your on-prem Active Directory is different from the UPN in Azure AD, take the following steps:
- Configure Azure AD Connect to sync the user’s on-prem UPN to the
onPremisesUserPrincipalName attribute in Azure AD.
- Add domain name of on-prem UPN as a verified domain in Azure AD.
In the Select your scenario based on your identity infrastructure section, identify your configuration (Managed environment or Federated environment) and perform steps applicable to your environment.
The configuration for Windows Hello for Business is grouped in the following four categories:
- Active Directory
- Azure AD Connect
- Public Key Infrastructure
- Group Policy
Provisioning begins immediately after the user signs in and after the user profile gets loaded, but before the user receives their desktop.
Validate if the computer has processed device registration. A ‘Yes’ will appear in the User device registration logs where the check Device is Azure Active Directory-joined (AADJ or DJ++).
Windows Hello for Business provisioning starts with a full-screen page. Click Set up a PIN.
The provisioning flow proceeds to Multi-Factor authentication. Provisioning informs the user that it is actively attempting to contact them through their configured form of Windows Hello for Business MFA. The provisioning process won’t move forward until authentication succeeds, fails, or times out.
A failed or timeout MFA leads to an error, and the user is asked to retry.
After a successful MFA, the provisioning flow asks the user to create and validate a PIN that meets the environment’s complexity requirements.
Windows Hello for Business requests an asymmetric key pair for the user. Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key.
When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign in.
Windows Hello for Business – Costs
Before we come to the Windows Hello for Business cost, it’s worth noting that Windows Hello for Business is part of the Azure Active Directory (Azure AD), which, in turn, is now part of Microsoft Entra.
Let’s break this down.
Microsoft Entra was launched on 31 May 2022 and includes a suite of identity and access products, one of which is Azure AD.
Now, it might take a while to wrap one’s head around the full scope and scale of Microsoft Entra, considering it’s a recently launched group of packaged Microsoft products, but Azure AD has been around for some years.
As far as Windows Hello for Business is concerned, you can access it if you have Azure AD.
Azure AD is available in four editions:
- Azure AD Free
- Office 365
- Azure AD Premium P1
- Azure AD Premium P2
As is clear from the above graphic, all four editions of Azure AD include Windows Hello for Business.
So, if you want to avail the benefits of Windows Hello for Business, you can even do that for no cost. But you’ll have to figure out if your organization needs to leverage the benefits that come with Azure AD Premium P1 and Azure AD Premium P2, both of which have a monthly user per cost.
Windows Hello for Business Deployment Guide
To deploy Windows Hello for Business, find out which deployment method is suitable for your organization. You can determine this by using the Passwordless Wizard in the Microsoft 365 admin center or the Planning a Windows Hello for Business Deployment guide. You now have all the information you need to deploy Windows Hello for Business.
Certain baseline infrastructure is needed for the deployment, both on-premises, and hybrid. The minimum requirements are:
- A well-connected, functioning network
- Internet access
- Multi-factor Authentication during provisioning
- Proper name resolution
- Active Directory and an adequate number of domain controllers
- Active Directory Certificate Services 2012 or later
- Workstation computers running Windows 10, version 1703 or later
- Ensure the appropriate server operating system is installed with the latest patches and joined to the domain if you are installing a server role for the first time
Deployment and trust models
Windows Hello for Business has three deployment modelsL
- Azure AD cloud only
Hybrid has three trust models:
- Key trust
- certificate trust
- and cloud trust
On-premises deployment models only support certificate trust and Key trust.
Hybrid deployments are for organizations that use Azure AD. On-premises deployments are for organizations that exclusively use on-premises Active Directory.
For environments using Azure AD, it is mandatory to use hybrid deployment models for all domains in that domain forest.
The type of trust model determines how users will authenticate to the on-prem Active Directory:
|Type of Model||Description|
Windows Hello for Business – Licensing
Windows Hello for Business usually does not come as a stand-alone licensing solution. Your organization can access it through Azure AD.
As we’ve seen above, Azure AD comes in 4 editions: Azure AD Free, Office 365, Azure AD Premium P1, and Azure AD Premium P2. Of these, the first two are free of charge. All four editions of Azure AD have Windows Hello for Business.
- Azure AD Premium P1 costs US$6 /user/month
- Azure AD Premium P2 costs $9 /user/month
Windows Hello for Business – Authentication Methods
As we’ve seen earlier, Windows Hello is meant for consumers and home users, while Windows Hello for Business is an enterprise version which is slowly but surely taking the business world towards a passwordless future.
In general, there are 4 Windows Hello for Business authentication methods.
Windows Hello uses three methods:
- Facial recognition (Biometric)
- Fingerprint (Biometric)
Windows Hello for Business takes this a step further by using a PIN code backed by an asymmetric pair of keys or certificate-based authentication.
Let’s look at the key features of each:
- A Microsoft Windows Hello Login Personal Identification Number or PIN is an easy-to-remember code and usually has four digits (though some organizations allow other combinations).
- If someone knows your PIN, they can get access to only that specific computer. The PIN cannot unlock your Microsoft account on any other computer.
- The PIN is necessary before setting up biometrics and is backed by the Trusted Platform Module (TPM) chip.
- Windows Hello facial authentication uses a specially configured camera to authenticate and unlock Windows 10 devices and unlock your Microsoft Passport.
- Enterprise-grade authentication plus access to Microsoft Passport Pro supported content is provided.
- Provides a consistent image (using InfraRed) in different lighting conditions, also allowing for subtle changes in appearance.
- If your laptop has a fingerprint reader, it is typically located below the right side of the keyboard or next to the display.
- Fingerprint authentication is attractive because of its simplicity. You just have to press your finger on the reader to access your system.
- Since your fingerprints are unique to you, it’s a secure way to log in to your computer.
Key or certificate-based authentication
- Windows Hello for Business credentials are based on a certificate or asymmetrical key pair and can be bound to the device.
- Identity providers (such as Azure AD) validate user identity and map the Windows Hello public key to a user account during registration. Keys may be generated in hardware or software
- Authentication is the two-factor authentication, a combination of a key or certificate tied to a device and PIN or biometrics. The Windows Hello gesture is not shared with the server and does not roam between devices.
Windows Hello for Business FAQs
“What is Windows Hello for Business used for?”
Windows Hello is the most widely known biometric authentication scheme supported by Windows. It enables Windows 10 users who have devices with fingerprint readers or special cameras to log in through fingerprint or facial recognition. Windows Hello for Business is part of the Microsoft passwordless strategy. More and more companies see the value in setting up Windows Hello for Business.
“Is Windows Hello for Business considered MFA?”
The Windows Hello for Business key meets the multi-factor authentication (MFA) requirements for Azure AD. It reduces the number of MFA prompts that users see when accessing resources.
“Does Windows Hello for Business require Azure AD?”
Device registration is a prerequisite for cloud and hybrid Windows Hello for Business deployments. A user won’t be able to provision Windows Hello for Business till the device from which they are attempting to provision has registered with Azure AD.
“Does Windows Hello for Business require Intune?”
Windows Hello for Business can be configured using Group Policy or an MDM like Microsoft Intune, which is a cloud-based service focused on mobile device management (MDM) and mobile application management (MAM).
“What is Windows Hello and do I need it?”
Windows Hello is a way to sign in to your Windows 10 device. It is more secure than a password as it uses biometric authentication. You can sign in via facial or fingerprint recognition. You don’t have to use Windows Hello on your Windows 10, but this is the future of accessing computers and devices.
You now know what Windows Hello for Business is, how it will help your organization, how to enable Windows Hello for Business, and its licensing mechanism.
But Windows Hello for Business is not just a new and smart way to authenticate identities and enhance security. It is, in fact, a powerful agent of change that is taking enterprises and organizations away from the somewhat problematic past of passwords to a more secure future.
No wonder 92% of businesses believe going passwordless is the future.
But change, even change for the better, can be anxiety-inducing. That’s where Amaxra comes in. Our experts will ensure that you get the best possible guidance on Windows Hello for Business customized to your organization’s specific needs.
Contact me at firstname.lastname@example.org or call 425 708 8841 if you have any questions or comments on this blog.
Limited time offer: Let Amaxra manage your Office 365 licensing and we will configure security such as multi-factor authentication at no additional cost. Email email@example.com or chat with us on this website to find out more.