
How to Enable Windows Hello for Business

In this article, I’m going to show you how to enable Windows Hello for Business.

You should enable Windows Hello for Business to reduce the risk associated with passwords. Even if your users’ devices don’t have hardware that supports Windows Hello, like a fingerprint reader, you can still have them use a PIN to log in.

Enabling Windows Hello for Business involves 3 steps. First you turn on Windows Hello for Business in Microsoft Endpoint Manager (MEM). Then you can configure any additional settings, like requiring devices to have a Trusted Platform Module (TPM). Finally, you assign the Windows Hello policy to a configuration profile.

What is Windows Hello for Business

Windows Hello for Business is a solution in modern versions of Windows. It lets users securely log into Windows and websites using a PIN or biometric gesture, like a fingerprint or facial recognition.


Microsoft says that PINs are more secure than passwords because the PIN is associated with the device only. Unlike passwords, Windows Hello PINs cannot be used on other devices, so the PIN is useless to a hacker should it be discovered.

You can enable Windows Hello for all users from the Endpoint Manager Admin Center as shown here.

  1. Click on Devices and under Device enrollment, click Enroll devices.
  2. On the next window, select Windows Hello for Business.
  3. On the Windows enrollment screen, set the value of Configure Windows Hello for Business to Enabled. You can also set the other options as per your organization’s needs, like requiring a TPM or setting PIN requirements.

You can also enable Windows Hello for specific users or groups. To assign your Windows Hello policy to specific users or groups:

  1. Go to the Endpoint Manager Admin Center, then go to Devices > Configuration Policies > Create Profile.
  2. In the profile options, select the values as needed. Here, we have created a policy to be applied on Windows 10 and later OSes, and the template is ‘Identity protection’.
  3. On the next window, select the users or groups to which this policy will be applied. You must also select the conditions that will trigger this policy.

And that is it! Now you have enabled Windows Hello for Business for the users and groups you selected in your configuration profile.
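Once the policy is assigned, you can confirm on a device that it arrived and that provisioning can proceed. The script below is an added example, not part of the original article: it parses the output of `dsregcmd /status`. The function name `Get-HelloReadiness` is hypothetical, and the sample status lines are constructed for illustration.

```powershell
# Added example, not from the original article. Reads `dsregcmd /status`
# and reports whether Windows Hello for Business can provision on a device.
function Get-HelloReadiness {   # hypothetical helper name
    param(
        # Lines of `dsregcmd /status`; by default the command runs locally.
        [string[]]$StatusText = (dsregcmd.exe /status)
    )
    # dsregcmd prints "Key : Value" lines; collect them into a lookup table.
    $state = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    # The prerequisite-check keys can be missing once Hello is already set up,
    # so an absent key is reported as such instead of being treated as NO.
    $read = { param($key) if ($state.ContainsKey($key)) { $state[$key] } else { 'not reported' } }
    $tpm      = & $read 'TpmProtected'
    $ngc      = & $read 'NgcSet'
    $policy   = & $read 'PolicyEnabled'
    $eligible = & $read 'DeviceEligible'
    $prereq   = & $read 'PreReqResult'

    $verdict = if ($ngc -eq 'YES') {
        'Hello credential is provisioned for this user'
    } elseif ($policy -eq 'NO') {
        'Policy not applied: check the profile assignment and sync the device'
    } elseif ($eligible -eq 'NO') {
        'Policy applied, but the device fails the hardware requirement'
    } else {
        "Not provisioned yet; PreReqResult = $prereq"
    }

    [pscustomobject]@{
        TpmProtected   = $tpm
        NgcSet         = $ngc
        PolicyEnabled  = $policy
        DeviceEligible = $eligible
        Verdict        = $verdict
    }
}

# Constructed sample of the relevant status lines, so the parsing runs offline.
$sample = @'
              TpmProtected : YES
                    NgcSet : NO
             PolicyEnabled : YES
            DeviceEligible : YES
              PreReqResult : WillProvision
'@ -split '\r?\n'
Get-HelloReadiness -StatusText $sample
```

Call `Get-HelloReadiness` with no arguments in the signed-in user's session to evaluate the live device instead of the sample.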



Vignesh hails from the city of Pune in India. He has been working in the IT industry for the past 10 years. His main areas of focus are Microsoft 365, Exchange Online, PowerShell, Teams, SharePoint, Microsoft 365 Security. Follow him on Twitter for the latest on Microsoft 365 @vignesh_mudliar and www.linkedin.com/in/vignesh-mudliar-86570915b