How to Enable Windows Hello for Business

In this article, I’m going to show you how to enable Windows Hello for Business.

You should enable Windows Hello for Business to reduce the risk associated with passwords. Even if your users’ devices don’t have hardware that supports Windows Hello, like a fingerprint reader, you can still have them use a PIN to log in.

Enabling Windows Hello for Business involves 3 steps. First you turn on Windows Hello for Business in Microsoft Endpoint Manager (MEM). Then you can configure any additional settings, like requiring devices to have a Trusted Platform Module (TPM). Finally, you assign the Windows Hello policy to a configuration profile.

What is Windows Hello for Business

Windows Hello for Business is a solution in modern versions of Windows. It lets users securely log into Windows and websites using a PIN or biometric gesture, like a fingerprint or facial recognition.

Microsoft says that PINs are more secure than passwords because the PIN is associated with the device only. Unlike passwords, Windows Hello PINs cannot be used on other devices, so the PIN is useless to a hacker should it be discovered.

You can enable Windows Hello for all users from the Endpoint Manager Admin Center as shown here.

  1. Click on Devices and under Device enrollment, click Enroll devices.
  2. On the next window, select Windows Hello for Business.
  3. On the Windows enrollment screen, set the value of Configure Windows Hello for Business to Enabled. You can also set the other options as per your organization’s needs, like requiring a TPM or setting PIN requirements.


You can also enable Windows Hello for specific users or groups. To assign your Windows Hello policy to specific users or groups:

  1. Go to the Endpoint Manager Admin Center and go to Devices > Configuration Policies > Create Profile.
  2. In the profile options, select the values as needed. Here, we have created a policy to be applied on Windows 10 and later OSes, and the template is ‘Identity protection’.
  3. On the next window, select the users or groups to which this policy will be applied. You must also select the conditions that will trigger this policy.

And that is it! Now you have enabled Windows Hello for Business for the users and groups you selected in your configuration profile.
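One way to confirm on an enrolled device that the policy took effect, as an added example that is not part of the original article: it parses the output of the built-in `dsregcmd /status` command and summarizes the fields relevant to Windows Hello. The function name `Get-HelloState` and the sample text are constructed for illustration.

```powershell
# Added example, not from the original article. Get-HelloState is a hypothetical helper name.
function Get-HelloState {
    param(
        # Lines of `dsregcmd /status` output; by default the command is run locally.
        [string[]]$StatusText = (dsregcmd.exe /status)
    )
    $fields = @{}
    foreach ($line in $StatusText) {
        # dsregcmd prints "Name : Value" pairs; banner and separator lines do not match.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    # The prerequisite fields (PolicyEnabled, PreReqResult) may be absent once a
    # Hello credential already exists, so missing fields are reported as 'n/a'.
    $get = { param($name) if ($fields.ContainsKey($name)) { $fields[$name] } else { 'n/a' } }
    $state = [pscustomobject]@{
        AzureAdJoined = & $get 'AzureAdJoined'
        TpmProtected  = & $get 'TpmProtected'
        PolicyEnabled = & $get 'PolicyEnabled'
        PreReqResult  = & $get 'PreReqResult'
        NgcSet        = & $get 'NgcSet'
        Verdict       = ''
    }
    if ($state.NgcSet -eq 'YES') {
        $state.Verdict = 'Hello credential is provisioned for this user'
    } elseif ($state.PolicyEnabled -eq 'NO') {
        $state.Verdict = 'Hello policy has not reached this device'
    } elseif ($state.PreReqResult -eq 'WillProvision') {
        $state.Verdict = 'Policy received and prerequisites met; provisioning is pending'
    } else {
        $state.Verdict = 'Not provisioned; review the prerequisite fields'
    }
    $state
}

# Constructed sample output (not captured from a real device) so the check runs offline.
$sample = @'
AzureAdJoined : YES
TpmProtected : YES
NgcSet : NO
PolicyEnabled : YES
PreReqResult : WillProvision
'@ -split "`r?`n"

Get-HelloState -StatusText $sample | Format-List
```

On a real device, run `Get-HelloState` with no arguments in the signed-in user's session, since `NgcSet` is reported per user.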
