In this article, I’m going to show you how to enable Windows Hello for Business.
You should enable Windows Hello for Business to reduce the risk associated with passwords. Even if your users’ devices don’t have hardware for biometric Windows Hello, like a fingerprint reader or IR camera, they can still sign in with a PIN that is bound to the device.
Enabling Windows Hello for Business involves three steps. First you turn on Windows Hello for Business tenant-wide in Microsoft Endpoint Manager (MEM, today the Microsoft Intune admin center). Then you configure any additional settings, such as requiring devices to have a Trusted Platform Module (TPM) or setting PIN complexity. Finally, if you need to target particular users or groups, you assign the Windows Hello settings through a device configuration profile.
What is Windows Hello for Business
Windows Hello for Business is built into modern versions of Windows. It replaces the password with an asymmetric key pair bound to the device and, where available, protected by the TPM: the PIN or biometric gesture (fingerprint or facial recognition) unlocks the private key, which signs an authentication challenge, so no reusable secret is sent to Windows, Microsoft Entra ID (Azure AD), Active Directory, or the websites that accept it. When you enable Windows Hello for Business, you remove the password from the normal sign-in path and with it the phishing and replay risk that comes with it.
Microsoft says that PINs are more secure than passwords because a PIN is local to the device: it is never transmitted, and it only unlocks the key stored on that one device, so a PIN an attacker learns is useless without the hardware that holds the key. When the key lives in a TPM, the TPM’s anti-hammering logic also limits how many PIN guesses an attacker with the physical device can make.
To turn on Windows Hello for Business tenant-wide in the Endpoint Manager admin center:
1. Click Devices and, under Device enrollment, click Enroll devices.
2. On the Windows enrollment tab, select Windows Hello for Business.
3. Set Configure Windows Hello for Business to Enabled. You can also set the other options to suit your organization, such as Use a Trusted Platform Module (TPM), minimum and maximum PIN length, PIN complexity, and Allow biometric authentication. Note that this setting applies to every Windows device that enrolls in the tenant and cannot be scoped to a group; if you need group targeting, use a configuration profile as described next.
If you want Windows Hello for Business only for specific users or groups, or different settings for different groups, use a device configuration profile. To assign the Windows Hello settings to specific users or groups:
1. Go to the Endpoint Manager admin center and select Devices > Configuration profiles > Create profile.
2. Choose the platform Windows 10 and later and the profile type Templates > Identity protection, then configure the settings as needed (Configure Windows Hello for Business, Use a TPM, PIN length and complexity, biometrics).
3. On the Assignments page, select the users or groups the profile applies to. The Applicability rules page is optional; use it only if you need to restrict the profile further, for example to certain Windows editions or versions.
And that is it! Now you have enabled Windows Hello for Business for the users and groups you selected in your configuration profile.
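Once the profile has been assigned, the question a practitioner actually cares about is whether the policy reached the device and whether the user’s key was provisioned. The following PowerShell is an added example, not part of the original article: it reads the policy state from the registry, checks the TPM, and parses dsregcmd /status for the provisioning result. The registry value names (Enabled, UsePassportForWork, RequireSecurityDevice, MinimumPINLength) follow the Windows Hello for Business ADMX and PassportForWork CSP nodes and are an assumption to confirm on your own device if they come back empty.

```powershell
# Added example, not from the original article. Run as the user you are
# checking, in an elevated PowerShell: Get-Tpm needs elevation and dsregcmd
# reports the User State of whoever runs it.

function Get-DsregStatus {
    # Flatten "dsregcmd /status" into a hashtable of Name -> Value.
    # Section banners ("| Device State |") and separator lines do not match.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-WhfbPolicyState {
    # Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\PassportForWork;
    # the Intune PassportForWork CSP writes per tenant under
    # HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\Device\Policies.
    # Value names are assumed from the ADMX/CSP node names.
    $paths = @('HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork')
    $paths += Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork' -ErrorAction SilentlyContinue |
              ForEach-Object { "$($_.PSPath)\Device\Policies" }

    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $pol = Get-ItemProperty -Path $p
        $pin = Get-ItemProperty -Path "$p\PINComplexity" -ErrorAction SilentlyContinue
        $enabled = $pol.Enabled                               # ADMX name
        if ($null -eq $enabled) { $enabled = $pol.UsePassportForWork }   # CSP name
        [pscustomobject]@{
            Source                = $p
            Enabled               = $enabled
            RequireSecurityDevice = $pol.RequireSecurityDevice   # 1 = TPM required
            MinimumPINLength      = $pin.MinimumPINLength
        }
    }
}

function Get-TpmSummary {
    # Get-Tpm comes from the built-in TrustedPlatformModule module; the spec
    # version ("2.0, 0, 1.38" for example) is only exposed through WMI.
    $tpm = Get-Tpm
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Ready       = $tpm.TpmReady
        SpecVersion = $wmi.SpecVersion
        IsTpm20     = [bool]($wmi.SpecVersion -match '^2\.0')
    }
}

function Test-WhfbProvisioned {
    $s = Get-DsregStatus
    if ($s['NgcSet'] -eq 'YES') {
        Write-Host "WHfB key provisioned for this user (NgcKeyId $($s['NgcKeyId']))."
        return $true
    }
    # Not provisioned: the "Ngc Prerequisite Check" section explains why.
    # PolicyEnabled = NO    -> the Intune/GPO setting has not reached the device
    # DeviceEligible = NO   -> hardware requirement (typically TPM Required) not met
    # SessionIsNotRemote = NO -> you are in an RDP session; provisioning does not run there
    Write-Host "Not provisioned. PreReqResult = $($s['PreReqResult'])"
    foreach ($k in 'IsDeviceJoined','IsUserAzureAD','PolicyEnabled','PostLogonEnabled','DeviceEligible','SessionIsNotRemote') {
        Write-Host ('  {0,-20} {1}' -f $k, $s[$k])
    }
    return $false
}

Get-WhfbPolicyState | Format-List
Get-TpmSummary      | Format-List
Test-WhfbProvisioned
```

If Get-WhfbPolicyState returns nothing, the profile has not been applied yet (force a sync from Settings > Accounts > Access work or school, or wait for the next check-in); if RequireSecurityDevice is 1 but IsTpm20 is false, DeviceEligible will stay NO until you relax the TPM setting or replace the hardware.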
FAQs
Can I enable Windows Hello for Business on Windows 11 Home edition?
Windows Hello for Business is not available on Windows 11 Home. Home edition cannot be domain joined or Microsoft Entra (Azure AD) joined, which Windows Hello for Business relies on, and Microsoft lists only Pro, Enterprise, Pro Education/SE, and Education as supported editions. Home still offers consumer Windows Hello with a Microsoft account, but to use Windows Hello for Business you need to upgrade from Home first.
What happens if I can’t enable Windows Hello for Business due to hardware limitations?
You can still deploy Windows Hello for Business without a fingerprint reader or IR camera: the PIN is a full Windows Hello for Business credential, not a downgraded one, and biometrics are simply an additional gesture that unlocks the same device-bound key. The hardware that actually matters is the TPM. If you set Use a Trusted Platform Module (TPM) to Required, devices without a suitable TPM will report DeviceEligible: NO in dsregcmd /status and never provision; setting it to Preferred lets them fall back to software-protected keys, at the cost of the key no longer being hardware-isolated.
Does Windows Hello for Business work with Remote Desktop connections?
Yes, but only when the client, the host, and your infrastructure meet the following requirements:
OS support – Client and host must run Windows 10 1607 or later (or Windows Server 2016/2019/2022), and the host must be in the same AD forest or Microsoft Entra (Azure AD) tenant so that Kerberos can be used between them.
Credential flow – Either deploy certificate trust, so the Windows Hello for Business certificate is presented to the host like a smart-card certificate, or enable Remote Credential Guard, which authenticates to the host with Kerberos and never sends the credential to it. Neither path works over NTLM, so a host you connect to by IP address rather than by name (which forces NTLM) cannot use the Windows Hello credential.
Policy setting – The relevant Group Policy / Intune settings are Use Windows Hello for Business certificates as smart card certificates (Windows Components > Windows Hello for Business) for the certificate path, and Restrict delegation of credentials to remote servers set to Require Remote Credential Guard (System > Credentials Delegation) for the Remote Credential Guard path; the host must also be configured to allow Remote Credential Guard.
RDP client – Use Microsoft’s built-in Remote Desktop client (mstsc.exe or the Windows Store app); for Remote Credential Guard launch it as mstsc.exe /remoteGuard /v:hostname. Third‑party clients rarely support WHfB credentials today.
When those conditions are satisfied, the user authenticates to the remote PC with the same PIN or biometric gesture they use locally, and their private key never leaves the device.
What other sign-in methods will be available after I enable Windows Hello for Business?
By default, users can still fall back to passwords, smart cards, and (if configured) FIDO2 security keys or Microsoft Authenticator via web sign‑in. Administrators can tighten this posture:
Hide password sign‑in with the Enable Windows passwordless experience policy (Windows 11 22H2 with the September 2023 update or later, Microsoft Entra joined devices only; hybrid joined devices are not supported).
Require hardware-backed keys by setting Use a Trusted Platform Module (TPM) to Required, and enable biometrics where the hardware supports them. The PIN itself cannot be disabled: it is the mandatory gesture that biometrics are layered on top of, so set PIN length and complexity with that in mind.
Offer FIDO2 security keys where a device-bound Windows Hello key is impractical, such as shared or kiosk devices; both methods are phishing-resistant and neither transmits a shared secret.
Can I enable Windows Hello for Business in a hybrid cloud environment?
Absolutely. Microsoft supports three hybrid deployment models:
Key Trust – No user certificates, but every domain controller that authenticates Windows Hello users must run Windows Server 2016 or later and hold a domain controller certificate from an enterprise PKI (AD CS or a third‑party CA), and Microsoft Entra Connect (Azure AD Connect) must synchronize the users’ public keys back to AD.
Certificate Trust – Adds a user certificate issued by AD CS and, in hybrid deployments, requires AD FS with the Windows Hello for Business enrollment agent; still used where smart‑card parity matters, for example RDP without Remote Credential Guard.
Cloud Kerberos Trust – Newest and leanest: no certificates for users or domain controllers and no AD FS. It requires domain controllers on Windows Server 2016 or later (2016 and 2019 need the January 2020 or later cumulative updates), clients on Windows 10 21H2 (KB5010415) or Windows 11 21H2 (KB5010414) or later, and a Microsoft Entra Kerberos server object created in each AD domain.
Pick the model that matches your existing infrastructure. TPM 2.0 is recommended in every model and becomes mandatory once you set Use a TPM to Required. Roll out via Group Policy, Intune, or MEMCM (now Configuration Manager).
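Because cloud Kerberos trust is the model most new hybrid deployments pick, here is what it needs beyond the Intune policy itself, as an added example that is not part of the original article: creating the Microsoft Entra Kerberos server object with Microsoft’s AzureADHybridAuthenticationManagement module, and confirming on a client that the Windows Hello sign-in produced an on-premises TGT. The domain name corp.example.com and the admin UPN are placeholders; the accounts assumed are a Global Administrator (or Hybrid Identity Administrator) in Entra ID and a Domain Admin in AD.

```powershell
# Added example, not from the original article. Placeholders: corp.example.com
# and admin@contoso.onmicrosoft.com; substitute your own domain and account.

# 1. Publish the Microsoft Entra Kerberos server object. Run once per AD
#    domain from a machine that can reach a domain controller and the Internet.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

$domain     = 'corp.example.com'                     # placeholder AD domain
$cloudUpn   = 'admin@contoso.onmicrosoft.com'        # placeholder Entra admin
$domainCred = Get-Credential -Message 'Active Directory Domain Admin'

# -UserPrincipalName triggers an interactive cloud sign-in, so it works with
# MFA-protected admin accounts. Creates the AzureADKerberos computer object
# and the krbtgt_AzureAD account in AD and publishes the key to Entra ID.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUpn -DomainCredential $domainCred

# Confirm the object exists; KeyVersion (AD) and CloudKeyVersion (Entra ID)
# should match. Rotate the krbtgt_AzureAD key periodically, as you would krbtgt:
#   Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUpn -DomainCredential $domainCred -RotateServerKey
Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUpn -DomainCredential $domainCred

# 2. On a client that received the Windows Hello for Business policy with
#    "Use cloud trust for on-prem auth" enabled, sign in with the PIN and then
#    check the SSO State section of dsregcmd. All three should read YES:
dsregcmd /status | Select-String 'AzureAdPrt :|CloudTgt|OnPremTgt'

# OnPremTgt : NO with the other two YES typically means the client cannot
# reach a domain controller for the user's domain. klist lists the on-prem
# Kerberos tickets that the Windows Hello key obtained.
klist
```

Step 1 is a one-time action per domain (plus the periodic key rotation); step 2 is the check to run on a pilot device before you widen the assignment, since a user who gets CloudTgt but not OnPremTgt will authenticate to Entra ID resources but fail against on-premises file shares and servers.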