In this Ask the Admin, I’ll show you how to set up Windows Hello for Business using Microsoft Intune.
Previously known as Microsoft Passport for Work, Windows Hello for Business replaces passwords with two-factor authentication: one factor being a key or certificate that’s bound to the device, and the second a gesture, such as a PIN or biometric authentication stored locally on the device. For more information on Windows Hello for Business, see Introduction to Windows Hello for Business on the Petri IT Knowledgebase.
Windows Hello for Business provisions keys or certificates for users, effectively replacing their domain passwords. By default, Windows Hello credentials are based on an asymmetrical key pair that’s bound to the device and mapped to the user’s AD account during the registration process. Windows Hello for Business also supports certificate-based credentials for organizations that have a Public Key Infrastructure (PKI) in place.
But it’s also possible to log in to Windows with a domain account using a convenience PIN, if enabled in policy. It’s important to note that a convenience PIN is only an encrypted wrapper for the domain password, which is cached on the local device when the user signs in.
In the following example, I have user accounts in Azure Active Directory (AD) and Microsoft Intune is used for managing devices. Before you can complete the instructions, you’ll need both an Intune account and Azure Active Directory (Premium) subscription. You’ll also need a Windows 10 device that is already enrolled with your Intune tenant.
For more information on enrolling Windows 10 with Intune, see Microsoft Intune: Windows 10 Device Enrollment on the Petri IT Knowledgebase. Windows Hello for Business policy can also be configured using Active Directory Group Policy instead of an MDM solution.
Configure an MDM policy for Windows Hello for Business (Image Credit: Russell Smith)
For the purposes of this lab, I’ll accept all the default settings. But as you can see, the Windows Hello for Business settings can be customized. For instance, you can modify the minimum and maximum required PIN length, and enable or disable biometric authentication. Accept the default settings by clicking Save at the bottom of the portal window.
Once the Windows Hello for Business MDM policy is configured in Intune, users already working with enrolled devices will be prompted to set up a PIN via the automatic provisioning process. Users logging into VMs via Remote Desktop Services won’t be prompted automatically and need to set up a PIN manually:
If you haven’t already confirmed your identity on the device, you’ll be prompted to do so using one of several methods. In the instructions that follow, I’ll confirm my identity using an SMS sent to my mobile.
Set up a PIN and verify your identity (Image Credit: Russell Smith)
Verify your identity (Image Credit: Russell Smith)
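Once the policy has applied and the user has completed PIN setup, it’s worth confirming on the device that a Windows Hello for Business key was actually provisioned rather than a convenience PIN. The following PowerShell script is an added example, not part of the original article: it parses the report from the built-in `dsregcmd /status` tool and checks the `AzureAdJoined`, `AzureAdPrt` and `NgcSet` fields. The sample report text is constructed for offline testing; the field names are those printed by `dsregcmd`.

```powershell
# Added example (not from the article). Parses 'dsregcmd /status' output to confirm that
# the device is Azure AD joined, has a Primary Refresh Token, and that a Windows Hello for
# Business key (NgcSet) exists for the signed-in user.

function Get-DsregStatus {
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # Value lines look like "   NgcSet : YES"; section headers such as
        # "| User State |" and the +---+ rules do not match and are skipped.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-WhfbProvisioned {
    param([hashtable]$Status)
    $checks = [ordered]@{
        'Device is Azure AD joined'            = ($Status['AzureAdJoined'] -eq 'YES')
        'User has an Azure AD PRT'             = ($Status['AzureAdPrt']    -eq 'YES')
        'Windows Hello key provisioned (Ngc)'  = ($Status['NgcSet']        -eq 'YES')
    }
    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $state, $name)
    }
    # Returns $true only when every check passed
    return -not ($checks.Values -contains $false)
}

# Constructed sample report, shaped like the real tool's output, for offline testing
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
                AzureAdPrt : YES
'@ -split "`r?`n"

Test-WhfbProvisioned -Status (Get-DsregStatus -Lines $sample)

# On a real device, run the same checks against the live report:
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    Test-WhfbProvisioned -Status (Get-DsregStatus -Lines (& dsregcmd.exe /status))
}
```

A FAIL on the Ngc check after the user reports having a PIN is the usual sign that they set up a convenience PIN rather than completing Windows Hello for Business provisioning.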
In this article, I showed you how to set up Windows Hello for Business using Microsoft Intune.