Comparing Windows Hello vs. Windows Hello for Business
Windows Hello allows desktop admins to manage local Windows authentication with new tools, but the difference between the free and business versions is critical for IT to know.
Windows native authentication services, such as Windows Hello for Business, can help organizations streamline user management, enhance desktop security and improve overall UX.
Windows Hello and Windows Hello for Business are both native authentication services available to Windows 10 and Windows 11, and they are each viable depending on the use case.
If organizations choose to deploy Windows Hello as an authentication measure, they should learn the distinctions between the free edition of Windows Hello and Windows Hello for Business.
What is Windows Hello?
Windows Hello is a secure authentication method built into Windows OSes. It lets users sign in to their desktops more easily and securely than with traditional passwords by authenticating with a PIN or biometric gesture. Windows Hello binds the user's credentials to the device and stores the credential data on the device. The data is never collected by servers, nor does it ever leave the device.
Windows Hello credentials cannot be used by anyone who does not have physical access to the device, helping to protect the system from network attacks, such as phishing, spoofing or replay. Windows Hello also lets users turn off password usage altogether. If this option is enabled, only a Windows Hello sign-in option can be used to access device features that require the user's Microsoft account and password, including apps and web browsers.
Windows Hello supports the following three sign-in options:
Facial recognition. An identity verification mechanism that's integrated into Windows Biometric Framework. It requires a camera that is specifically configured for near-infrared imaging, which provides greater consistency across different ambient lighting than traditional facial recognition systems. The sensor must have a false accept rate (FAR) of less than 0.001%. If the camera does not have antispoofing or liveness detection, it must also have a false reject rate (FRR) of less than 5%. If it does have either of these features, it must have an FRR of less than 10%.
Fingerprint recognition. An identity verification mechanism that uses a capacitive fingerprint sensor to scan a user's fingerprints, so a supported fingerprint reader is required. Sensors come in different shapes and sizes, which means that the FAR and FRR requirements vary by sensor type. For example, a swipe sensor must have a FAR of less than 0.002% and an effective, real-world FRR of less than 10% if the sensor includes antispoofing or liveness detection.
PIN. A nonbiometric authentication method that is bound to the Windows computer and backed by the Trusted Platform Module (TPM) chip, which is a secure, tamper-resistant crypto processor. A user's PIN can be between 4 and 127 characters and can contain a combination of letters, numbers and special characters. However, the use of letters and special characters isn't enabled by default.
Desktop administrators can easily set up Windows Hello by using the Settings app that comes with the Windows OS. There, they can choose a sign-in option and configure other settings. To use either of the biometric options, the computer must be equipped with a compatible infrared camera or fingerprint scanner. If neither type of sensor came with the computer, users can opt for a compatible external device that is physically connected to a USB port.
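The prerequisites above (a TPM to back the PIN, and an infrared camera or fingerprint reader for the biometric options) can be checked from PowerShell before a user is sent to the Settings app. The following script is an added example, not code from the article or from Microsoft. It relies on the built-in Get-Tpm, Get-PnpDevice and Get-Service cmdlets and assumes an elevated session; the infrared-camera test matches on the device's friendly name, which is a heuristic rather than a Windows guarantee.

```powershell
# Added example (not from the article): report whether this Windows 10/11
# device meets the Windows Hello prerequisites described above.
# Assumes an elevated PowerShell session; Get-Tpm needs administrator rights.

function Get-WindowsHelloReadiness {
    [CmdletBinding()]
    param()

    # TPM state: Get-Tpm comes from the built-in TrustedPlatformModule module.
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { Write-Verbose "Get-Tpm failed: $_" }

    # Fingerprint readers enumerate under the 'Biometric' PnP device class.
    $fingerprint = @(Get-PnpDevice -Class Biometric -PresentOnly -ErrorAction SilentlyContinue)

    # IR cameras enumerate as ordinary cameras. PnP metadata does not expose
    # whether a camera has a near-infrared stream, so this friendly-name match
    # is a heuristic (an assumption), not a Windows API guarantee.
    $irCameras = @(Get-PnpDevice -Class Camera, Image -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -match 'IR|Infrared' })

    # The Windows Biometric Service must be able to start for any biometric gesture.
    $wbio = Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue

    $tpmReady = [bool]($tpm -and $tpm.TpmReady)

    [pscustomobject]@{
        TpmPresent          = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady            = $tpmReady
        PinIsHardwareBacked = $tpmReady      # without a usable TPM the PIN is protected in software only
        FingerprintReaders  = $fingerprint.Count
        LikelyIrCameras     = $irCameras.Count
        BiometricServiceOk  = ($null -ne $wbio -and $wbio.StartType -ne 'Disabled')
        BiometricsPossible  = (($fingerprint.Count + $irCameras.Count) -gt 0)
    }
}

$readiness = Get-WindowsHelloReadiness
$readiness | Format-List

if (-not $readiness.TpmReady) {
    Write-Warning 'No ready TPM: Windows Hello credentials on this device will be software-backed.'
}
if (-not $readiness.BiometricsPossible) {
    Write-Warning 'No fingerprint reader or infrared camera detected: only the PIN sign-in option is available.'
}
```

Run it once per device model before rollout; a device that reports TpmReady as false still works with Windows Hello, but its PIN and keys do not get the tamper-resistant protection the article describes.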
What is Windows Hello for Business?
Windows Hello for Business extends Windows Hello by adding stricter security and broader management capabilities, including device attestation, conditional access policies, certificate-based authentication and multifactor authentication. The MFA process uses a PIN or biometric gesture, along with a device-specific credential that is tied to Microsoft Entra ID or Active Directory (AD).
Windows Hello for Business relies on multiple technologies that work together to securely authenticate users to their Windows desktop. The process of setting up a user's device with Windows Hello for Business can be broken down into the following five phases:
Device registration. The Windows desktop registers with an identity provider, either Microsoft Entra ID or AD. The registration is carried out by Device Registration Service in Microsoft Entra ID or Enterprise Device Registration Service in AD Federation Services (AD FS). After the device has been registered, the identity provider assigns an identity to the device. The identity is used to associate and authenticate the device to the identity provider when the user signs in.
Provisioning. After the device has been registered with the identity provider, a policy enables Windows Hello on that device. If all prerequisites are met, Windows Hello for Business launches a Cloud Experience Host window that steps the user through the provisioning process. The user must typically provide a username and password to request a new Windows Hello for Business credential. The user then provides a biometric gesture -- if the device supports biometrics -- and a PIN. The PIN is required even if a biometric gesture is used. After the PIN is created, a public/private key pair is generated. The public key is registered with the identity provider and mapped to the user's account.
Key synchronization. This phase is required only for Microsoft Entra hybrid deployments. It ensures that the user's public key is synchronized from Entra ID to AD. Microsoft Entra Connect Sync, which handles the synchronization, writes the key to the msDS-KeyCredentialLink attribute of the user object in AD.
Certificate enrollment. This phase is required only for certificate-based authentication. After registering the key, the client sends a certificate request to Certificate Registration Authority on the AD FS server. The server validates the request and fulfills it using the organization's public key infrastructure, which issues a certificate to the user.
Authentication. The user signs in with the registered PIN or biometric gesture. The private portion of the Windows Hello for Business credential is used to authenticate the user. The identity provider validates the user by mapping the user's account to the public key registered during the provisioning phase. If the identity provider can verify the user's identity, it authenticates the user.
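The first three phases leave visible state on the client and, for hybrid deployments, in AD. The script below is an added example (not code from the article or from Microsoft) that parses the output of the built-in dsregcmd /status tool into an object and reports whether device registration, provisioning and TPM protection are in place, then optionally confirms key synchronization by reading the msDS-KeyCredentialLink attribute with the RSAT ActiveDirectory module. The field names (AzureAdJoined, DomainJoined, NgcSet, NgcKeyId, TpmProtected, AzureAdPrt) are the labels dsregcmd prints; the sample text embedded in the script is constructed for illustration and is not captured from a real device.

```powershell
# Added example (not from the article): map dsregcmd /status output onto the
# registration, provisioning and key-synchronization phases described above.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Data lines look like "        AzureAdJoined : YES"; section banners
        # and blank lines contain no "Name : Value" pair and are skipped.
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-WhfbPhases {
    param([hashtable]$State)
    $registered   = ($State['AzureAdJoined'] -eq 'YES') -or ($State['DomainJoined'] -eq 'YES')
    $provisioned  = ($State['NgcSet'] -eq 'YES') -and -not [string]::IsNullOrEmpty($State['NgcKeyId'])
    $hybrid       = ($State['AzureAdJoined'] -eq 'YES') -and ($State['DomainJoined'] -eq 'YES')

    [pscustomobject]@{
        DeviceRegistered      = $registered                      # phase 1
        CredentialProvisioned = $provisioned                     # phase 2: key pair exists for this user
        KeyInTpm              = ($State['TpmProtected'] -eq 'YES') # private key held by the TPM
        HybridDeployment      = $hybrid                          # phase 3 (key sync) applies only here
        PrimaryRefreshToken   = ($State['AzureAdPrt'] -eq 'YES')
        NgcKeyId              = $State['NgcKeyId']
    }
}

# Optional AD-side check for phase 3: Microsoft Entra Connect Sync writes the
# public key to msDS-KeyCredentialLink. Needs the RSAT ActiveDirectory module.
function Test-WhfbKeySynced {
    param([Parameter(Mandatory)][string]$SamAccountName)
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Write-Warning 'ActiveDirectory module not available; skipping msDS-KeyCredentialLink check.'
        return $null
    }
    $user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-KeyCredentialLink'
    return (@($user.'msDS-KeyCredentialLink').Count -gt 0)
}

# Constructed sample resembling dsregcmd /status output (not real output).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
              TpmProtected : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
                  NgcKeyId : {00000000-0000-0000-0000-000000000000}
                AzureAdPrt : YES
'@ -split "`r?`n"

Test-WhfbPhases -State (ConvertFrom-DsregStatus -Lines $sample) | Format-List

# On a real device, feed live output instead of the sample:
#   Test-WhfbPhases -State (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
# and, for a hybrid user, Test-WhfbKeySynced -SamAccountName 'jdoe'
```

A device showing DeviceRegistered but not CredentialProvisioned has completed phase one only, which is the usual state when the Cloud Experience Host provisioning window was dismissed or a prerequisite (such as MFA) was not met. KeyInTpm false on a device that has a TPM usually means software key operations were permitted by policy.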
Administrators can configure Windows Hello for Business with an MDM platform. For devices not managed by an MDM platform, they can use Group Policy. Administrators should avoid using both MDM and Group Policy to manage Windows Hello for Business. Because Windows Hello for Business is a distributed system, its implementation and management should be carefully planned.
Whenever possible, Windows Hello for Business takes advantage of each system's TPM to generate and protect security keys. Although administrators can override this behavior by permitting software-based key operations, Microsoft recommends that they use the TPM because it protects against a wider range of threats, including brute-force attacks on the PIN.
Windows Hello vs. Windows Hello for Business
Windows Hello and Windows Hello for Business both help to simplify the Windows authentication process, and the differences between these two services are not always clear. This can make it difficult for decision-makers to know whether they should opt for Windows Hello for Business in their organizations or just stick with Windows Hello. The following five categories provide a rubric IT leaders can use to tell the two apart.
Windows Hello target users
Windows Hello is intended for personal use or for smaller organizations that don't centrally manage their computers. In either case, end users typically configure the service themselves. They must launch the Settings app and select the necessary options. Windows Hello is available to any user who is working on a nonmanaged Windows 10 or Windows 11 computer. It could also be available on a managed computer if Windows Hello for Business has been disabled.
Windows Hello for Business primarily targets larger organizations that centrally manage their users and computers and use Microsoft Entra ID or AD for their identity and access management. Windows Hello for Business is fully integrated with Entra ID and AD, and a computer must be registered with one of these services to use Windows Hello for Business.
Authentication with Windows Hello
When enabling Windows Hello, users must first authenticate to their Microsoft accounts or to an identity provider that supports FIDO2 (Fast Identity Online) authentication. Users can also authenticate to a local account, but this approach doesn't offer the same level of security because it's not backed by an asymmetric key.
With Windows Hello for Business, users must authenticate to AD, Microsoft Entra ID or an identity provider that supports FIDO2. Authentication is a multiphase operation that relies on numerous technologies working together to ensure a smooth and secure sign-on process. Authentication occurs only after the device has been registered with the identity provider and receives the necessary credentials.
Security features that Windows Hello offers
Windows Hello uses key-based authentication that is tied to the TPM. This approach is more secure than traditional passwords because the PIN cannot be stolen from a server or phished from the user and used remotely. However, Windows Hello does not support certificate-based authentication or certain advanced security features.
Windows Hello for Business enables key-based or certificate-based authentication. It provides two-factor authentication based on the following formula: something you have -- private key protected by the TPM -- plus something you know -- such as a PIN -- or something that is part of you -- a face or fingerprint. In addition, Windows Hello for Business supports advanced security features, such as device attestation and conditional access.
Special configurations with Windows Hello
With Windows Hello, end users typically set up the service themselves. They should launch the Settings app and go to Accounts > Sign-in options, where they can choose the type of authentication they want and set several other options. Beyond that, there are no special preparations they need to take. However, if they want to use one of the biometric sign-in options, the system must have an infrared camera or fingerprint sensor available.
In contrast, Windows Hello for Business is centrally managed by IT administrators, often using an MDM platform, such as Intune, ManageEngine or SOTI MobiControl. For example, administrators can use Intune to configure the minimum and maximum PIN length and whether the PIN can contain uppercase letters, lowercase letters or special characters. As an alternative to MDM, administrators can use Group Policy to configure Windows Hello for Business, as long as the devices are joined to AD or Microsoft Entra hybrid.
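Whichever channel delivers the policy, the settings end up on the device, where they can be audited. The script below is an added example, not code from the article or from Microsoft. It reads the Group Policy registry location for Windows Hello for Business (HKLM\SOFTWARE\Policies\Microsoft\PassportForWork, with its Enabled and RequireSecurityDevice values and the PINComplexity subkey, whose character-class values use 0 for allowed, 1 for required and 2 for not allowed) and reports the PIN rules and whether software-backed keys are still permitted. The MDM storage path it searches to flag the mixed MDM-plus-Group-Policy case is an assumption and may differ by Windows version.

```powershell
# Added example (not from the article): audit the Windows Hello for Business
# policy in force on a device and flag the two situations the article warns
# about: software-backed keys and policy arriving through both MDM and GPO.

$GpRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$MdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'   # assumed MDM-delivered policy location

function Get-RegValue {
    # Returns the named value or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Describe-PinCharClass {
    # PINComplexity character-class values: 0 = allowed, 1 = required, 2 = not allowed.
    param($Value)
    if ($null -eq $Value) { return 'not configured' }
    switch ([int]$Value) {
        0       { return 'allowed' }
        1       { return 'required' }
        2       { return 'not allowed' }
        default { return "unknown ($Value)" }
    }
}

function Get-WhfbPolicyAudit {
    $pin    = Join-Path $GpRoot 'PINComplexity'
    $minLen = Get-RegValue $pin 'MinimumPINLength'
    $maxLen = Get-RegValue $pin 'MaximumPINLength'
    $minText = if ($null -ne $minLen) { $minLen } else { 'not configured (Windows default minimum is 4)' }
    $maxText = if ($null -ne $maxLen) { $maxLen } else { 'not configured (Windows maximum is 127)' }

    $audit = [pscustomobject]@{
        GroupPolicyKeyPresent = (Test-Path $GpRoot)
        MdmPolicyKeyPresent   = (Test-Path $MdmRoot)
        WhfbEnabled           = ((Get-RegValue $GpRoot 'Enabled') -eq 1)
        HardwareKeyRequired   = ((Get-RegValue $GpRoot 'RequireSecurityDevice') -eq 1)   # 1 = key must live in the TPM
        MinimumPinLength      = $minText
        MaximumPinLength      = $maxText
        Digits                = Describe-PinCharClass (Get-RegValue $pin 'Digits')
        UppercaseLetters      = Describe-PinCharClass (Get-RegValue $pin 'UppercaseLetters')
        LowercaseLetters      = Describe-PinCharClass (Get-RegValue $pin 'LowercaseLetters')
        SpecialCharacters     = Describe-PinCharClass (Get-RegValue $pin 'SpecialCharacters')
    }

    $findings = @()
    if ($audit.GroupPolicyKeyPresent -and $audit.MdmPolicyKeyPresent) {
        $findings += 'Policy data found under both the Group Policy and the MDM locations; manage Windows Hello for Business through one channel only.'
    }
    if ($audit.WhfbEnabled -and -not $audit.HardwareKeyRequired) {
        $findings += 'RequireSecurityDevice is not set: software-based key operations remain permitted.'
    }

    $audit | Add-Member -NotePropertyName Findings -NotePropertyValue $findings -PassThru
}

Get-WhfbPolicyAudit | Format-List
```

A PIN policy that reads "not configured" for every character class means the Windows defaults apply: digits allowed, letters and special characters not allowed, which matches the behaviour described for the free edition above.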
Windows Hello licensing
Windows Hello is included with all Windows 10 and Windows 11 editions. Users can configure it in the Settings app to get started, keeping in mind that the biometric sign-in options require the necessary facial or fingerprint sensor. Microsoft also recommends that the computer includes a TPM chip to get the fullest protection. Without a TPM, credentials are stored in software, which is not as secure.
Windows Hello for Business is included in the Windows Pro, Education A3 and A5, and Enterprise E3 and E5 editions. Although Windows Hello for Business is not licensed as a separate product, it does require Microsoft Entra ID or AD registration, which can translate to additional licensing costs. The exact licensing structure and costs that go with it depend on how organizations use Microsoft services and what services they already have in place. For example, IT can deploy Windows Hello for Business using the Microsoft Entra ID Free tier, which comes with Microsoft cloud subscriptions, such as Microsoft 365. However, some advanced management features are not available with this tier.
Robert Sheldon is a freelance technology writer. He has written numerous books, articles and training materials on a wide range of topics, including big data, generative AI, 5D memory crystals, the dark web and the 11th dimension.