TechTarget.com/searchenterprisedesktop

https://www.techtarget.com/searchenterprisedesktop/tip/How-to-navigate-the-Windows-Hello-for-Business-requirements

How to navigate the Windows Hello for Business requirements

By Gary Olsen

Authentication services are critical to any organization to establish a baseline of protection against cyberthreats such as malware and ransomware, so many organizations look for services such as Windows Hello for Business to provide OS-level security.

While it isn't a one-size-fits-all approach to security, Windows Hello for Business can be a crucial tool for IT administrators to employ alongside other security services. Before organizations jump to deploy this service, however, they must determine if they meet the requirements for Windows Hello for Business.

What are the requirements for Windows Hello for Business?

Windows Hello for Business itself is included in Windows licenses, including Windows Pro, Windows Enterprise E3 and E5, and Windows Education A3 and A5. The additional cost comes from employing identity and management infrastructure, such as Microsoft Entra ID and Intune.

Windows Hello for Business is also accessible through a Microsoft 365 E3 or E5 subscription. Thus, the cost for Windows Hello for Business comes from Entra ID P1 or P2, which is included in some Microsoft 365 subscriptions. Note that Entra ID also has a no-cost tier, appropriate for small teams or consultants.

For comparison, Windows Hello is included in Windows 10 and 11 at no additional cost.

What features does Windows Hello for Business offer?

Authentication software provides several important services to the enterprise, including the following:

• User identity and verification prior to obtaining authorization to access company resources. Commonly referred to as User Access Control, it provides advanced access control for user access to devices.
• Password management and security services, including password managers, such as LastPass, 1Password and built-in managers, such as the one offered in Chrome.
• Security threat reduction by providing initial frontline security filters. Even in an SMB that doesn't have budgeting for expensive authentication services, there are basic products that provide at least a cursory level of protection.
• Advanced security, including multifactor authentication (MFA), policy-based conditional access and single sign-on (SSO). This can move organizations toward a passwordless environment.
• Regulatory compliance and legal requirements. This is achieved through products with policy-based rules enforcement.

Windows Hello is set up on each device by configuring options shown in Figure 1. In Windows 10 or 11, go to Settings > Accounts > Sign-in Options. This permits Windows Hello to configure the following:

• Facial recognition.
• Fingerprint recognition.
• PIN.

Facial and fingerprint recognition are limited to devices with proper device hardware. For instance, the camera must be compatible with Windows Hello. Windows Hello also does not provide support for SSO, MFA, web and cloud services, or conditional access and policies.

Windows Hello is time-consuming to set up, configure and maintain for more than a few devices compared to using the bulk management that comes with Windows Hello for Business. Thus, Windows Hello for Business is the tool of choice for large organizations. Windows Hello for Business is available in the Azure and Intune tool and is used to manage all cloud configured desktops.

Windows Hello for Business also supports several enterprise critical services and features, including the following:

• Conditional Access policies.
• A cloud-based central platform for identity management to manage users, apps and policies. For instance, IT can centrally manage policies for PIN length, biometric types, expiration and more.
• Support for web, Windows, cloud services and third-party authentication.
• All authentication methods provided by Windows Hello, plus some methods not provided by the basic version, including MFA and SSO. This includes the Microsoft Authenticator application for mobile devices and SMS.

Windows Hello for Business deployment options

Since Windows Hello for Business is the only valid Microsoft authentication tool for business environments, organizations must review the different requirements before deploying this technology.

The deployment options for Windows Hello for Business include cloud-only, on-premises and hybrid. The model that IT selects should depend on how the organization manages authentication, identity and devices. Use the following descriptions to determine which model fits the business needs of the organization.

Cloud-only deployment with Entra ID

This option is designed for organizations that have devices joined only to Entra and have limited or no on-premises infrastructure. Intune is typically the most straightforward option for management. These devices are all joined only to the Entra infrastructure and only access cloud resources, such as SharePoint Online and OneDrive (Figure 2).

On-premises Active Directory deployment without Entra ID

For organizations that have non-Entra ID access and do not have cloud services, the on-premises deployment model is the best option. Devices are joined only to the on-prem Active Directory (AD) infrastructure. These clients use on-premises applications and usually require SSO for access.

Hybrid deployment with Entra ID and on-premises AD

The hybrid model is ideal for the enterprise with devices in both the traditional on-premises AD and cloud services. In this case, devices are joined to the on-prem Entra and registered with Entra ID. They use applications registered in Microsoft Entra ID and typically want an SSO platform to seamlessly access resources in both environments.

Infrastructure support options for Windows Hello for Business

Whether the organization uses on-premises, cloud-only or hybrid deployment models, Windows Hello for Business can work with the existing Microsoft Entra or AD infrastructure. In addition, in the case of on-premises AD deploying a legacy public key infrastructure (PKI), the IT staff should consider the key trust and cloud trust models for improved efficiency without compromising security.

This table compares features and components of the three deployment models.

Key feature	Cloud-only	On-premises	Hybrid
Directory	Entra ID only	On-premises AD only	On-prem AD and Entra ID
Infrastructure	No on-premises AD domain controller (DC), no PKI	On-premises DCs, PKI and partially AD Federation Services (AD FS)	On-premises DC, optional PKI, AD FS or Entra Connect, Entra ID
Windows OS	Windows Server 2016 or later, Windows 10 and Windows 11
Authentication	Entra ID cloud trust or key trust	PKI certificate trust, Entra ID cloud trust, key trust	Key trust or Entra ID cloud trust
Device join type	Entra joined and registered	Legacy AD domain joined	Entra joined, hybrid joined and registered
Cloud dependency	Yes -- complete	None	Partial. This has two environments: one with, one without cloud
Management	Intune	Group Policy, Intune, Configuration Manager	Group Policy, Intune or Configuration Manager
MFA for enrollment	Entra MFA	Required	Entra MFA for cloud environment, on-premises MFA for on-premises devices
Use case	Those with no traditional on-premises AD infrastructure	Those with on-premises policies and no cloud environment	Typically used for older, large enterprises with a large traditional AD environment but moving to cloud AD.

Windows Hello for Business security and policy configurations

Windows Hello for Business offers three trust types to authenticate to AD: cloud trust, key trust and certificate trust. While the trust type determines whether authentication certificates are issued, Microsoft states that no trust model is more secure than another. PKI is just more difficult to deploy and maintain and is not used for cloud deployments. The following are the three trust types:

1. Cloud trust. This is the simplest and fastest authentication -- excellent for cloud but admins can use this for on-premises environments. For cloud devices, there is no need for PKI, enabling users to access on-premises resources without certificates. Note that the Microsoft Entra Kerberos service grants the ticket-granting ticket for the on-premises AD.
2. Key trust. This passwordless authentication uses a key-based credential without certificates. The public key is stored in AD, which uses that key to authenticate the user. This trust is more complex than a cloud trust but simpler than a certificate trust. It is a good fit for hybrid environments, enabling on-premises AD resources to authenticate without a certificate structure.
3. Certificate trust. This is the legacy PKI of on-premises AD, requiring a more complex configuration than key or cloud trust models.

Windows Hello for Business uses Microsoft Intune, Group Policy, third-party MDM providers and Microsoft's Configuration Manager Group Policy or Intune settings. The previous table identifies which tool is needed for each deployment model.

Configurable policies include PIN policies, biometric settings, Trusted Platform Module (TPM), use of convenience PINs and enrollment policies. This also identifies which sign-in options are available.

Windows Hello for Business client requirements

Client requirements for Windows Hello for Business deployment include the following:

• A supported OS -- Windows 10 v1703+ or Windows 11.
• Hardware supporting TPM 1.2 supported; v2.0 recommended.
• A joined state in the AD or Entra ID domain, or both.
• Compatible fingerprint reader and camera requirement for MFA deployment.

Gary Olsen has worked in the IT industry since 1983 and holds a Master of Science in computer-aided manufacturing from Brigham Young University. He was on Microsoft's Windows 2000 beta support team for Active Directory from 1998 to 2000 and has written two books on Active Directory and numerous technical articles for magazines and websites.