Windows Hello for Business is a modern two-factor authentication which replaces password authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. Windows Hello for Business lets the user authenticate to an Active Directory or Azure Active Directory account.
Windows Hello addresses resolve these issues with passwords:
- Since very strong passwords are difficult to remember, and the possibility to reuse the same password on multiple sites often presents itself.
- Server breaches can expose symmetric network credentials (passwords) and
- Passwords are subject to replay attacks.
- Users can inadvertently expose their passwords due to phishing attacks or having to write them down due to its complexity.
Windows Hello for Business can be deployed in the following areas
– Cloud, Hybrid and On- Premises environment.
Cloud Deployment: Windows Hello for Business supports with AAD joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices and also works for domain-joined devices.
This moves Organizations beyond security pitfalls of passwords. See video below on it works.
Windows Hello for Business relies on these factors
– Remote Authenticator (Phone, PIN, Unique Identifier, Biometric [Face recognition or fingerprint).
Windows Hello for Business work by default by using MFA (And this can be time-consuming despite very secure as it isn’t a seamless process).
Other Benefits of Windows Hello for Business are
– Provides seamless SSO to Apps and Services.
– When in an unknown location (Network), there is an additional configuration that can be applied which will require Windows will prompt you to authenticate with a different means instead of face recognition.
Prerequisites for Deploying Hello for Business
This depends on your need and I will be discussing all applications (Cloud, Hybrid and On-Premises environment) need.
Hybrid Deployment: For this deployment, here are the needed prerequisites.
- Windows 10, version 1511 or above - Server 2016 schema - Windows Server 2016 or above Domain Controller (DC) - Azure Account - Azure Active Directory - Azure MFA or AD FS with Azure MFA - Subscription: Azure AD Premium
On-Premise Deployment: For this deployment, here are the needed prerequisites.
- Windows 10, version 1511 or above - Server 2016 schema - Windows Server 2016 or above Domain Controller (DC) - ADFS with 3rd party MFA - ADFS with Azure MFA Then an Azure Account will be needed for Azure MFA billing.
Cloud Deployment: For this deployment, here are the needed prerequisites.
- Windows 10 - Microsoft Azure Account - Azure Active Directory - Azure MFA - (Modern Management System -Intune or a 3rd party MDM).This is optional - Azure AD Premium subscription (needed for automatic MDM enrollment when the device joins Azure Active Directory). This is optional as well.
Windows Hello for Business supports these additional features
- Conditional Access: AAD provides options for protecting access to corporate resources. Conditional access provides more fine-grained control over who can access certain resources and under what conditions. This requires AAD.
- Dynamic Lock: Dynamic lock uses a paired Bluetooth device to determine user presence and locks the device if a user is not present.
- PIN Reset: This functionality enables users to recover their forgotten PIN. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
- Remote Desktop with Biometrics: Users with Windows Hello for Business certificate trust can use their credentials to authenticate to remote desktop sessions over RDP. When authenticating to the session, biometric gestures can be used if they are enrolled. This functionality is not supported for key trust deployments. Microsoft continues to investigate supporting this feature for key trust deployments in a future release.