How to set up Windows Hello for Business for cloud-only devices

If you’ve ever set up a Windows 10 PC, you’ll know that at one point during the out-of-box experience you will be prompted to set up Windows Hello. Most of the time you can configure biometric authentication (fingerprint sensor or IR scan) to unlock your device, and as a backup you’ll also need to create a PIN (check out this article from Microsoft, “Why a PIN is better than a password”). What you may not know is that on your personal device, the “Windows Hello convenience PIN” is not backed by asymmetric (public/private key) or certificate-based authentication. Like the name suggests, it’s for convenience. That’s where Windows Hello for Business steps in.

Windows Hello for Business always uses key-based or certificate-based authentication. Windows Hello for Business is effectively multi-factor authentication into your PC, every time you log in. The multi-factor part comes from a combination of a key or certificate tied to a device and something that you know (a PIN) or are (biometrics). There are a lot of key points on Windows Hello for Business that you can find here, but suffice it to say that enabling Hello for Business within your organization is a great first step towards increasing your security posture.

First off – the good news. If your organization is only using Azure AD (instead of Hybrid Azure AD), you’re most likely already set up to use Hello for Business. According to this docs article, for organizations that use Azure AD as part of O365: “When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature.” Likewise, organizations that use the free version of Azure AD with automatic domain join enabled will also be provisioned for Hello for Business, and any organization that is using Azure AD Premium can even enforce Hello for Business.

We’ll be focusing on Cloud-only devices. I’ll walk through all of our options for enabling Hello for Business as part of a tenant that has Azure AD Premium & Intune enabled. There is a lot more planning & configuration that goes into a Hybrid Windows Hello for Business deployment, but all of those scenarios are covered by the Microsoft Docs.

For more clarity, we’ll be using a key-based Hello for Business implementation instead of a certificate-based one. As part of the built-in Windows Hello for Business setup during the Windows 10 out-of-box experience, a hardware-bound asymmetric key pair is created as the user’s credentials. The private key is protected by the device’s security module (TPM chip); however, the credential is a user key (not a device key). The provisioning experience registers the user’s public key with the identity provider (in our case, Azure Active Directory). As far as I can tell, feature-wise the only downside to not using a cert-based deployment is that Hello for Business credentials won’t be supported over RDP (although I’m sure most organizations are fond of their PKI and want to use it).

Let’s start with the easiest setting. If you open the Azure portal and go to Devices > Device settings, there is an option named “Users may join devices to Azure AD”.

If this option is enabled, users can create a Windows Hello for Business profile when they join their devices to Azure AD (either through the settings pane or during the out-of-box experience). With nothing else configured, the end user will see Your organization requires Windows Hello (this happens after the user profile is created, right after “This might take several minutes”):

Because my user had already been signed up for Azure MFA, they’ll receive an MFA login prompt to verify their identity:

Once verified, I’ll be prompted to set up a PIN:

Now, you may have noticed that there’s an option to close that popup prompt (click the X) when I verify my identity… which we can do, and then skip the Windows Hello for Business configuration. (If you try this during the Set up a PIN prompt, you’re too late, it won’t let you skip Hello for Business then.)

As far as I can tell, there is no way to force sign-up for Windows Hello for Business. Let me know in the comments if I’ve overlooked something!

What we can do is use Intune to enable additional features for Hello for Business sign-up. Head over to the Microsoft Endpoint Manager admin center and select Devices > Windows > Windows Enrollment > Windows Hello for Business:

Here is where we configure the first set of Hello for Business policies, which apply to the entire tenant. These are the settings that apply during the out-of-box experience, so you’ll want to configure it here if you plan on leveraging Windows Hello for Business as part of your Autopilot deployment. Once you click Enable, you see the following options:

For my own configuration, I set Use a Trusted Platform Module (TPM) to Enabled, and Use security keys for sign-in to Enabled (this second option is what allows passwordless sign-in with FIDO2 keys). Once you’ve enabled the settings appropriate for your organization, go ahead and click Save.

Now, taking a device through the out-of-box experience (OOBE), we’ll see the PIN settings we configured applied during the Windows Hello for Business setup:

Since I’m using a virtual machine, I wasn’t prompted for biometric authentication, but that would also occur during OOBE. I also wasn’t prompted to configure phone sign in – this is because although my user is registered for MFA, they need to be registered to use the Microsoft Authenticator app (and I had set up an alternative app). The FIDO key, on the other hand, can actually be used immediately (assuming you set it up as part of MFA registration). Even though it wasn’t set up as part of OOBE it will show on the lock screen:

For the most part – that is all the configuration we need! I mentioned earlier that the settings before were tenant wide. If you’re interested in configuring Windows Hello for Business and targeting specific groups or users, you’ll need to create Device Configuration or Endpoint Security policies. For a quick rundown, here are the Windows Hello for Business specific settings available in Windows 10 Identity Protection:

And Endpoint Security Account Protection:

And finally, the Endpoint Security Security Baseline:

Now we’ve really covered all of the settings for cloud-only key-based Windows Hello for Business set up. Start enabling your users for Hello for Business and improving their sign-in experience! 🔑
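Because a user can close the identity verification prompt and skip provisioning, as described above, it is worth confirming on a device whether a Hello for Business key was actually created. The following is an added example, not part of the original post: it parses the text output of dsregcmd /status and reports the join state, whether a Hello key is set (NgcSet), and whether the device registration key is TPM protected. The function name Get-WhfbState and the sample output are constructed for illustration.

```powershell
# Added example: summarize Windows Hello for Business state from `dsregcmd /status` text.
# Get-WhfbState is a hypothetical helper name; the field names are those dsregcmd prints.
function Get-WhfbState {
    param([Parameter(Mandatory)][string[]]$StatusLines)

    # dsregcmd prints "Name : Value" pairs; collect them into a lookup table.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(\S.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # A missing field compares as $false, so partial output is reported as "not set".
    $joined = $fields['AzureAdJoined'] -eq 'YES'
    $ngcSet = $fields['NgcSet'] -eq 'YES'
    $tpm    = $fields['TpmProtected'] -eq 'YES'

    if (-not $joined)     { $finding = 'Device is not Azure AD joined' }
    elseif (-not $ngcSet) { $finding = 'No Hello for Business key for this user (setup skipped or not completed)' }
    elseif (-not $tpm)    { $finding = 'Hello key is set, but the device registration key is not TPM protected' }
    else                  { $finding = 'Hello key is set on an Azure AD joined, TPM-protected device' }

    [pscustomobject]@{
        AzureAdJoined = $joined
        HelloKeySet   = $ngcSet
        TpmProtected  = $tpm
        PreReqResult  = $fields['PreReqResult']   # only present in the prerequisite check section
        Finding       = $finding
    }
}

# Constructed, trimmed sample of `dsregcmd /status` for a user who closed the prompt.
$sample = @'
         AzureAdJoined : YES
          TpmProtected : YES
                NgcSet : NO
         PolicyEnabled : YES
          PreReqResult : WillProvision
'@ -split "`r?`n"

Get-WhfbState -StatusLines $sample | Format-List

# On a live device, run in the signed-in user's session:
# Get-WhfbState -StatusLines (dsregcmd /status)
```

NgcSet is per user, so the check has to run in the context of the user whose enrollment you want to verify.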


5 Responses

  1. Christian says:

    Thanks! It’s perfect! It is all I was searching for!

    At the moment, there are only a few scenarios with only Azure AD cloud. Usually they are working with AD Connect, and this is very different.

    thanks!
    very clear!

  2. Adam says:

    Do you know how to set up Windows Hello for Business on a Windows Virtual Desktop? Where all of the users are set up for MFA in the 365 Security portal. I can’t log in to the VM with an account that is set up for MFA but can with an account that isn’t. Please help. The MFA was set up before the VM and Intune hasn’t been set up for any enrollment. Should I set up Windows enrollment in Intune and create a new WVD VM? Is there a way to enroll an Azure WVD after it is created? Either through GUI or CMD/PowerShell?
