Configure and enroll in Windows Hello for Business in an on-premises key trust model
This article describes Windows Hello for Business functionalities or scenarios that apply to:
- Deployment type: on-premises
- Trust type: key trust
- Join type: domain join
Once the prerequisites are met, and the PKI and AD FS configurations are validated, deploying Windows Hello for Business consists of the following steps:
Configure Windows Hello for Business policy settings
There's 1 policy setting required to enable Windows Hello for Business in a key trust model:
Another optional, but recommended, policy setting is:
You can configure the Use Windows Hello for Business policy setting in the computer or user node of a GPO:
- Deploying the computer node policy setting, results in all users that sign-in to the targeted devices to attempt a Windows Hello for Business enrollment
- Deploying the user node policy setting, results in only the targeted users to attempt a Windows Hello for Business enrollment
If both user and computer policy settings are deployed, the user policy setting has precedence.
To configure a device with group policy, use the Local Group Policy Editor. To configure multiple devices joined to Active Directory, create or edit a group policy object (GPO) and use the following settings:
Group policy path | Group policy setting | Value |
---|---|---|
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business or User Configuration\Administrative Templates\Windows Components\Windows Hello for Business |
Use Windows Hello for Business | Enabled |
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business | Use a hardware security device | Enabled |
Group policies can be linked to domains or organizational units, filtered using security groups, or filtered using WMI filters.
Tip
The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see Windows Hello for Business policy settings.
Enroll in Windows Hello for Business
The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
You can determine the status of the prerequisite checks by viewing the User Device Registration admin log under Applications and Services Logs > Microsoft > Windows.
This information is also available using the dsregcmd.exe /status
command from a console. For more information, see dsregcmd.
User experience
After a user signs in, the Windows Hello for Business enrollment process begins:
- If the device supports biometric authentication, the user is prompted to set up a biometric gesture. This gesture can be used to unlock the device and authenticate to resources that require Windows Hello for Business. The user can skip this step if they don't want to set up a biometric gesture
- The user is prompted to use Windows Hello with the organization account. The user selects OK
- The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
- After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
- The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with the IdP to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and access their desktop
The following video shows the Windows Hello for Business enrollment steps after signing in with a password, using a custom MFA adapter for AD FS.
Sequence diagram
To better understand the provisioning flows, review the following sequence diagram: