Windows Hello for Business replaces password-based authentication with device-bound credentials such as a PIN, fingerprint, or facial recognition. These credentials are backed by cryptographic keys stored securely on the device, typically protected by a Trusted Platform Module (TPM), making them more resistant to phishing and credential theft.
In a domain environment, configuring Windows Hello manually on individual machines is not practical. Group Policy allows administrators to define and enforce these authentication settings centrally across all target systems.
What is Windows Hello for Business?
Windows Hello for Business is a modern authentication method that uses asymmetric key pairs instead of passwords. The private key is securely stored on the device (typically protected by a TPM), while the public key is registered with the identity provider.
When a user signs in using a PIN or biometric factor, the device uses the private key to authenticate without sending reusable credentials over the network. This significantly reduces the risk of credential theft and phishing attacks.
Prerequisites
Before configuring Windows Hello for Business using Group Policy, ensure the following requirements are met:
- The domain functional level is Windows Server 2008 R2 or higher (Windows Server 2016 or later is recommended).
- Devices have TPM 2.0 (TPM 1.2 is supported but considered legacy).
- Devices are Microsoft-Entra-ID-joined or hybrid-joined (required for key trust deployments).
- Active Directory Certificate Services (AD CS) is configured if you plan to use certificate trust.
- The Group Policy Management Console (GPMC) is installed (gpmc.msc).
- You have the required permissions to create or modify GPOs (Domain Admin or delegated access).
Once these prerequisites are met, the next step is to choose the appropriate trust model for your environment.
Windows Hello for Business trust models
Windows Hello for Business supports multiple trust models. Choosing the correct model is important because it determines how authentication is validated and which settings must be configured.
Cloud Kerberos trust
- Does not require a traditional PKI infrastructure.
- Uses Microsoft Entra ID and Kerberos for authentication.
- Supports access to on-premises resources without certificates.
- Simplifies deployment compared to certificate trust.
- Recommended for hybrid environments using Microsoft Entra ID.
Key trust
- Does not require user certificates for authentication.
- Requires Microsoft Entra ID (hybrid or cloud join).
- Requires domain controller certificates (PKI) for on-premises authentication.
- Uses TPM-backed key pairs for authentication.
- Recommended for hybrid or cloud-based environments.
Certificate trust
- Requires AD CS.
- Does not require Microsoft Entra ID.
- Uses certificates issued from AD CS.
- Suitable for fully on-premises environments.
Note: Use cloud Kerberos trust or key trust for modern hybrid deployments. Use certificate trust only if your environment is fully on-premises.
After selecting the trust model, proceed with creating and configuring the Group Policy Object (GPO).
Steps to configure Windows Hello for Business using a GPO
Follow the steps below using the GPMC.
Step 1: Create and link the GPO
- Press Win + R, type gpmc.msc, and press Enter to open the GPMC.
- Navigate to the organizational unit (OU) that contains the target computers or users.
- Right-click the OU and select Create a GPO in this domain, and Link it here.
- Enter a descriptive name (for example, Windows Hello for Business Policy) and click OK.
Note: Link the GPO to a computer OU to apply the policy to devices, or link it to a user OU if the policy should follow specific users.
Step 2: Enable Windows Hello for Business
- Right-click the GPO and select Edit.
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Hello for Business.
- Open Use Windows Hello for Business.
- Set the policy to Enabled, then click OK.
This setting enables Windows Hello provisioning on the target devices.
Step 3: Configure the trust model
- Open Use certificate for on-premises authentication.
- Configure the policy based on your trust model:
  - For Cloud Kerberos trust, keep Use certificate for on-premises authentication disabled or not configured, then enable Use cloud trust for on-premises authentication.
  - For Key trust, keep both Use certificate for on-premises authentication and Use cloud trust for on-premises authentication disabled or not configured.
  - For Certificate trust, enable Use certificate for on-premises authentication.
- (Optional) For certificate trust, enable Use a hardware security device to enforce TPM-backed credentials.
Step 4: Configure PIN complexity
PIN policies define the strength and behavior of Windows Hello credentials.
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Hello for Business > PIN Complexity.
- Configure the required settings, such as:
  - Minimum PIN length (recommended: six or higher)
  - Maximum PIN length
  - Require digits, uppercase, or lowercase characters
  - PIN expiration and history
Choose values based on your organization's security requirements.
Step 5: Configure biometrics (optional)
If your environment supports biometric authentication:
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Biometrics.
- Enable Allow the use of biometrics.
- Enable Allow domain users to log on using biometrics.
If you want to enforce PIN-only authentication, leave these settings disabled.
Step 6: Apply and verify the policy
- On a target machine, open Command Prompt with administrative privileges and run:
- Restart the device if required.
- After applying the policy, verify that it has been successfully applied using Group Policy results:
- Check Windows Hello provisioning status:
- Verify the following:
Troubleshooting common errors
1. Windows Hello provisioning does not start
If provisioning does not begin, the device may not be properly joined to Microsoft Entra ID.
Run dsregcmd /status and verify the following:
2. PIN setup screen does not appear
If users are not prompted to set up a PIN, the GPO may not be applied or may be overridden by another policy.
Run gpresult /r to verify applied policies and check for conflicting configurations.
3. Provisioning fails
If provisioning fails, check the Event Viewer logs:
Path: Applications and Services Logs > Microsoft > Windows > HelloForBusiness > Operational.
Common event IDs include:
- 300: Provisioning started
- 301: Provisioning successful
- 302: Provisioning failed
- 1098: Device registration failure
4. Inconsistent behavior across devices
This usually indicates:
- Device registration issues
- TPM not available or not initialized
- Policy not applied at logon
Restart the device and verify join status and TPM readiness.
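The following PowerShell script is an added example, not part of this article or of ADManager Plus, that automates the verification in Step 6 and the checks in the troubleshooting section on a single target device: it parses dsregcmd /status, reads the trust-model policy values, checks TPM readiness with Get-Tpm, and lists the provisioning events named above. The registry path and value names (PassportForWork, Enabled, UseCertificateForOnPremAuth, UseCloudTrustForOnPremAuth) are assumed from the Windows Hello for Business policy template; run it from an elevated PowerShell session.

```powershell
# Added verification script (not the article's own). Assumes the PassportForWork
# policy registry path and value names below; run elevated on a target device.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Get-DsregStatus {
    # Parse the "Name : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-WhfbTrustModel {
    # Map the Step 3 policy values to the trust model they select.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $p -or $p.Enabled -ne 1)            { return 'NotEnabled' }
    if ($p.UseCertificateForOnPremAuth -eq 1)     { return 'CertificateTrust' }
    if ($p.UseCloudTrustForOnPremAuth -eq 1)      { return 'CloudKerberosTrust' }
    return 'KeyTrust'   # neither certificate nor cloud trust set
}

function Test-WhfbReadiness {
    $ds  = Get-DsregStatus
    $tpm = Get-Tpm      # TrustedPlatformModule module, built into Windows
    $checks = [ordered]@{
        'Policy trust model'       = Get-WhfbTrustModel
        'AzureAdJoined (Entra ID)' = $ds['AzureAdJoined']
        'DomainJoined'             = $ds['DomainJoined']
        'TPM present and ready'    = ($tpm.TpmPresent -and $tpm.TpmReady)
        'NgcSet (PIN provisioned)' = $ds['NgcSet']
    }
    $checks.GetEnumerator() | ForEach-Object { '{0,-26}: {1}' -f $_.Key, $_.Value }

    # Most recent provisioning events from the log named in the troubleshooting section.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-HelloForBusiness/Operational'
        Id      = 300, 301, 302, 1098
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
        Format-Table -AutoSize
}

Test-WhfbReadiness
```

A device that is ready shows AzureAdJoined and NgcSet as YES, the TPM check as True, and a 301 event as the latest provisioning entry; a NotEnabled trust model or a 1098 event points back to the GPO link or device registration respectively.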
Managing Windows Hello GPOs at scale with ADManager Plus
Managing Windows Hello for Business policies across multiple OUs using the GPMC can become complex as the environment grows.
ADManager Plus provides a centralized web-based interface that simplifies GPO management across your domain. Administrators can manage, link, and update GPOs without needing to access multiple systems individually.
With ADManager Plus, you can:
- Link GPOs to multiple OUs in bulk.
- Force policy updates on demand.
- Delegate GPO management tasks without granting domain admin rights.
- Manage GPO link order and inheritance.
- Generate reports on GPO links and applied policies.
This helps streamline Windows Hello deployments and ensures consistent policy application across large environments.
FAQ
How do I enable Windows Hello for Business using a GPO?
Enable the Use Windows Hello for Business setting under the Windows Hello for Business policy node and link the GPO to the target OU.
Which trust model should I use?
Use cloud Kerberos trust or key trust for hybrid or cloud environments. Use certificate trust only for fully on-premises environments with AD CS configured.
Why is Windows Hello for Business not provisioning?
Common causes include the device not being Microsoft-Entra-ID-joined, conflicting Group Policy settings, or a TPM not being available.
How do I verify Windows Hello provisioning?
Run dsregcmd /status and check that the provisioning status (such as NgcSet) is set correctly.