Windows Hello for Business (WHfB) replaces passwords with a PIN or biometric gesture that unlocks a key pair held in the device TPM. It is a key part of a passwordless strategy for Microsoft 365 environments. This guide covers setting it up via Intune, the difference between cloud and hybrid deployments, and how to enforce it for all users.
How Windows Hello for Business works
When a user sets up WHfB, Windows generates an asymmetric key pair and stores the private key in the device TPM, from which it cannot be exported. The PIN or biometric is only ever used locally, to authorise the TPM to use that key. Authentication works by:
- User provides a PIN or biometric gesture to the device
- The TPM releases use of the private key and signs a nonce (challenge) issued by Entra ID
- Entra ID verifies the signature with the public key registered for that user and device
- Entra ID issues a token. No password, and no PIN, is transmitted at any point
Prerequisites
- Windows 10 version 1703 or later (Windows 11 recommended)
- TPM 2.0 (strongly recommended - TPM 1.2 supported but limited)
- Devices must be Entra ID joined or hybrid Entra ID joined
- An Intune licence for each user whose devices will receive the policy (included in Microsoft 365 Business Premium and above)
- Microsoft Entra ID P1 is not required for WHfB itself; you need it only if you want to require WHfB for sign-in through Conditional Access
Configure via Intune
- In the Intune admin center go to Devices > Configuration > Create > New policy, choose Windows 10 and later, Templates, then Identity protection
- Name the profile (e.g. WHfB - All Devices)
- Configure the Windows Hello for Business settings (Configure Windows Hello for Business: Enable, Use a TPM: Required, plus your PIN and biometric rules)
- Assign to All Devices or a specific device group, then Review + create
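Creating the same profile through Microsoft Graph, as an added example that is not part of this guide: it needs the Microsoft.Graph PowerShell SDK, and the group ID is a placeholder to replace. The Identity protection template is exposed in the Graph beta endpoint as windowsIdentityProtectionConfiguration; the property names below are that resource's, and the comments map them to the portal setting names.

```powershell
# Added example (not from the original guide): create a Windows Hello for Business
# Identity protection profile in Intune via Microsoft Graph and assign it to a group.
# Assumes the Microsoft.Graph PowerShell SDK is installed and $GroupId is replaced with
# the object ID of your device group (the value below is a placeholder).
#Requires -Modules Microsoft.Graph.Authentication

param(
    [string]$ProfileName = 'WHfB - All Devices',
    [string]$GroupId     = '00000000-0000-0000-0000-000000000000'   # placeholder
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# Graph beta resource behind the "Identity protection" template.
$body = @{
    '@odata.type'                                = '#microsoft.graph.windowsIdentityProtectionConfiguration'
    displayName                                  = $ProfileName
    description                                  = 'Require TPM-backed Windows Hello for Business'
    windowsHelloForBusinessBlocked               = $false     # Configure Windows Hello for Business: Enable
    securityDeviceRequired                       = $true      # Use a TPM: Required (no software-only keys)
    pinMinimumLength                             = 6          # Minimum PIN length
    pinMaximumLength                             = 127        # Maximum PIN length
    pinLowercaseCharactersUsage                  = 'allowed'  # Lowercase letters in PIN
    pinUppercaseCharactersUsage                  = 'allowed'  # Uppercase letters in PIN
    pinSpecialCharactersUsage                    = 'allowed'  # Special characters in PIN
    pinExpirationInDays                          = 0          # PIN expiration: never
    pinPreviousBlockCount                        = 0          # Remember PIN history: none
    pinRecoveryEnabled                           = $true      # Enable PIN recovery
    unlockWithBiometricsEnabled                  = $true      # Allow biometric authentication
    enhancedAntiSpoofingForFacialFeaturesEnabled = $true      # Use enhanced anti-spoofing
    useSecurityKeyForSignin                      = $false     # Use security keys for sign-in
    useCertificatesForOnPremisesAuthEnabled      = $false     # Certificate for on-premise resources
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the new profile to the target group.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created '$($created.displayName)' ($($created.id)) and assigned it to group $GroupId"
```

Keeping the profile in code makes the two settings that matter for security, securityDeviceRequired and windowsHelloForBusinessBlocked, reviewable in a pull request rather than buried in a portal blade; it also makes it easy to confirm that no second profile in the tenant sets windowsHelloForBusinessBlocked to true.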
Key settings explained
- Configure Windows Hello for Business: Enable. Setting this to Disable in any profile that reaches the device removes existing Hello credentials from it.
- Use a TPM: Required. Preferred lets a device without a usable TPM fall back to a software-protected key, which defeats the purpose of the deployment.
- Minimum PIN length: 6 or more. The PIN is only ever tried locally against the TPM, which rate-limits wrong guesses, so PIN length matters far less than password length does.
- Allow biometric authentication: Yes, with Use enhanced anti-spoofing set to Yes so that face sign-in rejects photographs on cameras that support it.
- PIN expiration: Never. Rotating a device-bound PIN adds friction without reducing remote risk, because the PIN is never sent anywhere.
Enforce setup at enrolment
To ensure users set up WHfB before reaching the desktop on first sign-in, use the Enrollment Status Page (ESP) in Autopilot together with a WHfB profile that targets the device:
Set Block device use until all apps and profiles are installed to Yes, so the device finishes enrolment and receives its configuration before the user sees the desktop. The ESP tracks apps and profiles only; a configuration profile cannot be added to it as a required app. Because the WHfB policy already applies when the ESP completes, Windows prompts for PIN setup immediately after sign-in and the setup cannot be skipped. For hybrid joined devices, use the cloud Kerberos trust model; with key trust, provisioning waits until the device can reach a domain controller and the user's key has synchronised to Active Directory.
Troubleshooting
WHfB not prompting users to set up
Check that the Identity Protection profile is assigned to the device group and that the device has checked in since; review the profile's device status in Intune. Also confirm that the TPM is enabled in the firmware (BIOS/UEFI) and reports as ready in Get-Tpm. With Use a TPM set to Required, provisioning never starts on a device whose TPM is disabled, and nothing tells the user why; with Preferred, Windows silently falls back to a software key instead.
Users see "Your organisation removed Windows Hello for Business"
This usually means a conflicting policy is disabling WHfB. Check for a conflicting Account protection policy, the tenant-wide policy under Devices > Enrollment > Windows Hello for Business, a Device Restrictions profile, or a Group Policy (for hybrid joined devices) that sets WHfB to Disable. One profile enables it, another disables it, and the disable wins; the profile's device status report in Intune shows the setting as Conflict.
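A local triage script for a device with either of the problems above, as an added example rather than part of this guide. It runs on the affected device in an elevated PowerShell and relies on dsregcmd, Get-Tpm, and the documented Group Policy registry path; it does not read MDM-delivered policy from the registry, so an Intune profile that sets Disable still has to be found in the Intune conflict report.

```powershell
# Added example (not from the original guide): triage a device that is not prompting
# for Windows Hello for Business or reports that the organisation removed it.
# Run elevated on the affected Windows 10/11 device.
#Requires -RunAsAdministrator

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; collect them into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $status[$matches[1].Trim()] = $matches[2]
        }
    }
    return $status
}

$ds  = Get-DsregStatus
$tpm = Get-Tpm   # TrustedPlatformModule module, built into Windows 10/11

$checks = [ordered]@{
    'Entra ID joined or hybrid joined (AzureAdJoined)' = $ds['AzureAdJoined'] -eq 'YES'
    'TPM present'                                      = [bool]$tpm.TpmPresent
    'TPM ready (enabled and activated in firmware)'    = [bool]$tpm.TpmReady
    'Hello key provisioned (NgcSet)'                   = $ds['NgcSet'] -eq 'YES'
}

# Group Policy "Use Windows Hello for Business" set to Disabled writes Enabled=0 here.
$gpoPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$gpoEnabled = (Get-ItemProperty -Path $gpoPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
$checks['No Group Policy disabling WHfB'] = ($null -eq $gpoEnabled) -or ($gpoEnabled -eq 1)

foreach ($c in $checks.GetEnumerator()) {
    '{0,-50} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'CHECK' })
}

if ($ds['DomainJoined'] -eq 'YES') {
    'Device is hybrid joined: with key trust, provisioning also needs line of sight to a domain controller.'
}
if (-not $tpm.TpmReady) {
    'TPM is not ready. With "Use a TPM" set to Required, provisioning will not start until the TPM is enabled in firmware.'
}
if ($gpoEnabled -eq 0) {
    'Group Policy disables WHfB on this device; this wins over the Intune profile that enables it.'
}
if (-not $checks['Hello key provisioned (NgcSet)']) {
    'No Hello key yet. Confirm the Identity Protection profile is assigned and force a sync: Settings > Accounts > Access work or school > Info > Sync.'
}
```

NgcSet is the field that tells you whether a Hello key actually exists for the signed-in user; if it reads NO on a device that passes every other check, the profile has not reached the device or a conflicting policy removed the key, and the Intune device status report for the profile is the next place to look.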
Frequently Asked Questions
What is Windows Hello for Business?
Windows Hello for Business replaces passwords with strong two-factor authentication: something you have (the device with its TPM-protected key) plus something you know or are (a PIN, fingerprint, or facial recognition). The PIN is device-specific and only unlocks the key in that device's TPM. It is more secure than a password because the credential never leaves the device, so it cannot be phished, replayed from another machine, or sprayed against a sign-in endpoint.
What is the difference between Windows Hello and Windows Hello for Business?
Windows Hello is the consumer version - a convenient PIN or biometric to log in to a Microsoft personal account. Windows Hello for Business is the enterprise version - it uses certificate or key-based authentication against Entra ID or Active Directory, backed by TPM, and managed via Intune or Group Policy.
Does Windows Hello for Business require a TPM?
Not strictly, but you should treat one as required. Without a TPM the key is stored in software, which Microsoft does not recommend for production; set Use a TPM to Required in the profile so that such devices cannot enrol a software key. TPM 1.2 is the minimum for cloud deployments, but TPM 2.0 is recommended, required for some features, and required by Windows 11 in any case.
How do I force users to set up Windows Hello for Business during enrolment?
Configure an Enrollment Status Page (ESP) in Autopilot and assign an Intune Identity Protection profile that enables WHfB to the device. Users will be prompted to set up a PIN before reaching the desktop on first sign-in, and cannot skip the prompt.