Cloud-only deployment guide

This article describes Windows Hello for Business functionalities or scenarios that apply to:


Requirements

Before starting the deployment, review the requirements described in the Plan a Windows Hello for Business Deployment article.

Ensure that the following requirements are met before you begin:

Deployment steps

Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:

Configure Windows Hello for Business policy settings

When you Microsoft Entra join a device, the system attempts to automatically enroll you in Windows Hello for Business. If you want to use Windows Hello for Business in a cloud-only environment with its default settings, there's no extra configuration needed.

Cloud-only deployments use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no other MFA configuration needed. If you aren't already registered in MFA, you're guided through the MFA registration as part of the Windows Hello for Business enrollment process.

Policy settings can be configured to control the behavior of Windows Hello for Business, via configuration service provider (CSP) or group policy (GPO). In cloud-only deployments, devices are typically configured via an MDM solution like Microsoft Intune, using the PassportForWork CSP.

Note

Review the article Configure Windows Hello for Business using Microsoft Intune to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.

If the Intune tenant-wide policy is configured to disable Windows Hello for Business, or if devices are deployed with Windows Hello disabled, you must configure one policy setting to enable Windows Hello for Business:

Another optional, but recommended, policy setting is:

Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).

To configure devices with Microsoft Intune, create a Settings catalog policy and use the following settings:

Category Setting name Value
Windows Hello for Business Use Windows Hello For Business true
Windows Hello for Business Require Security Device true

Assign the policy to a group that contains as members the devices or users that you want to configure.

Alternatively, you can configure devices using a custom policy with the PassportForWork CSP.

Setting
- OMA-URI: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork
- Data type: bool
- Value: True
- OMA-URI: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice
- Data type: bool
- Value: True

Tip

If you're using Microsoft Intune, and you're not using the tenant-wide policy, enable the Enrollment Status Page (ESP) to ensure that the devices receive the Windows Hello for Business policy settings before users can access their desktop. For more information about ESP, see Set up the Enrollment Status Page.

More policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see Windows Hello for Business policy settings.

Enroll in Windows Hello for Business

The Windows Hello for Business provisioning process begins immediately after a user signs in, if certain prerequisite checks are passed.

User experience

After a user signs in, the Windows Hello for Business enrollment process begins:

  1. If the device supports biometric authentication, the user is prompted to set up a biometric gesture. This gesture can be used to unlock the device and authenticate to resources that require Windows Hello for Business. The user can skip this step if they don't want to set up a biometric gesture
  2. The user is prompted to use Windows Hello with the organization account. The user selects OK
  3. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
  4. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
  5. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with the IdP to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and access their desktop

Sequence diagrams

To better understand the provisioning flows, review the following sequence diagrams based on the authentication type:

To better understand the authentication flows, review the following sequence diagram:

Disable automatic enrollment

If you want to disable the automatic Windows Hello for Business enrollment, you can configure your devices with a policy setting or registry key. For more information, see Disable Windows Hello for Business enrollment.

Note

During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you are guided to enroll in Windows Hello for Business when you don't have Intune. You can cancel the PIN screen and access the desktop without enrolling in Windows Hello for Business.