mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-14 18:03:37 +00:00
title | description | ms.assetid | keywords | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | author | ms.author | localizationpriority | ms.date |
---|---|---|---|---|---|---|---|---|---|---|---|
Windows Hello for Business (Windows 10) | Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. | 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E | identity, PIN, biometric, Hello, passport | w10 | deploy | library | security, mobile | mikestephens-MS | mstephen | high | 05/05/2018 |
Windows Hello for Business
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
Windows Hello for Business lets users authenticate to an Active Directory or Azure Active Directory account.
Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to replay attacks.
- Users can inadvertently expose their passwords due to phishing attacks.
Prerequisites
Cloud Only Deployment
- Windows 10, version 1511 or later
- Microsoft Azure Account
- Azure Active Directory
- Azure Multi-factor authentication
- Modern Management (Intune or supported third-party MDM), optional
- Azure AD Premium subscription - optional, needed for automatic MDM enrollment when the device joins Azure Active Directory
Hybrid Deployments
The table shows the minimum requirements for each deployment.
Key trust Group Policy managed | Certificate trust Mixed managed | Key trust Modern managed | Certificate trust Modern managed |
---|---|---|---|
Windows 10, version 1511 or later | Hybrid Azure AD Joined: Minimum: Windows 10, version 1703 Best experience: Windows 10, version 1709 or later (supports synchronous certificate enrollment). Azure AD Joined: Windows 10, version 1511 or later | Windows 10, version 1511 or later | Windows 10, version 1511 or later |
Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema |
Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
N/A | Windows Server 2016 AD FS with KB4088889 update (hybrid Azure AD joined clients), and Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter |
Azure Account | Azure Account | Azure Account | Azure Account |
Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory |
Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect |
Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment |
On-premises Deployments
The table shows the minimum requirements for each deployment.
Key trust Group Policy managed | Certificate trust Group Policy managed |
---|---|
Windows 10, version 1703 or later | Windows 10, version 1703 or later |
Windows Server 2016 Schema | Windows Server 2016 Schema |
Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
Windows Server 2016 AD FS with KB4088889 update | Windows Server 2016 AD FS with KB4088889 update |
AD FS with Azure MFA Server, or AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or AD FS with 3rd Party MFA Adapter |
Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing |
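The Active Directory rows of the hybrid and on-premises tables (schema, functional level, domain controller version) can be checked from a domain-joined management host. The script below is an added example, not part of the original documentation; it assumes the RSAT ActiveDirectory module is installed, and the function name `Test-WhfbAdPrereq` is hypothetical.

```powershell
# Added example: checks the AD-side minimums listed in the tables above.
# Assumes the ActiveDirectory module (RSAT); Test-WhfbAdPrereq is a hypothetical name.
Import-Module ActiveDirectory

function Test-WhfbAdPrereq {
    param(
        [ValidateSet('KeyTrust', 'CertificateTrust')]
        [string]$TrustType = 'KeyTrust'
    )

    # Schema row: the Windows Server 2016 schema is objectVersion 87.
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion

    # Functional level row: Windows Server 2008 R2 or higher, matched by enum name.
    $levels     = '2008R2', '2012', '2012R2', '2016'
    $forestMode = (Get-ADForest).ForestMode.ToString()
    $domainMode = (Get-ADDomain).DomainMode.ToString()
    $forestOk   = [bool]($levels | Where-Object { $forestMode -eq "Windows$($_)Forest" })
    $domainOk   = [bool]($levels | Where-Object { $domainMode -eq "Windows$($_)Domain" })

    # Domain controller row: key trust lists Windows Server 2016 (10.0.14393),
    # certificate trust lists Windows Server 2008 R2 (6.1) or later.
    $minDc = if ($TrustType -eq 'KeyTrust') { [version]'10.0.14393' } else { [version]'6.1' }
    $belowMin = Get-ADDomainController -Filter * | Where-Object {
        # OperatingSystemVersion looks like "10.0 (14393)"; rewrite it as "10.0.14393".
        [version]($_.OperatingSystemVersion -replace ' \((\d+)\)', '.$1') -lt $minDc
    }

    # Report the findings; DCs below the table's version are listed, not judged.
    [pscustomobject]@{
        TrustType       = $TrustType
        SchemaVersion   = [int]$schema.objectVersion
        SchemaOk        = [int]$schema.objectVersion -ge 87
        ForestMode      = $forestMode
        ForestLevelOk   = $forestOk
        DomainMode      = $domainMode
        DomainLevelOk   = $domainOk
        DcsBelowMinimum = @($belowMin | ForEach-Object {
            "$($_.HostName) [$($_.OperatingSystemVersion)]"
        })
    }
}

Test-WhfbAdPrereq -TrustType KeyTrust
```

The check covers only the directory itself; the certificate authority, AD FS, MFA and Azure rows still have to be verified separately.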