title | description | ms.date | ms.topic |
---|---|---|---|
Windows Hello for Business cloud-only deployment guide | Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario. | 11/22/2024 | tutorial |
Cloud-only deployment guide
[!INCLUDE apply-to-cloud]
[!INCLUDE requirements]
Deployment steps
Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
Configure Windows Hello for Business policy settings
When you join a device to Microsoft Entra ID, the system attempts to automatically enroll you in Windows Hello for Business. If you want to use Windows Hello for Business in a cloud-only environment with its default settings, no extra configuration is needed.
Cloud-only deployments use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no other MFA configuration needed. If you aren't already registered in MFA, you're guided through the MFA registration as part of the Windows Hello for Business enrollment process.
Policy settings can be configured to control the behavior of Windows Hello for Business, via configuration service provider (CSP) or group policy (GPO). In cloud-only deployments, devices are typically configured via an MDM solution like Microsoft Intune, using the PassportForWork CSP.
Note
Review the article Configure Windows Hello for Business using Microsoft Intune to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
If the Intune tenant-wide policy is configured to disable Windows Hello for Business, or if devices are deployed with Windows Hello disabled, you must configure one policy setting to enable Windows Hello for Business: Use Windows Hello for Business (the UsePassportForWork setting of the PassportForWork CSP).
Another optional, but recommended, policy setting is Use a hardware security device (RequireSecurityDevice). With this setting enabled, provisioning only proceeds on devices with a usable TPM, so the Windows Hello for Business key is hardware-protected instead of silently falling back to a software-protected key on devices without one.
Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
Intune/CSP
[!INCLUDE intune-settings-catalog-1]
Category | Setting name | Value |
---|---|---|
Windows Hello for Business | Use Windows Hello For Business | true |
Windows Hello for Business | Require Security Device | true |
[!INCLUDE intune-settings-catalog-2]
Alternatively, you can configure devices using a custom policy with the PassportForWork CSP. Replace {TenantId} in the OMA-URI with your Microsoft Entra tenant ID.
OMA-URI | Data type | Value |
---|---|---|
./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork | bool | True |
./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice | bool | True |
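The following script is an added example, not part of the Microsoft Learn article, showing how to create the custom profile above with the Microsoft Graph PowerShell SDK instead of clicking through the Intune portal. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account can be granted DeviceManagementConfiguration.ReadWrite.All, and that the profile name is whatever you choose (the one used here is invented). The tenant ID for the OMA-URI is taken from the signed-in Graph context so it can't be mistyped.

```powershell
# Added example: create an Intune custom profile carrying the two PassportForWork
# CSP settings via Microsoft Graph. Not code from the article or from Microsoft.
# Assumes Microsoft.Graph.Authentication is installed and the caller can consent to
# DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# The CSP path embeds the tenant ID; read it from the context rather than typing it.
$tenantId = (Get-MgContext).TenantId
$base     = "./Device/Vendor/MSFT/PassportForWork/$tenantId/Policies"

# One omaSettingBoolean per row of the OMA-URI table above.
$settings = @(
    @{ name = 'UsePassportForWork';    value = $true }  # enables Windows Hello for Business
    @{ name = 'RequireSecurityDevice'; value = $true }  # provision only with a usable TPM
)

$omaSettings = foreach ($s in $settings) {
    @{
        '@odata.type' = '#microsoft.graph.omaSettingBoolean'
        displayName   = $s.name
        omaUri        = "$base/$($s.name)"
        value         = $s.value
    }
}

# windows10CustomConfiguration is the Graph type behind "Custom" device configuration
# profiles. The display name below is an assumption of this example.
$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'WHfB cloud-only (PassportForWork CSP)'
    description   = 'Enables Windows Hello for Business and requires a hardware security device.'
    omaSettings   = $omaSettings
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read the profile back and print the URIs so the tenant ID segment can be eyeballed:
# a wrong tenant ID yields a profile that deploys without error but never takes effect.
$readBack = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)"
$readBack.omaSettings | ForEach-Object { '{0} = {1}' -f $_.omaUri, $_.value }
```

Creating the profile doesn't assign it. Assign it to the device group that your Microsoft Entra joined devices land in (in the portal, or with a separate call to the profile's assign action), and pair it with the Enrollment Status Page from the tip below so the policy is applied before the first desktop sign-in rather than after the user has already skipped the PIN prompt.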
GPO
To configure a device with group policy, use the Local Group Policy Editor.
Group policy path | Group policy setting | Value |
---|---|---|
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business or User Configuration\Administrative Templates\Windows Components\Windows Hello for Business | Use Windows Hello for Business | Enabled |
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business | Use a hardware security device | Enabled |
Tip
If you're using Microsoft Intune, and you're not using the tenant-wide policy, enable the Enrollment Status Page (ESP) to ensure that the devices receive the Windows Hello for Business policy settings before users can access their desktop. For more information about ESP, see Set up the Enrollment Status Page.
More policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see Windows Hello for Business policy settings.
Enroll in Windows Hello for Business
The Windows Hello for Business provisioning process begins immediately after a user signs in, if certain prerequisite checks are passed.
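When the PIN prompt never appears after sign-in, the quickest way to find out which prerequisite failed is to read the device's own view of the policy and the join state. The script below is an added example, not part of the Microsoft Learn article: it parses `dsregcmd /status` and checks the registry locations where the two configuration channels above land. The registry paths are this example's assumption about where the GPO (Software\Policies\Microsoft\PassportForWork) and the CSP (Software\Microsoft\Policies\PassportForWork\<TenantId>\Device\Policies) write their values; the article itself doesn't state them.

```powershell
# Added example: verify Windows Hello for Business policy and enrollment prerequisites
# on a Microsoft Entra joined device. Not code from the article or from Microsoft.
# Run as the signed-in user (dsregcmd reports that user's Ngc state), elevated so both
# HKLM policy locations are readable.

# dsregcmd /status prints "Name : Value" lines under section headings.
# Flatten it into a hashtable; the non-greedy name match keeps URLs in values intact.
function Get-DsRegStatus {
    $status = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

# Registry paths are an assumption of this example:
#   GPO -> HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork (Enabled, RequireSecurityDevice)
#   CSP -> HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\Device\Policies
#          (UsePassportForWork, RequireSecurityDevice)
function Get-WhfbPolicyState {
    $gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -ErrorAction SilentlyContinue
    $csp = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path (Join-Path $_.PSPath 'Device\Policies') -ErrorAction SilentlyContinue }
    [pscustomobject]@{
        GpoEnabled    = [bool]$gpo.Enabled
        GpoRequireTpm = [bool]$gpo.RequireSecurityDevice
        CspEnabled    = [bool]($csp | Where-Object { $_.UsePassportForWork -eq 1 })
        CspRequireTpm = [bool]($csp | Where-Object { $_.RequireSecurityDevice -eq 1 })
    }
}

$ds  = Get-DsRegStatus
$pol = Get-WhfbPolicyState

# The "Ngc Prerequisite Check" block (PolicyEnabled, PreReqResult, ...) is only printed
# while the user isn't enrolled yet, so treat NgcSet = YES as a pass for those rows.
$enrolled = $ds['NgcSet'] -eq 'YES'
$checks = [ordered]@{
    'Device is Microsoft Entra joined'  = $ds['AzureAdJoined'] -eq 'YES'
    'Device key is TPM protected'       = $ds['TpmProtected'] -eq 'YES'
    'WHfB enabled by CSP or GPO'        = $pol.CspEnabled -or $pol.GpoEnabled
    'Hardware security device required' = $pol.CspRequireTpm -or $pol.GpoRequireTpm
    'dsregcmd sees WHfB policy'         = $enrolled -or ($ds['PolicyEnabled'] -eq 'YES')
    'Prerequisite result: WillProvision'= $enrolled -or ($ds['PreReqResult'] -eq 'WillProvision')
    'User enrolled (NgcSet)'            = $enrolled
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-36} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}
```

If "Device key is TPM protected" is MISSING while "Hardware security device required" is OK, provisioning is blocked by design: the policy is doing its job on a device without a usable TPM, and the fix is the hardware (or a deliberate decision to drop the requirement), not the policy. If the CSP rows are MISSING on an Intune-managed device, the profile is either unassigned or hasn't synced yet; check the device's profile status in Intune before touching local policy.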
User experience
[!INCLUDE user-experience]
[!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
Sequence diagrams
To better understand the provisioning flows, review the following sequence diagrams based on the authentication type:
- Provisioning for Microsoft Entra joined devices with managed authentication
- Provisioning for Microsoft Entra joined devices with federated authentication
To better understand the authentication flows, review the following sequence diagram:
Disable automatic enrollment
If you want to disable the automatic Windows Hello for Business enrollment, you can configure your devices with a policy setting or registry key. For more information, see Disable Windows Hello for Business enrollment.
Note
During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you are guided to enroll in Windows Hello for Business when you don't have Intune. You can cancel the PIN screen and access the desktop without enrolling in Windows Hello for Business.