Hello for Business on new devices

Stefan W 1 Reputation point
2022-10-29T07:04:26.76+00:00

Hello,
we are testing hello for business in a hybrid setup. If the user enrolls on his new device with his password for the first time it’s working fine.
But we want to eliminate the users password completely.
If the user don’t know his password, because he uses every day his face or pin for logon, what is the option to logon to a new device, if his old pc is damaged? Is there an option to Provision hello for business without first password login?

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,811 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Limitless Technology 44,081 Reputation points
    2022-11-03T09:20:12.147+00:00

    Hello,

    Yes, this is possible. Microsoft has an extensive document for planning and deploying Password-less strategy that can accompany you along the way for implementing:

    Password-less strategy
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/passwordless-strategy

    ------------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments

  2. Wesley Li-MSFT 4,391 Reputation points Microsoft Vendor
    2022-11-03T10:54:25.103+00:00

    Hi

    The PIN is not stored on the device, it is entropy provided by the user when operating with the private part of the credentials, the PIN is available on all computers unless restricted by a policy that requires a TPM.
    Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential.So the old computer is broken, the new device can also log in with PIN.
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works

    For the passwordless policy, you can refer to related documents:
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/passwordless-strategy

    Best Regards,
    Wesley Li

    0 comments No comments

  3. Stefan W 1 Reputation point
    2022-11-03T11:35:25.933+00:00

    Hi weili-MSFT,

    i understand It is true that authentication takes place with the private key. But the private key is stored locally on the first device. If the device is now defective, how does the private key get onto the new device?
    For my understanding, the only option is to log in to the new device with a password and create a new private key, which can then be used to log in again.
    Or am I missing something in the linked documents?