Hello for Business on new devices

Stefan W 1 Reputation point

We are testing Hello for Business in a hybrid setup. If the user enrolls on his new device with his password for the first time, it works fine.
But we want to eliminate the user's password completely.
If the user doesn't know his password, because he uses his face or PIN every day for logon, what is the option to log on to a new device if his old PC is damaged? Is there an option to provision Hello for Business without a first password login?

Windows 10 Security

3 answers

  1. Limitless Technology 44,081 Reputation points


    Yes, this is possible. Microsoft has an extensive document for planning and deploying Password-less strategy that can accompany you along the way for implementing:

    Password-less strategy


    --If the reply is helpful, please Upvote and Accept as answer--


  2. Wesley Li-MSFT 4,391 Reputation points Microsoft Vendor


    The PIN is not stored on the device; it is entropy provided by the user when operating with the private part of the credentials. The PIN is available on all computers unless restricted by a policy that requires a TPM.
    Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. So if the old computer is broken, the new device can also log in with the PIN.

    For the passwordless policy, you can refer to related documents:

    Best Regards,
    Wesley Li


  3. Stefan W 1 Reputation point

    Hi weili-MSFT,

    I understand. It is true that authentication takes place with the private key. But the private key is stored locally on the first device. If the device is now defective, how does the private key get onto the new device?
    To my understanding, the only option is to log in to the new device with a password and create a new private key, which can then be used to log in again.
    Or am I missing something in the linked documents?