Hello for Business on new devices

Stefan W 1 Reputation point
2022-10-29T07:04:26.76+00:00

Hello,
we are testing Hello for Business in a hybrid setup. If the user enrolls on his new device with his password for the first time, it works fine.
But we want to eliminate the user's password completely.
If the user doesn't know his password, because he uses his face or PIN for logon every day, what is the option to log on to a new device if his old PC is damaged? Is there an option to provision Hello for Business without a first password login?

Windows 10 Security

3 answers

  1. Limitless Technology 44,121 Reputation points
    2022-11-03T09:20:12.147+00:00

    Hello,

    Yes, this is possible. Microsoft has an extensive document for planning and deploying a passwordless strategy that can guide you through implementing it:

    Passwordless strategy
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/passwordless-strategy

    --If the reply is helpful, please Upvote and Accept as answer--


  2. Wesley Li-MSFT 4,401 Reputation points Microsoft Vendor
    2022-11-03T10:54:25.103+00:00

    Hi

    The PIN is not stored on the device; it is entropy provided by the user when operating with the private part of the credential. The PIN is available on all computers unless restricted by a policy that requires a TPM.
    Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. So if the old computer is broken, the new device can also log in with a PIN.
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works

    For the passwordless policy, you can refer to related documents:
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/passwordless-strategy

    Best Regards,
    Wesley Li


  3. Stefan W 1 Reputation point
    2022-11-03T11:35:25.933+00:00

    Hi weili-MSFT,

    I understand it is true that authentication takes place with the private key. But the private key is stored locally on the first device. If the device is now defective, how does the private key get onto the new device?
    In my understanding, the only option is to log in to the new device with a password and create a new private key, which can then be used to log in again.
    Or am I missing something in the linked documents?
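
The key-based flow that the second answer and the follow-up above are discussing, as an added example written for this page (not code from Microsoft or from either poster): the identity provider holds only public keys, the private key is generated on the device and stays there, and a challenge is signed with it after the PIN gesture. The program replays the thread's scenario with an old PC and a replacement. The user name, the PIN strings, the password-style bootstrap check that gates key registration, and the key-ID construction (a hash of the public point) are assumptions of this simulation, not details of the real Windows Hello for Business protocol.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device stands in for one PC. The key pair is generated on the device and the
// private half never leaves it (on real hardware it would sit in the TPM).
type Device struct {
	Name string
	pin  string // the gesture that unlocks the key; simulated as a string
	priv *ecdsa.PrivateKey
}

// IdP stands in for the identity provider. It stores only public keys, one per
// (user, key ID). The bootstrap map is an assumption: it plays the role of the
// first-time password logon that lets a device register a key at all.
type IdP struct {
	pubKeys   map[string]*ecdsa.PublicKey
	bootstrap map[string]string
}

func NewIdP() *IdP {
	return &IdP{pubKeys: map[string]*ecdsa.PublicKey{}, bootstrap: map[string]string{}}
}

// keyID is a short fingerprint of the public point (assumed construction).
func keyID(pub *ecdsa.PublicKey) string {
	sum := sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...))
	return hex.EncodeToString(sum[:8])
}

// Provision generates a fresh key pair on the device and registers the public
// half. Registration needs a credential the device does not yet hold a key
// for; here that is the assumed bootstrap secret.
func (d *Device) Provision(idp *IdP, user, bootstrapSecret, pin string) error {
	if idp.bootstrap[user] != bootstrapSecret {
		return errors.New("bootstrap credential rejected: cannot register a key without one")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	d.priv, d.pin = priv, pin
	idp.pubKeys[user+"/"+keyID(&priv.PublicKey)] = &priv.PublicKey
	return nil
}

// Authenticate is the gesture-plus-key flow: the PIN unlocks the private key,
// the device signs a fresh nonce, and the IdP verifies the signature with the
// public key it registered for this device. A device with no key cannot sign
// in, however well the user knows their PIN.
func (d *Device) Authenticate(idp *IdP, user, pin string) error {
	if d.priv == nil {
		return fmt.Errorf("%s: no Hello key on this device; provision first", d.Name)
	}
	if pin != d.pin {
		return errors.New("PIN does not unlock the device key")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
	if err != nil {
		return err
	}
	pub, ok := idp.pubKeys[user+"/"+keyID(&d.priv.PublicKey)]
	if !ok {
		return fmt.Errorf("%s: IdP has no public key registered for this device", d.Name)
	}
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature did not verify")
	}
	return nil
}

// Outcome collects each step of the thread's scenario so it can be inspected.
type Outcome struct {
	OldDeviceSignIn     error // old PC after provisioning
	NewDeviceBeforeProv error // replacement PC, PIN known, no key yet
	NewDeviceWrongBoot  error // replacement PC, bad bootstrap credential
	NewDeviceAfterProv  error // replacement PC after registering its own key
	KeysRegistered      int   // public keys the IdP ends up holding
}

// Scenario: first device provisioned with the bootstrap credential, then lost;
// the replacement has no key and must bootstrap again. All inputs constructed.
func Scenario() Outcome {
	idp := NewIdP()
	idp.bootstrap["stefan"] = "Initial-Password!"
	var out Outcome
	oldPC := &Device{Name: "old-pc"}
	if err := oldPC.Provision(idp, "stefan", "Initial-Password!", "1234"); err != nil {
		out.OldDeviceSignIn = err
		return out
	}
	out.OldDeviceSignIn = oldPC.Authenticate(idp, "stefan", "1234")
	// old-pc is now damaged: its private key is gone with it, the IdP still
	// holds only the public half, which is useless for signing in elsewhere.
	newPC := &Device{Name: "new-pc"}
	out.NewDeviceBeforeProv = newPC.Authenticate(idp, "stefan", "1234")
	out.NewDeviceWrongBoot = newPC.Provision(idp, "stefan", "wrong-guess", "5678")
	if err := newPC.Provision(idp, "stefan", "Initial-Password!", "5678"); err != nil {
		out.NewDeviceAfterProv = err
		return out
	}
	out.NewDeviceAfterProv = newPC.Authenticate(idp, "stefan", "5678")
	out.KeysRegistered = len(idp.pubKeys)
	return out
}

func main() {
	o := Scenario()
	fmt.Println("old-pc sign-in:          ", o.OldDeviceSignIn)
	fmt.Println("new-pc before provision: ", o.NewDeviceBeforeProv)
	fmt.Println("new-pc wrong bootstrap:  ", o.NewDeviceWrongBoot)
	fmt.Println("new-pc after provision:  ", o.NewDeviceAfterProv)
	fmt.Println("keys held by IdP:        ", o.KeysRegistered)
}
```

The point the simulation makes is the one the follow-up post raises: the replacement PC fails with "no Hello key on this device" even though the user's PIN is known, because the PIN only unlocks a key that exists on that device. Getting a second public key registered needs some credential other than the lost key, which in the simulation is the bootstrap secret; whatever plays that role in a real deployment (a password, or another factor the organisation accepts for first-time provisioning) is the thing a passwordless plan has to provide for.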