Windows Hello for Business - Privacy GDPR Considerations

melbar4 1 Reputation point

Hi, my organisation are looking into deploying Windows Hello for Business, which uses biometrics for user authentication. Given this requires a legal basis under Article 9 of GDPR, can anyone point me in the direction of any Microsoft documentation in this regard? I was looking specifically for some mechanism to collect users' explicit consent but it does not seem to be an option in the default enrollment journey.


3 answers

Sort by: Most helpful
  1. Teemo Tang 11,201 Reputation points

    Windows Hello and privacy

    What data is collected, and why
    When you set up Windows Hello, it takes the data from the face or iris sensor or fingerprint reader and creates a data representation—not an image; it’s more like a graph—that is then encrypted before it’s stored on your device.

    To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, Microsoft collects info about how people use Windows Hello. For example, info about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. This data is stripped of any information that could be used to specifically identify you, and it's encrypted before it's transmitted to Microsoft.

    The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.

    Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
    Windows Hello biometrics in the enterprise (Windows 10) - Microsoft 365 Security | Microsoft Learn

    More information here:
    GDPR FAQs, Microsoft Trust Center


    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Reza-Ameri 16,141 Reputation points

    I should add that the biometric authentication data in Windows Hello is stored locally in the system and is not stored on a server or in Azure AD. Because it is localized to the system, it is compliant with the GDPR, because the data is stored inside the user's PC and the network administrator won't have any access to that data. Take a look at:


  3. Stanley, Peter 1 Reputation point

    Thanks, that helps!
