This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi all,
I appreciate some clarification here. Previously, in my learning for SC-900, I understand that Windows Hello works with TPM to ensure that even if the threat actor knows the PIN, unless it has the hardware, he/she will not be able to access the account. So I believed that the TPM is required, because that's the "what you have", and fulfills the MFA definition.
Today I came across a documentation (https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations), that TPM is not required for Windows Hello/Windows Hello for Business.
If Windows Hello/Windows Hello for Business does not require TPM to work, where does the unique ID or key stored in the hardware?
I am probably missing something here. If anyone has an answer on hand, pls let me know.
Much appreciated. Thank you.
best regards,
Herman
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 75%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Why not allow the use of an external authenticator such as a Yubikey that supports FIDO2. It is a much less expensive option than buying a new PC and satisfies the "something you have" requirement for verifying your pin.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
You may setup the Windows Hello/Windows Hello for Business without TPM and in this case, it will use the software based for authentication. This is not a recommended method , however in case someone want to use this feature without TPM, it is still possible. Have a look at:
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings
Using software-based it is less secure than using the TPM.
Thank you Reza for your answer. This explains a lot.
I always thought that Microsoft should force Windows Hello to use TPM instead, since most modern phones and PCs already have TPM installed. Curious why they do not implement it. Strange.
Thanks again for the help.
Herman
Welcome, glad it was helpful