You may set up Windows Hello/Windows Hello for Business without a TPM, and in this case it will use software-based storage for authentication. This is not a recommended method; however, in case someone wants to use this feature without a TPM, it is still possible. Have a look at:
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings
Using software-based storage is less secure than using the TPM.
TPM needed for Windows Hello/Windows Hello for Business, or not.
Hi all,
I would appreciate some clarification here. Previously, in my learning for SC-900, I understood that Windows Hello works with the TPM to ensure that even if the threat actor knows the PIN, unless he/she has the hardware, he/she will not be able to access the account. So I believed that the TPM is required, because that's the "what you have", and fulfills the MFA definition.
Today I came across documentation (https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations) stating that a TPM is not required for Windows Hello/Windows Hello for Business.
If Windows Hello/Windows Hello for Business does not require a TPM to work, where is the unique ID or key stored in the hardware?
I am probably missing something here. If anyone has an answer on hand, please let me know.
Much appreciated. Thank you.
Best regards,
Herman
-
Reza-Ameri 17,011 Reputation points
2021-06-26T15:30:33.2+00:00
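The answer above says that without a TPM the Windows Hello key falls back to software-based storage, which is weaker because the PIN is then not bound to a hardware secret. The following PowerShell script is an added example, not code from the original thread or from Microsoft's documentation, that a defender can run on a device to see which case applies. It assumes the `Get-Tpm` cmdlet from the TrustedPlatformModule module, that the "Use a hardware security device" Group Policy writes the DWORD `RequireSecurityDevice` under `HKLM\SOFTWARE\Policies\Microsoft\PassportForWork`, and that `dsregcmd /status` prints a `TpmProtected` field in its Device Details section; treat those three names as assumptions to confirm against the policy-settings page linked in the answer.

```powershell
# Added example (not from the original post): report whether Windows Hello /
# Windows Hello for Business keys on this machine can be hardware-backed and
# whether policy requires it. Run in an elevated PowerShell session.
#
# Assumptions (verify on your build):
#   - Get-Tpm (TrustedPlatformModule module) reports TpmPresent / TpmReady.
#   - "Use a hardware security device" policy sets RequireSecurityDevice=1 under
#     HKLM\SOFTWARE\Policies\Microsoft\PassportForWork.
#   - "dsregcmd /status" prints "TpmProtected : YES|NO" in Device Details.

function Get-HelloKeyProtectionStatus {
    [CmdletBinding()]
    param()

    # 1. Is a TPM present and ready for use?
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }
    $tpmPresent = ($null -ne $tpm) -and [bool]$tpm.TpmPresent
    $tpmReady   = $tpmPresent -and [bool]$tpm.TpmReady

    # 2. Does policy insist on a hardware security device for Hello keys?
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $requireHw = $false
    $policy = Get-ItemProperty -Path $policyPath -Name RequireSecurityDevice -ErrorAction SilentlyContinue
    if ($policy) { $requireHw = ($policy.RequireSecurityDevice -eq 1) }

    # 3. What does the device registration state say about the existing key?
    $tpmProtected = 'Unknown'
    $status = & dsregcmd.exe /status 2>$null
    $line = $status | Where-Object { $_ -match '^\s*TpmProtected\s*:' } | Select-Object -First 1
    if ($line -and ($line -match 'TpmProtected\s*:\s*(\S+)')) { $tpmProtected = $Matches[1] }

    # Summarise the risk for the reviewer.
    $risk = if (-not $tpmReady -and -not $requireHw) {
        'No ready TPM and policy allows fallback: Hello keys will be software-backed (PIN is not hardware-bound)'
    } elseif (-not $tpmReady -and $requireHw) {
        'Policy requires a hardware security device but no ready TPM: Hello provisioning will fail'
    } else {
        'Hardware-backed key storage available'
    }

    [pscustomobject]@{
        TpmPresent            = $tpmPresent
        TpmReady              = $tpmReady
        PolicyRequiresTpm     = $requireHw
        DeviceKeyTpmProtected = $tpmProtected
        Risk                  = $risk
    }
}

Get-HelloKeyProtectionStatus | Format-List
```

The useful outcome for a fleet review is the combination of the three fields: a device with `TpmReady = False` and `PolicyRequiresTpm = False` is exactly the software-based case the answer describes, and enabling the "Use a hardware security device" policy turns that silent fallback into a visible provisioning failure instead.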