TPM needed for Windows Hello/Windows Hello for Business, or not.

Jun Kai Herman Teo 76 Reputation points
2021-06-26T04:14:39.397+00:00

Hi all,

I appreciate some clarification here. Previously, in my learning for SC-900, I understand that Windows Hello works with TPM to ensure that even if the threat actor knows the PIN, unless it has the hardware, he/she will not be able to access the account. So I believed that the TPM is required, because that's the "what you have", and fulfills the MFA definition.

Today I came across a documentation (https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations), that TPM is not required for Windows Hello/Windows Hello for Business.

If Windows Hello/Windows Hello for Business does not require TPM to work, where does the unique ID or key stored in the hardware?

I am probably missing something here. If anyone has an answer on hand, pls let me know.

Much appreciated. Thank you.

best regards,
Herman

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,744 questions
{count} votes

Accepted answer
  1. Reza-Ameri 16,826 Reputation points
    2021-06-26T15:30:33.2+00:00

    You may setup the Windows Hello/Windows Hello for Business without TPM and in this case, it will use the software based for authentication. This is not a recommended method , however in case someone want to use this feature without TPM, it is still possible. Have a look at:
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings
    Using software-based it is less secure than using the TPM.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful