Configure and enroll in Windows Hello for Business in an on-premises certificate trust model

This article describes Windows Hello for Business functionalities or scenarios that apply to:


Once the prerequisites are met, and the PKI and AD FS configurations are validated, deploying Windows Hello for Business consists of the following steps:

Configure Windows Hello for Business policy settings

There are 2 policy setting required to enable Windows Hello for Business in a certificate trust model:

Another optional, but recommended, policy setting is:

Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).

You can configure the Use Windows Hello for Business policy setting in the computer or user node of a GPO:

  • Deploying the computer node policy setting, results in all users that sign-in to the targeted devices to attempt a Windows Hello for Business enrollment
  • Deploying the user node policy setting, results in only the targeted users to attempt a Windows Hello for Business enrollment

If both user and computer policy settings are deployed, the user policy setting has precedence.

Tip

Use the same Windows Hello for Business Users security group to assign Certificate template permissions to ensure the same members can enroll in the Windows Hello for Business authentication certificate.

Enable automatic enrollment of certificates group policy setting

Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template.

The process requires no user interaction, provided the user signs in using Windows Hello for Business. The certificate is renewed in the background before it expires.

To configure a device with group policy, use the Local Group Policy Editor. To configure multiple devices joined to Active Directory, create or edit a group policy object (GPO) and use the following settings:

Group policy path Group policy setting Value
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
or
User Configuration\Administrative Templates\Windows Components\Windows Hello for Business
Use Windows Hello for Business Enabled
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
or
User Configuration\Administrative Templates\Windows Components\Windows Hello for Business
Use certificate for on-premises authentication Enabled
Computer Configuration\Windows Settings\Security Settings\Public Key Policies
or
User Configuration\Windows Settings\Security Settings\Public Key Policies
Certificate Services Client - Auto-Enrollment - Select Enabled from the Configuration Model
- Select the Renew expired certificates, update pending certificates, and remove revoked certificates
- Select Update certificates that use certificate templates
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business Use a hardware security device Enabled

Note

The enablement of the Use a hardware security device policy setting is optional, but recommended.

Group policies can be linked to domains or organizational units, filtered using security groups, or filtered using WMI filters.

Tip

The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.

Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see Windows Hello for Business policy settings.

Enroll in Windows Hello for Business

The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.

You can determine the status of the prerequisite checks by viewing the User Device Registration admin log under Applications and Services Logs > Microsoft > Windows.
This information is also available using the dsregcmd.exe /status command from a console. For more information, see dsregcmd.

User experience

After a user signs in, the Windows Hello for Business enrollment process begins:

  1. If the device supports biometric authentication, the user is prompted to set up a biometric gesture. This gesture can be used to unlock the device and authenticate to resources that require Windows Hello for Business. The user can skip this step if they don't want to set up a biometric gesture
  2. The user is prompted to use Windows Hello with the organization account. The user selects OK
  3. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
  4. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
  5. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with the IdP to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and access their desktop

After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows sends the certificate request to the AD FS server for certificate enrollment.

The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.

The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store.

The following video shows the Windows Hello for Business enrollment steps after signing in with a password, using a custom MFA adapter for AD FS.

Sequence diagram

To better understand the provisioning flows, review the following sequence diagram: