Windows Hello for Business

Kanhaiyalal Chandrawanshi 40 Reputation points
2025-09-22T16:31:33.8166667+00:00

Hello Team,

We’ve received the request to deploy Windows Hello for Business using Group Policy. Our GPO server is running on Windows Server 2022.

While reviewing several articles online, we found conflicting information and are currently unsure which specific Group Policy settings need to be configured to enable Windows Hello for Business on client laptops. Additionally, we would like to confirm whether any certificates are required for on-premises user authentication.

Any suggestions, best practices, or reference documentation you can share to help us achieve this setup would be greatly appreciated.

Thanks

Kanhaiyalal Chandrawanshi.

Windows for business | Windows Server | Directory services | Deploy group policy objects

3 answers

  1. Domic Vo 11,150 Reputation points Independent Advisor
    2025-09-22T17:07:23.2+00:00

    Dear Mr. Chandrawanshi,

    Thank you for reaching out regarding your deployment of Windows Hello for Business (WHfB) using Group Policy. We appreciate your initiative and are happy to provide guidance to support your implementation.

    Windows Hello for Business can be deployed in two primary models:

    • Key Trust (recommended for most on-premises environments)
    • Certificate Trust (requires a Public Key Infrastructure)

    Since your Group Policy server is running on Windows Server 2022, you’re well-positioned to use the Key Trust model, which simplifies deployment and does not require issuing certificates to users.

    To enable WHfB via Group Policy, please follow these steps:

    1. Enable Windows Hello for Business. Path: Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business. Set "Use Windows Hello for Business" to Enabled.
    2. Configure PIN Complexity (Optional). Define PIN length, expiration, and history based on your security requirements.
    3. Enable Credential Provider. Ensure that the Windows Hello for Business credential provider is not disabled.
    4. Allow Domain Users to Sign In Using WHfB. Confirm that domain users are permitted to enroll and use WHfB.

    Certificate Requirements

    • Key Trust Model: No user certificates are required. Requires domain controllers running Windows Server 2016 or later with Kerberos support for WHfB.
    • Certificate Trust Model: Requires a functioning Enterprise PKI (e.g., AD CS). User certificates must be issued and mapped to AD accounts.

    For most organizations using Windows Server 2022, Key Trust is the preferred and simpler approach.

    Let me know how it goes, and if this answer helps, feel free to hit “Accept Answer” so others can benefit too 😊

    T&B, Domic Vo


  2. Kanhaiyalal Chandrawanshi 40 Reputation points
    2025-09-24T16:16:12.5566667+00:00

    Hello @Domic Vo

    Thank you for your response to our earlier query.

    We have deployed the Group Policy as per your recommendation. On initial verification, the client laptop appears to be receiving the GPO correctly (Windows Hello for Business is applying as expected). However, we are facing a strange issue:

    After restarting the laptop, the user's PIN and fingerprint credentials are automatically removed. Post-restart, we are required to reconfigure both PIN and fingerprint for the user. This behavior is unexpected, and we are unsure what steps to take next.

    As part of our troubleshooting, we have already cleared the TPM and restarted the system, but the issue persists.

    Kindly suggest the next steps or any configuration points we may have missed. Your assistance is greatly appreciated.

    Thank you once again for your support.

    Thanks

    Kanhaiyalal Chandrawanshi


  3. Kanhaiyalal Chandrawanshi 40 Reputation points
    2025-09-26T16:16:01.0466667+00:00

    Hello Everyone.

    We have deployed the Group Policy as per your recommendation. On initial verification, the client laptop appears to be receiving the GPO correctly (Windows Hello for Business is applying as expected). However, we are facing a strange issue:

    After restarting the laptop, the user's PIN and fingerprint credentials are automatically removed. Post-restart, we are required to reconfigure both PIN and fingerprint for the user. This behavior is unexpected, and we are unsure what steps to take next.

    As part of our troubleshooting, we have already cleared the TPM and restarted the system, but the issue persists.

    Kindly suggest the next steps or any configuration points we may have missed. Your assistance is greatly appreciated.

    Thank you once again for your support.

    Thanks and regards.

    Kanhaiyalal Chandrawanshi.

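The following script is an added example, not code from anyone in this thread or from Microsoft. It reads back on a client laptop the registry values that the GPO settings from the first answer are expected to write (the "Use Windows Hello for Business" and PIN complexity policies), checks the TPM state that Key Trust depends on, and collects the device-registration view plus recent warnings and errors from the event logs where Hello provisioning and key removal are recorded, which is the first evidence to gather for the post-restart credential loss described above. It assumes an elevated PowerShell session on the affected laptop; the registry value names and log names are the standard ones for these policies.

```powershell
# Added example (not from the thread): audit the client-side state that the
# Key Trust GPO should produce, and gather the first data to review when the
# PIN/fingerprint disappear after a reboot. Run in an elevated PowerShell.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$PinKey    = Join-Path $PolicyKey 'PINComplexity'
$Report    = [ordered]@{}

# 1. Values written by "Use Windows Hello for Business" and related policies.
#    Enabled=1 means the GPO applied; UseCertificateForOnPremAuth should be
#    absent or 0 for Key Trust (no user certificate required).
foreach ($name in 'Enabled', 'RequireSecurityDevice', 'UseCertificateForOnPremAuth') {
    $Report["Policy.$name"] = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
}
if (Test-Path $PinKey) {
    foreach ($name in 'MinimumPINLength', 'MaximumPINLength', 'Expiration', 'History') {
        $Report["PIN.$name"] = (Get-ItemProperty -Path $PinKey -Name $name -ErrorAction SilentlyContinue).$name
    }
}

# 2. TPM state: Key Trust keeps the user's Hello key in the TPM, so it must
#    be present and ready; clearing the TPM discards every key stored in it.
$tpm = Get-Tpm
$Report['TPM.Present'] = $tpm.TpmPresent
$Report['TPM.Ready']   = $tpm.TpmReady

# 3. Device registration view: NgcSet reports whether a Hello key exists now.
$dsreg = dsregcmd /status
foreach ($field in 'DomainJoined', 'AzureAdJoined', 'NgcSet') {
    $line = $dsreg | Where-Object { $_ -match "^\s*$field\s*:" } | Select-Object -First 1
    $Report["dsregcmd.$field"] = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'n/a' }
}

# 4. Warnings/errors from the last two days in the logs where provisioning
#    and key deletion are recorded (Level 1-3 = critical, error, warning).
$events = foreach ($log in 'Microsoft-Windows-User Device Registration/Admin',
                           'Microsoft-Windows-HelloForBusiness/Operational') {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3
                                     StartTime = (Get-Date).AddDays(-2) } `
                 -MaxEvents 25 -ErrorAction SilentlyContinue
}

$Report.GetEnumerator() | ForEach-Object { '{0,-36} {1}' -f $_.Key, $_.Value }
$events | Sort-Object TimeCreated | Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message | Format-List
```

Compare the Policy.* values with the GPO you deployed (a missing Enabled value means the policy never reached the machine), and read the events in time order around the reboot: an error logged right after sign-in usually names why the Hello key was discarded.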
