Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
Windows Hello for Business can be deployed cloud-only (Azure Active Directory), on-premises (Active Directory) or hybrid (both directories). An on-premises deployment additionally needs a Certificate Authority and Active Directory Federation Services. Following the 80-20 rule (80% of outcomes come from 20% of causes), I really recommend the cloud implementation: it is much easier to implement and brings the larger security gain. When you access resources on-premises you are already inside a well-protected corporate network, which adds a layer of security; cloud applications are accessed from anywhere, and portable work computers are more exposed to theft and hackers.
What is the difference between Windows Hello for Business and Windows Hello PIN or biometric in Windows 10?
The main difference is that Windows Hello in Windows 10 (also referred to as a convenience PIN) is a consumer feature that works only within the device, whereas Windows Hello for Business is a cloud service for secure authentication used in corporate environments.
A convenience PIN is just a password stuffer: it stores your password and replays it after the PIN or biometric authentication succeeds.
Windows Hello for Business has strong user-authentication properties that are frequently and mistakenly assumed to be in effect when the Windows Hello for Business infrastructure is not in place and the user is actually using a convenience PIN. Bear in mind that the two cannot be used together. By default, the convenience PIN is disabled when you enable Windows Hello for Business or join a PC to the domain.
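Because the two are so easily confused, it is worth checking a device rather than assuming. The following PowerShell script is an added example, not part of the original post: it reads the join state reported by dsregcmd /status together with the Group Policy registry values for "Use Windows Hello for Business" and "Turn on convenience PIN sign-in" and says which of the two is actually in effect. It assumes Group Policy delivery; policy pushed by Intune/MDM lands under a different registry path and is not covered here.

```powershell
# Added example: audit whether a Windows 10 device really uses Windows Hello for Business
# (WHfB) or only a convenience PIN. Assumes dsregcmd /status is available (Windows 10 1511+)
# and that policy arrives via Group Policy (Intune-delivered policy lives elsewhere).

function Get-HelloForBusinessStatus {
    # dsregcmd /status prints "Name : Value" lines in several sections; collect them.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    # Group Policy "Use Windows Hello for Business": ...\PassportForWork, Enabled = 1
    $whfbPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
                                   -Name Enabled -ErrorAction SilentlyContinue
    # Group Policy "Turn on convenience PIN sign-in": ...\Windows\System, AllowDomainPINLogon = 1
    $pinPolicy  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                                   -Name AllowDomainPINLogon -ErrorAction SilentlyContinue

    $joined       = ($state['AzureAdJoined'] -eq 'YES') -or ($state['DomainJoined'] -eq 'YES')
    $ngcKey       = ($state['NgcSet'] -eq 'YES')            # a Windows Hello key exists for this user
    $whfbEnabled  = ($whfbPolicy.Enabled -eq 1)
    $pinAllowed   = ($pinPolicy.AllowDomainPINLogon -eq 1)

    # Verdict: a Hello key on a joined device with WHfB policy is WHfB; a Hello key without
    # WHfB policy (or with convenience PIN explicitly allowed) is only the password stuffer.
    $verdict = if ($joined -and $whfbEnabled -and $ngcKey) { 'WindowsHelloForBusiness' }
               elseif ($ngcKey -and ($pinAllowed -or -not $whfbEnabled)) { 'ConveniencePinOnly' }
               elseif ($joined -and $whfbEnabled) { 'WhfbPolicyPresentButNotProvisioned' }
               else { 'NoWindowsHello' }

    [pscustomobject]@{
        AzureAdJoined         = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined          = ($state['DomainJoined']  -eq 'YES')
        HelloKeyProvisioned   = $ngcKey
        WhfbPolicyEnabled     = $whfbEnabled
        ConveniencePinAllowed = $pinAllowed
        PreReqResult          = $state['PreReqResult']      # from the "Ngc Prerequisite Check" section
        Verdict               = $verdict
    }
}

Get-HelloForBusinessStatus | Format-List
```

Run it in the context of the signed-in user, since the NgcSet and prerequisite-check values describe that user's Hello container, not the machine as a whole.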
Prerequisites for Cloud only deployment
Here are the prerequisites for a Cloud only deployment:
- Windows 10, version 1511 or later
- Azure Active Directory
- Azure Multi-Factor Authentication
- Modern Management (Intune or supported third-party MDM), optional
- Azure AD Premium subscription – optional, needed for automatic MDM enrollment when the device joins Azure Active Directory