Manually Enable Windows Hello for Business


For SMU Hybrid-Joined or Entra-Joined Windows 11 Devices

Windows Hello for Business (WHfB) lets users sign in securely using a PIN or biometrics, and provides seamless single sign-on (SSO) for SMU resources.

Before You Begin:

  • You must already be enrolled in Microsoft Authenticator.
  • A Trusted Platform Module (TPM) is required for Windows Hello for Business.
  • You’ll need to temporarily elevate your account to local administrator using the Make Me Admin tool.
  • In order to use biometric authentication as an alternative to a PIN, you must have the correct hardware to support it.
    • IR camera and/or fingerprint reader

Step 1: Open Local Group Policy Editor

  1. Click the Start menu.
  2. Type gpedit.msc in the search bar.
  3. Right-click gpedit.msc and choose Run as administrator.

Step 2: Navigate to Windows Hello for Business Policies

In the Group Policy Editor, go to:
Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business

Step 3: Enable Required Policies

Enable the following policies one by one:

Policy name, followed by its purpose and the action to take:

  • Use PIN Recovery: Allows users to self-recover their PIN using strong authentication (like MFA).
  • Use a Hardware Device: Ensures credentials are stored on TPM hardware, not software. Leave the checkbox in the policy unchecked.
  • Use Biometrics (if supported): Allows users to sign in with biometrics (like facial recognition or fingerprint).
  • Use Windows Hello for Business: Provisions WHfB keys for all device users (requires PIN setup).
  • Use Cloud Trust for On-Premises Authentication: Enables cloud Kerberos for authentication to file shares and other on-prem resources.

Step 4: Restart the Device

  • Log out and back in, or restart the computer to apply changes.

Step 5: Complete Windows Hello Setup

When you sign back in:

  1. A Windows Hello for Business setup wizard will launch.
  2. You’ll be asked to complete strong authentication (MFA or passwordless sign-in).
  3. Follow the prompts to set up a PIN (6 digits are required, or choose "letters and numbers" if available) and, if supported, biometric sign-in.

If the user has already set up Windows Hello, the existing keys will be used. The user can continue signing in with their current PIN.

How It Works After Setup

  • Once a PIN or biometric sign-in is completed, a Primary Refresh Token (PRT) with an MFA claim is created on the device.
  • This token allows seamless SSO (single sign-on) for apps and browsers that use it:

    • Microsoft Edge uses the PRT automatically.
    • Firefox and Chrome can be configured to use the PRT for seamless SSO.
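The following PowerShell script is an added verification aid, not part of the SMU article: run from an elevated PowerShell window, it checks the TPM prerequisite, reads back the policy values behind three of the Step 3 policies, and reports the join state, Hello key and PRT described above via dsregcmd. The registry value names (Enabled, RequireSecurityDevice, UseCloudTrustForOnPremAuth) are assumed to be the ADMX-backed values for those policies; the other two policies are not checked here.

```powershell
# Added verification script (not from the SMU article). Assumption: the
# registry value names below are the ADMX-backed policy values behind
# "Use Windows Hello for Business", "Use a Hardware Device" and
# "Use Cloud Trust for On-Premises Authentication". Run elevated.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$expected  = @{
    Enabled                    = 'Use Windows Hello for Business'
    RequireSecurityDevice      = 'Use a Hardware Device'
    UseCloudTrustForOnPremAuth = 'Use Cloud Trust for On-Premises Authentication'
}

function Get-DsregState {
    # Parse "Name : Value" lines from dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

# 1. Prerequisite: a TPM must be present and ready.
$tpm = Get-Tpm
Write-Host ("TPM present/ready : {0}/{1}" -f $tpm.TpmPresent, $tpm.TpmReady)

# 2. Policy: each value the article enables should be DWORD 1.
foreach ($name in $expected.Keys) {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    $status = if ($value -eq 1) { 'ENABLED' } else { 'NOT SET' }
    Write-Host ("{0,-50} {1}" -f $expected[$name], $status)
}

# 3. Join state and post-setup state: NgcSet shows the Hello key exists,
#    AzureAdPrt shows the Primary Refresh Token used for SSO is present.
$s = Get-DsregState
Write-Host ("Entra joined      : {0}" -f $s['AzureAdJoined'])
Write-Host ("Domain joined     : {0}" -f $s['DomainJoined'])
Write-Host ("Hello key set     : {0}" -f $s['NgcSet'])
Write-Host ("PRT on device     : {0}" -f $s['AzureAdPrt'])
```

Before the Step 5 wizard has run, NgcSet is expected to read NO; after it completes and the user signs in again, both NgcSet and AzureAdPrt should read YES.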

Note for BYOD Users

  • BYOD (Bring Your Own Device) users who add a school or work account in Windows 11 can still provision Windows Hello keys to the SMU tenant for SSO.
  • However, because these devices are not hybrid-joined or fully Entra-joined, they cannot use cloud Kerberos for on-prem authentication.