How to enable and use Windows Hello

Overview


What is Windows Hello?

Windows Hello is a biometric authentication feature available in Windows 10 and 11 that enables users to sign in to their device using a fingerprint, facial recognition, iris scan, or a PIN. Windows Hello configurations are specific to the device, meaning biometric or PIN credentials don’t transfer to other devices. Local or Active Directory (AD) users can still use a username and password if preferred.

For AD users, credentials are encrypted and cached locally. When the device is unlocked with biometrics, these AD credentials are automatically used for domain resources, such as network drives.


What is Windows Hello for Business?

Windows Hello for Business is Microsoft’s enterprise solution for password-less authentication. When a user authenticates via biometrics, a certificate is sent to backend servers for authentication instead of using traditional passwords. Currently, Windows Hello for Business is not enabled for use by the University of Idaho.

Note: Hello for Business requires specific infrastructure and AD configurations, which are not supported by OIT at this time. If enabled in the future, Hello for Business could replace traditional Windows Hello.

For more details, visit Windows Hello for Business Overview.

 


Is Hello or Hello for Business allowed?

Windows Hello is allowed by OIT on capable Windows devices. If Windows Hello for Business is enabled for UI at a later date, simple Windows Hello may be disallowed with little notice.

Current OIT Standards for Passwords support the use of Windows Hello.

 

How to enable Hello for users?

From the Windows 11 device on which you wish to use Windows Hello:

  • From the Start menu, locate "Sign-in Options" and click on it
  • Select the sign-in option you wish to configure
    • This guide covers setting up a fingerprint and PIN, but if your device is capable, you can also use facial recognition
    • Click on the "Get started" button in the Windows Hello setup window
    • Follow the guide in the Windows Hello setup window to add fingerprints
      • You may add additional fingerprints
    • You will be required to create a PIN; click on the "Set up a PIN" button
      • Click on the "OK" button
      • Use your University of Idaho account to sign in
      • Enter and confirm your new PIN - this PIN is unique for this device
      • Windows will require a PIN that conforms to the requirements below
  • Sign out of your device, and test signing in with your biometrics (fingerprint or face) or PIN

How to use Windows Hello with Duo?

Open a private browser window and navigate to https://vandals.uidaho.edu

  • Enter your user name and password.
  • When prompted for Duo, select Other options. This may require canceling the application prompt.
  • Select Manage devices. You will need to authenticate with a current method.
  • In the device management portal, select Add a device.
  • Select Windows Hello in the pop-up window.
  • Select Continue to set up Windows Hello.
  • You will then be prompted to authenticate with the Windows Hello method you set up on your device, i.e. fingerprint, face or PIN.
  • Once the passkey is saved, you can select OK.
  • You can now use Windows Hello with Duo.



  • See: Windows Hello enrollment in Duo for additional information.


Is a Hello PIN secure?

A Hello PIN is created alongside biometrics and acts as a fallback option if biometric hardware fails or if circumstances prevent biometric authentication.

Key security features of a Windows Hello PIN:

  • Must be at least 6 digits long.
  • Is device-specific, meaning it only grants access to the device it was set up on.
  • Does not grant access to online accounts like MyUI or Office 365.
  • Protects against brute force attacks by implementing lockout delays after failed attempts.

For more details on PIN security, refer to Why a PIN is Better Than a Password.

Using biometrics is preferred, with the PIN as a backup option.

 

Known Issues and Considerations

Windows 11 is the recommended platform for using Windows Hello and will provide the best experience.