Windows Hello for Business

Language:
EN

Short link for this page: utwente.nl/windowshello

UT USES WINDOWS HELLO FOR BUSINESS ON WINDOWS 11 Compatiple DEVICES TO SECURELY LOG IN.

Windows Hello for Business applies advanced biometric technologies, such as facial recognition and fingerprint scanners, to verify your identity without requiring a password. This offers several benefits:

  1. Enhanced Security: Windows Hello provides a more secure login method than traditional passwords. Instead of a password, which can be vulnerable to phishing, Windows Hello for Business uses biometric data and Microsoft Cloud Trust to verify your identity. This means your biometric data is stored locally on your device and is never shared or transmitted.
  2. Easy Access: With Windows Hello, you no longer need to enter passwords to sign in to Windows. You can log in quickly and easily with a PIN, a smile, or a fingerprint. Of course, it also remains possible to log in with your username and password.
  3. Time-Saving: Windows Hello's fast and seamless authentication allows you to log in to your device more quickly.
Windows Hello for Business: available starting 19 June 2024

The wizard to set up Windows Hello for Business will be activated automatically on all LISA managed Windows 11 compatible devices. The next time you restart your device, the wizard will ask you to activate Windows Hello for Business.

Video: setting up Windows Hello for Business

This reference video guide gives a short summary on how to activate Windows Hello for Business: with face recognition, fingerprint or pin code.

FAQ

  • Why don't I see the Windows Hello wizard?

    The wizard will only appear once the policy has been activated on your device. it might take some time (up to 8 hours). If you have been using your device for a few days after June 19 and still do not see the wizard after restarting: it could mean that the computer is not compatible, not LISA managed, a special device or Windows may not be compatible yet. Please contact the service desk to verify this.

  • How is it possible that a 6-digit pin code is more secure than a 14-character password?

    Your PIN, smile, or fingerprint only opens the secure vault on your computer where half of the key is stored, which never leaves the device. The other half of the key is securely stored online by Microsoft in your account. Together, these two keys provide access to your device, websites, and files. Even if someone manages to obtain your PIN through phishing, it can only be used on your device and not, unlike a regular password, from another location. Additionally, if you use your face or fingerprint, the chance of someone being able to observe your PIN is eliminated.

    More technical explanation 
    Windows Hello for Business provides a significantly more secure method for logging in than traditional passwords, even those with 14 characters. Traditional passwords are vulnerable to cyberattacks, including phishing, brute force attacks, and credential stuffing. In contrast, Windows Hello for Business enhances security by using biometric authentication and Microsoft Cloud Trust to verify a user’s identity. An asymmetrical key pair is created: one key is stored on the device, and the other is held by the identity provider. Access is granted only when these keys are combined. Therefore, these keys are used to access the device, not the PIN itself. A 6-digit PIN can be more secure than a 14-character password because the PIN is tied to the specific device and cannot be used elsewhere. Additionally, the PIN is just one part of a multi-factor authentication process that includes the device and biometrics, significantly reducing the attack surface compared to traditional passwords. The asymmetrical key pair adds another layer of security, ensuring that the PIN alone is insufficient without the corresponding device and biometric verification.

  • I forgot my PIN / How can I reset or change Windows Hello for Business PIN?

    Navigate to Settings > Accounts > Sign-in options > PIN (Windows Hello) > I forgot my PIN, or when you know your PIN but you want to change the PIN, choose Change PIN.

  • Can I still log in with my username and password after Windows Hello activation?

    Yes, in the sign-in screen, you can also choose to sign in with your password in the sign-in options. The video shows the different sign-in options. Click on the key icon if you want to sign in with your password.

  • What if I no longer want Windows Hello for Business?

    Contact our servicedesk. They will ensure that the policy is disabled on the device and that a Windows Hello Removal Tool application becomes available in the Company Portal, which can be used to completely disable Windows Hello on the device.

  • How can I activate Windows Hello special devices or lab PCs?

    Windows Hello for Business will not be activated on specials known to LISA, such as lab PCs, measurement systems and lecture room PCs. If there is a situation where Windows Hello for Business needs to be activated on such a PC, please contact the Service desk for assistance.

  • What if my device doesn't have a compatible webcam for face recognition?

    You can purchase a compatible device from the Self Service Portal or setup a 6-digit pin code. For this, see the products marked with: Windows Hello. Discuss this first with your budget responsible.

  • How do I modify my sign-in options?

    Easily adjust them in Settings > Accounts > Sign-in options.

  • How can I navigate through the wizard?

    See the video in the section above.

  • Is Windows Hello for Business secure?

    Yes, it offers enhanced security with phish-resistant two-factor authentication and built-in brute force protection. Learn more on the Microsoft website.

  • Are my biometric data shared with third parties?

    No, biometric data like fingerprints or facial recognition remains on your device and isn't transmitted or shared with Microsoft or other parties.

  • What if I have a device without a camera or fingerprint scanner?

    You'll go through a wizard to set up a PIN code instead. If you'd like to use biometric login features, you can purchase a supported webcam or fingerprint scanner from the Self Service Portal.

  • Will this work when I'm working at home (remotely)?

    You can complete the wizard at home, but biometric logins might not be possible the first time until you connect to the VPN. (This generally applies only to AD-managed computers.) If you are off-campus after provisioning and receive a message  that login is not possible when attempting to log in for the first time using PIN, FACE, or Fingerprint, resolve this by:

    • Select in logon screen sign-in options;
    • Choose password (Key icon);
    • Logging in with your username and password;
    • Start EduVPN;
    • Lock your computer (Windows key + L);
    • Unlock your computer and choose a preferred sign-in option PIN, FACE, or Fingerprint;
    • Windows Hello for Business is now fully configured.

    This only applies to the first login; subsequent logins with PIN, FACE, or Fingerprint will be possible without a VPN connection, just like with your traditional password.

  • My laptop appears to have a fingerprint scanner, but it's not functional.

    If the wizard doesn't allow you to set up the fingerprint, it's likely that the hardware isn't compatible. Often, what may appear to be a scanner is just a cover or a similar feature without the actual fingerprint scanning capability.

  • How many users can enroll for Windows Hello for Business on a single Windows device?

    The maximum number of supported enrollments on a single device is 10. Which means 10 users may setup face recognition and/or there fingerprint to access the device. For devices with more than 10 users it's recommended the use of FIDO2 security keys.

  • Can I enroll local Windows accounts in Windows Hello for Business?

    Windows Hello for Business is not designed to work with local accounts.

  • Can I use an external camera?

    You can use an external Windows Hello compatible camera if a device has an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication.

More Microsoft FAQ about Windows Hello for Business

Contact

Contact
Service Desk ICT
Service Desk ICT
Citadel building @ O&O square

Visit us: 8.30 - 17.00 on weekdays (location)
Call us: 8.00 - 17.30 on weekdays

To support you on the phone, we may ask you to open Teamviewer. The application has already been installed on UT Windows computers. For other devices, you may need to download Teamviewer.

My favourites

About Favourites
Use the Bookmark this page button on Service Portal pages to add that page to the My Favourites section. To add web applications, use the star icon in the webapplication list. To add pages outside the Service Portal, use the Add custom bookmark button above. Add your favourite apps to your bookmarks by using the favourite button.

The My Organisation section shows mandatory bookmarks for your your main unit.

Please wait a moment...