Windows Hello for Business

Summary

This article describes signing in to your computer through "Windows Hello for Business" authentication.

Body

This article explains the prerequisites and the enrollment process for Windows Hello for Business.

Windows Hello for Business is a new authentication solution for faculty and staff using Microsoft Windows 10 and Microsoft Windows 11 that enables strong two-step authentication with the convenience of a PIN or biometric for sign-in. Using Hello for Business, you sign in to your computer just like you sign in to your smartphone. After you log in, you can immediately start using apps such as webmail and OneDrive. Lastly, when using the Microsoft Edge browser, you can use Hello for Business to enable strong authentication to third-party websites. When visiting these websites, such as Carolina Key, you authenticate with your biometric instead of using a password that can be guessed, breached, or phished. Over time, we expect the number of web applications that support Hello for Business to grow. For more information about the technology and a demo website, see the links at the bottom of this article.

Information

Prerequisites:

  • A computer using Microsoft Windows 10 or Windows 11.
  • A computer that is a member of AD.UNC.EDU (Onyen sign-on).
  • TPM hardware found in recent computers.
  • A device that can use a biometric (e.g. fingerprint reader or camera).
  • 6-digit or longer numeric PIN.
  • A way to receive an SMS text or have the Microsoft Authenticator App.
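
For IT staff, the machine-side prerequisites above can be checked before enrollment with a short PowerShell script. This is an added example, not part of the original article or of UNC's tooling; it assumes an elevated session, and Get-DsregValue is a hypothetical helper name.

```powershell
# Added example: readiness check for the prerequisites listed above.
# Assumes an elevated PowerShell session (Get-Tpm needs administrator rights).
$ExpectedDomain = 'AD.UNC.EDU'   # domain named in the prerequisites

# Hypothetical helper: read one "Name : Value" field from dsregcmd output.
function Get-DsregValue {
    param([string[]]$Lines, [string]$Name)
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*:\s*(\S+)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$cs    = Get-CimInstance -ClassName Win32_ComputerSystem
$tpm   = Get-Tpm
# Devices in the Biometric class (fingerprint readers; cameras may be listed elsewhere).
$bio   = @(Get-PnpDevice -Class Biometric -PresentOnly -ErrorAction SilentlyContinue)
$dsreg = dsregcmd.exe /status

$checks = [ordered]@{
    'Windows 10 or Windows 11'      = $os.Caption -match 'Windows 1[01]'
    "Member of $ExpectedDomain"     = $cs.PartOfDomain -and ($cs.Domain -eq $ExpectedDomain)
    'TPM present and ready'         = $tpm.TpmPresent -and $tpm.TpmReady
    'Biometric device detected'     = $bio.Count -gt 0
    # NgcSet reflects the user running the script: YES means a Hello key already exists.
    'Hello already enrolled (user)' = (Get-DsregValue -Lines $dsreg -Name 'NgcSet') -eq 'YES'
}

# Print one row per check so failures are easy to spot.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Result = $_.Value }
} | Format-Table -AutoSize
```

A False result for the biometric check does not block enrollment, since a PIN can be used when biometrics are unavailable.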

Before you begin:

  • Contact your local IT department staff to ask how to set up your computer with Microsoft Windows Hello for Business. Once it's enabled for your computer, you will be able to follow the instructions below.
  • You will need to connect to the VPN or be connected from campus before using Windows Hello for Business. This connection is only needed during the first logon.

Enrollment steps:

After a reboot you will be prompted to set up Microsoft Windows Hello for Business or you may navigate to the settings. Setting up Microsoft Windows Hello for Business includes setting up a PIN and/or fingerprint, and/or facial recognition.

At the Microsoft Windows search bar, search for 'sign-in options'.
[Screenshot: Sign-In Options]

The next step is to set up your PIN.
[Screenshot: PIN Set-Up]

A notice will appear asking you to link your work or school account.
[Screenshot: Work or School Account]

The next step is to accept the prompt from your Microsoft Authenticator app on a smartphone.
[Screenshot: Microsoft Authenticator]

Lastly, set your new PIN as shown below.
[Screenshot: Set PIN]


Known Issues:

  • Remote Desktop to other computers defaults to biometric, but does not work unless the target computer uses Remote Credential Guard.
  • Many computers do not have the infrared cameras required for facial recognition.
  • Some devices have issues with the fingerprint readers and enrollment/re-enrollment.
  • Biometrics do not expire like a password; that is, resetting a user’s password will not prevent them from logging in locally or to Office 365.
  • You may have to use Device Manager to remove or change camera drivers and/or obtain drivers from Windows Update.
  • You may have to use the MMC snap-in to set local group policy manually or contact local IT support if your sign-in options are greyed out.
  • After setting up, you may have to reboot and log in with a PIN the first time.
  • If you are an admin and log in to a machine already configured with Hello for Business without enrolling your biometric, Windows or Hello may crash. Enrolling your biometric may allow the login to work as expected, though using an alternative technology for access is recommended.
  • We recommend enrolling when the device is connected via campus Ethernet to reduce enrollment problems.

FAQs:

  • Do I have to enroll a biometric? No. Also keep in mind that Windows Hello is completely optional; it is up to you to decide whether you value the convenience and sign-in security offered.
  • Can I enroll more than one fingerprint? Yes.
  • Is my biometric data stored on UNC or Microsoft servers? No. Please see the document "Windows Hello Biometrics in Enterprise".
  • Can multiple users on a single device use Windows Hello? Yes, but they need to enroll.
  • If I don’t have a fingerprint reader or a camera can I use Windows Hello? Yes. Consider purchasing a compatible keyboard, USB biometric device, or a compatible camera.
  • Do all CCI computers support biometrics for Windows Hello? No, only computers that have the IR camera option or a fingerprint reader support biometrics, but a PIN can be used if biometrics are unavailable.
  • How long does it take to log in? Fingerprint readers are the fastest, usually taking less than 3 seconds. Cameras may take between 3 and 15 seconds.
  • Can I use Windows Hello to sign-in to SSO or other UNC websites? Yes, but this is by invite only at this time.
  • If I cut my finger, can I still log in? Yes, you can still log in with your PIN, your Onyen passphrase, or another enrolled finger.
  • What if I forget my PIN? You can still sign in with your biometric or Onyen passphrase.
  • Can it be configured to require a PIN and a biometric for very sensitive environments? Yes, please contact your local IT support if this level of security is needed.
  • I get a KDC certificate error, what is wrong? This has been seen only a few times. A computer using wireless with v1803 encountered this, but it is not consistently reproducible. It may help to remove the computer from Azure AD, update the computer to the latest Windows 10 version, use a wired Ethernet connection/adapter, and be connected to the VPN or at the University.

References:

Microsoft Windows Hello


Details

Article ID: 210
Created: Thu 6/20/24 1:01 PM
Modified: Tue 10/29/24 2:36 PM