Implementing Windows Hello (FaceID & PIN) on Windows 11

Article ID: KB-WIN11-HELLO-001
Version: 1.0
Date: 20 Aug 2025
Author: Ante Crvelin
Audience: IT Infrastructure, Service Desk, Security
Scope: Corporate-managed Windows 11 PCs (Makita AU). Excludes shared kiosk devices and servers.

1. Overview & Objectives

Windows Hello for Business (WHfB) replaces passwords with strong, device-bound credentials.
This article outlines how to enable FaceID and PIN sign-in on Windows 11 PCs using Intune (recommended) or Group Policy (GPO).

Business Outcomes:

Faster, simpler sign-in → efficiency gain at every login.
Stronger authentication (TPM-backed + biometrics).
Reduced Service Desk load (fewer password reset tickets).

Note: Face sign-in requires a Windows Hello–compatible IR camera. PIN is available on all supported devices. Enhanced anti-spoofing can be enforced but may disable unsupported cameras.

2. Prerequisites

Hardware:

TPM 2.0 enabled and ready.
IR camera (Windows Hello compatible).
Latest drivers and firmware installed.

Platform:

Microsoft Entra ID tenant with Intune, or Active Directory with GPO.
Devices joined to Entra ID or Hybrid Azure AD.
Network access to Microsoft endpoints.

Security Decisions:

Trust model: Cloud Kerberos trust (recommended) or certificate trust (requires AD CS).
Define PIN complexity (length, alphanumeric).
Decide on enforcing enhanced anti-spoofing.

3. Architecture Options

Option A – Entra ID Join + Intune (Recommended)

Devices Entra ID joined, managed by Intune.
Configure WHfB via Intune Account Protection profile.

Option B – Hybrid Azure AD Join + Intune/GPO

Domain-joined devices synced to Entra ID.
Configure WHfB via Intune or GPO.
Use Cloud Kerberos trust for simplicity.

Option C – On-prem AD Only (Not recommended)

Requires AD CS and certificate trust.
Consider migration to hybrid/cloud.

4. Implementation via Intune (Recommended)

Tenant-wide policy:
- Intune → Devices → Enrollment → Windows Hello for Business → Configure = Enabled.
- Set TPM = Required, PIN length = 8, history = 5, expiry = 0, allow biometrics, enable anti-spoofing, enable ESS.
Account Protection Profile:
- Intune → Endpoint security → Account protection → Create Policy.
- Configure as above and assign to pilot group.
Optional: Use Settings catalog or Custom OMA-URI for PassportForWork CSP.
Validation:
- User → Settings → Accounts → Sign-in options → Add PIN and Face recognition.
- Confirm both are available.

5. Implementation via Group Policy (GPO)

Path: Computer Config → Administrative Templates → Windows Components → Windows Hello for Business

Enable Windows Hello for Business = Enabled
Cloud trust = Enabled (or Certificate trust if required)

Biometrics:

Allow biometrics = Enabled
Allow users logon with biometrics = Enabled
Enhanced anti-spoofing = Enabled

PIN Complexity:

Minimum length = 8
Require digits = Enabled
Allow/Require uppercase, lowercase, special characters
PIN recovery = Enabled

Update devices with gpupdate /force.

6. End-User Setup

User signs in.
WHfB provisioning prompts to create a PIN.
Settings → Accounts → Sign-in options → Facial recognition (Windows Hello) → Set up.
Scan face. PIN remains available if the camera is unsupported.

7. Pilot, Rollout & Controls

Pilot: 20–50 users across varied device models.
Staged rollout by department/location.
Monitoring: Login duration, adoption, support tickets.
Exclusions: Finance terminals, kiosks, shared devices.
Backout: Disable WHfB policy; revert to passwords.

8. Testing & Validation

TPM: tpm.msc or Get-Tpm (PowerShell).
Join State: dsregcmd /status.
Policy: Intune Device config or gpresult /r.
Logs: Event Viewer → Windows Hello for Business, User Device Registration.
Camera: Device Manager → Cameras.

9. Troubleshooting

“Option unavailable” → Check drivers, policy conflicts, anti-spoofing.
“PIN unavailable” → Reset via Sign-in options → I forgot my PIN.
Poor recognition in low light → Validate camera; adjust comms but do not weaken policy.
Hybrid auth failing → Check AAD Connect health or AD CS configuration.

10. Makita AU Baseline

Trust model: Cloud Kerberos trust (Hybrid) or Entra ID join.
TPM: Required.
PIN: Min 8 chars, digits required, history = 5, expiry = 0.
Biometrics: Allowed, anti-spoofing required.
ESS: Enabled.
Exclusions: Kiosks, service accounts.

Appendices

Appendix A – OMA-URI Examples (PassportForWork CSP)
(See detailed values in the technical guide)

Appendix B – GPO Quick Reference
(Enable WHfB, Biometrics, Anti-spoofing, PIN complexity)

Appendix C – Efficiency Considerations

Average login time reduced vs passwords.
Faster warehouse/tablet access.
Reduced helpdesk load via self-service PIN recovery.

✅ Status: Approved for IT pilot rollout.
🔄 Next Review: 6 months post-deployment.