How to Configure Windows Server 2016 Windows Hello for Business
Windows Hello for Business (WHfB) is Microsoft’s enterprise-grade implementation of FIDO2-compatible strong authentication, replacing traditional passwords with cryptographic credentials protected by hardware (TPM) and user gestures such as PIN, fingerprint, or facial recognition. Windows Server 2016 provides the infrastructure components necessary to deploy WHfB for domain-joined Windows 10 devices. This guide covers the full on-premises deployment of Windows Hello for Business in a Key Trust configuration, which is the recommended approach when all Domain Controllers run Windows Server 2016.
Windows Hello for Business vs Windows Hello
It is important to distinguish between Windows Hello and Windows Hello for Business. Windows Hello is the consumer feature that allows local device sign-in with biometrics or a PIN, replacing the local account password. It does not involve Active Directory or enterprise identity. Windows Hello for Business is the enterprise version that integrates with Active Directory, uses public key cryptography, and is deployed and managed through Group Policy or MDM. WHfB credentials authenticate to Active Directory (or Azure AD) using Kerberos or certificate-based authentication.
Key Trust vs Certificate Trust
Key Trust is simpler to deploy — it does not require a PKI or certificate issuance. The user’s public key is written directly to their Active Directory user object and the Windows Server 2016 KDC validates it. Certificate Trust requires an enterprise PKI and issues a certificate to the device, which is used for Kerberos authentication. Certificate Trust is necessary in environments with Domain Controllers older than Windows Server 2016. Choose Key Trust for new Windows Server 2016 forests and Certificate Trust for mixed environments.
Infrastructure Requirements for Key Trust
Confirm the following before beginning deployment. All Domain Controllers must run Windows Server 2016. The domain functional level must be Windows Server 2008 R2 or higher. An Enterprise Certificate Authority must be deployed in the forest (required to issue KDC certificates to Domain Controllers). All client devices must run Windows 10 version 1703 or later. Group Policy or Microsoft Intune must be available to push the WHfB configuration policy to devices.
Deploying a KDC Certificate to Domain Controllers
Domain Controllers need a valid KDC certificate for Key Trust to work. The certificate must use the Kerberos Authentication template (or the newer Domain Controller Authentication template). On the Enterprise CA, ensure the Kerberos Authentication certificate template is available for auto-enrollment to Domain Controllers:
certutil -CATemplates | findstr -i "Kerberos"
If auto-enrollment is not configured, manually request a certificate on each DC:
certreq -new KerberosAuthenticationTemplate.inf KerberosAuth.req
certreq -submit KerberosAuth.req KerberosAuth.cer
certreq -accept KerberosAuth.cer
Enable auto-enrollment via Group Policy to automate this going forward:
Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
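Before rolling the client policy out, it is worth confirming that every Domain Controller actually holds a usable KDC certificate, since Key Trust logon fails silently against a DC that lacks one. The following is an added example, not part of the original guide: it queries each DC over WinRM for certificates carrying the KDC Authentication enhanced key usage (OID 1.3.6.1.5.2.3.5, which the Kerberos Authentication template sets) and reports validity and expiry. It assumes the ActiveDirectory module is installed where it runs and that WinRM to the DCs is permitted.

```powershell
# Added example (not from the original guide): inventory KDC Authentication
# certificates on every Domain Controller in the current domain.
$KdcAuthEku = '1.3.6.1.5.2.3.5'   # "KDC Authentication" enhanced key usage OID

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $KdcAuthEku -ScriptBlock {
        param($eku)
        $now = Get-Date
        # Any cert in the machine store that carries the KDC Authentication EKU
        $kdc = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $eku }
        # Only those inside their validity window count
        $valid = $kdc | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now }
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            KdcCertCount     = @($kdc).Count
            ValidKdcCert     = (@($valid).Count -gt 0)
            # Earliest expiry among valid KDC certs, so renewal can be planned
            EarliestExpiry   = ($valid | Sort-Object NotAfter | Select-Object -First 1).NotAfter
            Thumbprints      = ($valid.Thumbprint -join ',')
        }
    }
}

$report | Format-Table DomainController, KdcCertCount, ValidKdcCert, EarliestExpiry -AutoSize
$report | Where-Object { -not $_.ValidKdcCert } | ForEach-Object {
    Write-Warning "$($_.DomainController) has no valid KDC Authentication certificate; Key Trust sign-in against it will fail."
}
```

A DC that shows a certificate from the older Domain Controller template only will still report zero here, because that template does not include the KDC Authentication EKU.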
Configuring Group Policy for Windows Hello for Business
Create a dedicated GPO for Windows Hello for Business and link it to the OU containing your Windows 10 computers. Navigate to:
Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business
Configure the following settings:
Use Windows Hello for Business: Enabled
Use certificate for on-premises authentication: Not configured (for Key Trust)
Use a hardware security device: Enabled
Enable automatic enrollment of credentials at first sign-in: Enabled
For the PIN Complexity sub-key:
Minimum PIN length: 8
Require digits: Enabled
Expiration: 365 (days)
Enabling Biometrics
Windows Hello for Business supports biometric authentication if the device has compatible hardware. Enable biometrics through Group Policy:
Computer Configuration > Administrative Templates > Windows Components > Biometrics
Set Allow use of biometrics to Enabled and Allow users to log on using biometrics to Enabled. Devices without compatible biometric hardware will fall back to PIN-only authentication automatically.
Provisioning Flow
After Group Policy is applied, the provisioning flow occurs automatically after the user’s next sign-in. Windows detects the WHfB policy, prompts the user to set up a PIN (and optionally enroll biometrics), generates a key pair in the TPM, and uploads the public key to Active Directory. The public key is stored in the msDS-KeyCredentialLink attribute of the user object. To verify that a user has enrolled:
Get-ADUser jsmith -Properties msDS-KeyCredentialLink | Select-Object -ExpandProperty msDS-KeyCredentialLink
A non-empty value indicates the user has a registered WHfB key.
Troubleshooting Enrollment Issues
If users are not prompted to set up Windows Hello for Business after Group Policy is applied, check the following:
Confirm the GPO is linked correctly and is being applied to the device, using gpresult.
Verify the device has a TPM and that it is enabled in the BIOS/UEFI.
Check that the DC has a valid KDC certificate.
Review the Microsoft-Windows-HelloForBusiness/Operational event log on the client.
Common errors include Event 360 (provisioning failed – often due to a missing KDC certificate) and Event 362 (user not eligible – check Group Policy application).
Get-WinEvent -LogName "Microsoft-Windows-HelloForBusiness/Operational" | Where-Object {$_.LevelDisplayName -eq "Error"} | Select-Object TimeCreated, Id, Message
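The checks above can be run as one script on the affected client. This is an added example, not part of the original guide: it reads TPM state, the policy values the WHfB GPO writes to the registry, and recent errors from the HelloForBusiness log. The registry key and value names (PassportForWork, Enabled, RequireSecurityDevice, UseCertificateForOnPremAuth) are assumed from the Passport.admx policy template; run it from an elevated PowerShell session on the Windows 10 client.

```powershell
# Added example (not from the original guide): client-side WHfB readiness check.
# Registry names below are assumed from the Passport.admx template that backs the GPO.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$result = [ordered]@{}

# 1. TPM present and ready (Get-Tpm ships with the TrustedPlatformModule module)
$tpm = Get-Tpm
$result.TpmPresent = $tpm.TpmPresent
$result.TpmReady   = $tpm.TpmReady

# 2. Has the WHfB GPO reached this machine? Its settings land under $policyKey.
if (Test-Path $policyKey) {
    $p = Get-ItemProperty -Path $policyKey
    $result.PolicyEnabled         = ($p.Enabled -eq 1)
    $result.RequireSecurityDevice = ($p.RequireSecurityDevice -eq 1)
    # Key Trust leaves this unset or 0; a value of 1 means Certificate Trust was configured
    $result.CertificateTrust      = ($p.UseCertificateForOnPremAuth -eq 1)
} else {
    # No policy key at all: the GPO is not applying; check links and security filtering
    $result.PolicyEnabled = $false
}

# 3. Provisioning errors in the last 24 hours (IDs 360 and 362 are discussed above)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-HelloForBusiness/Operational'
    Level     = 2                          # Error
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
$result.ErrorEvents24h     = @($events).Count
$result.MissingKdcCertHint = [bool]($events | Where-Object Id -eq 360)
$result.NotEligibleHint    = [bool]($events | Where-Object Id -eq 362)

[pscustomobject]$result | Format-List
```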
Monitoring Adoption
Track how many users have enrolled in WHfB by querying AD for users with a populated msDS-KeyCredentialLink attribute:
# Count all user objects; @() keeps .Count valid even for a single result
$total = @(Get-ADUser -Filter *).Count
# An LDAP presence filter is evaluated server-side and avoids the hyphenated
# attribute name being misparsed in a PowerShell-style -Filter expression
$enrolled = @(Get-ADUser -LDAPFilter "(msDS-KeyCredentialLink=*)").Count
Write-Host "Enrolled: $enrolled / $total"
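A raw count does not tell you which devices hold a key for a user, which matters for the break-glass case of a lost or reset device. The following is an added example, not part of the original guide: it decodes each msDS-KeyCredentialLink value into per-key facts (device ID, key usage, source, creation time). The blob layout is taken from MS-ADTS section 2.2.20 (KEYCREDENTIALLINK_BLOB: a 4-byte version followed by entries of 2-byte length, 1-byte identifier, value); the identifier numbers and the NGC usage value are assumed from that specification.

```powershell
# Added example (not from the original guide): decode msDS-KeyCredentialLink values
# into an inventory of which devices hold a Windows Hello for Business key per user.
function ConvertFrom-KeyCredentialLink {
    # Input is the DN-binary string the AD module returns: "B:<hexlen>:<hex>:<DN>"
    param([Parameter(Mandatory)][string]$DnBinary)
    $hex   = $DnBinary.Split(':', 4)[2]
    $bytes = [byte[]]::new($hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
    }
    # Version is expected to be 0x200 (MS-ADTS 2.2.20); fields below are filled per entry
    $key = [ordered]@{ Version = [BitConverter]::ToUInt32($bytes, 0)
                       Usage = $null; Source = $null; DeviceId = $null; Created = $null }
    $pos = 4
    while ($pos + 3 -le $bytes.Length) {
        $len = [BitConverter]::ToUInt16($bytes, $pos)   # entry length
        $id  = $bytes[$pos + 2]                          # entry identifier
        $pos += 3
        if ($len -eq 0 -or $pos + $len -gt $bytes.Length) { break }   # empty or truncated entry
        $val = [byte[]]$bytes[$pos..($pos + $len - 1)]
        $pos += $len
        switch ($id) {
            # Identifier values assumed from MS-ADTS: 4 KeyUsage, 5 KeySource, 6 DeviceId, 9 KeyCreationTime
            0x04 { $key.Usage    = if ($val[0] -eq 1) { 'NGC (WHfB)' } else { '0x{0:X2}' -f $val[0] } }
            0x05 { $key.Source   = if ($val[0] -eq 0) { 'AD' } else { 'AzureAD' } }
            0x06 { if ($val.Length -eq 16) { $key.DeviceId = [guid]::new($val) } }
            0x09 { $key.Created  = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($val, 0)) }
        }
    }
    [pscustomobject]$key
}

# Inventory: one row per (user, registered key), so a lost device can be matched to its key
Get-ADUser -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink |
    ForEach-Object {
        $user = $_.SamAccountName
        foreach ($link in $_.'msDS-KeyCredentialLink') {
            $k = ConvertFrom-KeyCredentialLink -DnBinary $link
            [pscustomobject]@{ User = $user; DeviceId = $k.DeviceId; Usage = $k.Usage
                               Source = $k.Source; Created = $k.Created }
        }
    } | Sort-Object User, Created | Format-Table -AutoSize
```

Users with more than one row have keys from several devices; the Created column tells you which entry belongs to a device that has since been lost or reimaged.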
Disabling Windows Hello for Business on Specific Devices
If you need to exclude specific OUs or devices from the WHfB policy, use security filtering on the GPO or create a separate GPO for excluded machines that sets Use Windows Hello for Business to Disabled and link it at a higher precedence level to the affected OU.
Best Practices
Deploy WHfB to IT staff first as a pilot, then roll out to the broader organization. Require TPM 2.0 where possible — software-backed keys are significantly less secure. Set a realistic PIN minimum length (8+ characters recommended). Pair WHfB with a Conditional Access policy that requires compliant devices for access to sensitive resources. Educate users on the purpose of the PIN and that it is device-specific. Develop a break-glass procedure for users who lose or reset their device without first removing their WHfB key.
Windows Hello for Business is one of the most impactful security improvements available in Windows Server 2016. Eliminating password-based network authentication for Windows 10 clients removes entire classes of credential-based attack from your threat model.