multi-factor authentication

Boipelo Lekoba 0 Reputation points
2026-05-08T08:07:27.1033333+00:00

Steps on how to set up Windows Hello to work together with AD for multi-factor authentication, in the sense that users will be prompted to enter their password and Windows Hello (biometrics) in the same login session.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
3 answers

  1. Harry Phan 19,085 Reputation points Independent Advisor
    2026-05-08T09:02:21.7766667+00:00

    Hello Boipelo Lekoba,

    Windows Hello for Business does not natively support enforcing a combined password plus biometric prompt in a single logon sequence. By design, Hello replaces the password with a strong key‑based credential bound to the device and protected by biometrics or PIN. If you want to enforce both factors at the same time, the supported approach is to configure Windows Hello for Business in Key Trust or Certificate Trust mode and then require password entry as part of the authentication policy through Active Directory or Azure AD conditional access. In AD DS environments, you can enforce password plus Hello by enabling “Use Windows Hello for Business” via Group Policy (Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business) and then setting interactive logon policies to require smart card or password in addition to Hello. In hybrid or Azure AD joined scenarios, Conditional Access can enforce MFA at sign‑in, but this is separate from the Hello credential itself.

    In a nutshell, Windows does not provide a built‑in toggle to force “password + biometric” at the same login screen. The closest supported configuration is to deploy Hello for Business with AD integration and enforce password entry through logon policies or Conditional Access, effectively requiring both factors. If your requirement is strict dual entry at every session, this is not achievable with current Windows Hello design, and you would need to wait for Microsoft to introduce such functionality or consider third‑party credential providers that extend logon behavior.

    If the above response helps answer your question, please hit "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Harry.

  2. Boipelo Lekoba 0 Reputation points
    2026-05-08T08:24:07.92+00:00

    I want to enforce mandatory multi-factor authentication on users' laptops so that they do not get to opt either to use both password and biometric at a single log-in every time or not. So what are the steps I can follow to deploy this change, not using the multi-factor that is already enforced by Windows?

  3. Q&A Assist
    2026-05-08T08:07:41.5166667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Windows Hello for Business itself is the multi-factor authentication: it combines a device-bound key (something you have) with a PIN or biometric (something you know/are). In a standard, supported deployment, users are not prompted for both an AD password and Windows Hello in the same sign-in; Windows Hello replaces the password as the interactive factor.

    From the provided information:

    • Windows Hello for Business uses a two-factor method that combines a device-specific credential with a biometric or PIN gesture, tied to an identity provider such as Microsoft Entra ID or Active Directory.
    • After initial two-step verification during provisioning, Windows Hello is set up on the device and the user sets a gesture (biometric or PIN). Windows then uses Windows Hello to authenticate users instead of passwords.
    • Authentication is based on a key or certificate tied to the device plus a PIN or biometric. The PIN/biometric unlocks the private key, which is then used to sign data sent to the IdP (AD/Entra/other). The password is not part of this flow.
    • The PIN or biometric is not sent to the IdP and the PIN is not stored on the device; they are only used as user-provided entropy to unlock the key material.
    • Provisioning Windows Hello for Business itself requires users to perform multifactor authentication (for example, MFA via AD FS or Entra ID) before enrollment, but after enrollment, Windows Hello is the MFA mechanism.

    Therefore, with Windows Hello for Business integrated with Active Directory:

    1. Users perform MFA once to provision Windows Hello for Business.
    2. After provisioning, users sign in with Windows Hello (PIN or biometrics) on a registered device.
    3. That sign-in is already two-factor (device-bound key + PIN/biometric) and is treated as strong, phish-resistant authentication.

    The scenario where a user is prompted in the same session for both:

    • AD password, and
    • Windows Hello (PIN/biometric)

    is not described or supported in the provided material. The documented and supported model is that Windows Hello for Business replaces the password as the interactive factor, rather than being combined with it in the same logon sequence.

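The flow in the bullets above, as an added toy model that is not Microsoft's code nor the real Windows Hello implementation: an AES-GCM-wrapped Ed25519 seed stands in for the TPM-protected credential, a single SHA-256 of PIN and salt stands in for the real key-protection KDF, and the names IdP, Device, NewIdP, pinAEAD, Provision and SignIn are chosen for this example. It shows the three properties the answer lists: enrollment gated on a prior MFA, the PIN only unlocking a local key, and the IdP verifying a signature while never receiving a password or the PIN.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// IdP keeps only the public key registered per user at provisioning; it never sees the PIN.
type IdP struct{ pub map[string]ed25519.PublicKey }
func NewIdP() *IdP { return &IdP{pub: map[string]ed25519.PublicKey{}} }
// Device keeps the private seed wrapped under a PIN-derived key (stand-in for TPM protection).
type Device struct{ salt, nonce, wrapped []byte; pub ed25519.PublicKey }
// pinAEAD: AES-GCM under a toy PIN KDF (one SHA-256; an assumption, not Hello's real scheme).
func pinAEAD(pin string, salt []byte) cipher.AEAD {
	k := sha256.Sum256(append([]byte(pin), salt...))
	block, _ := aes.NewCipher(k[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Provision models enrollment: after MFA, create a key pair, wrap the seed under the PIN
// (the PIN itself is never stored), and register only the public key with the IdP.
func Provision(idp *IdP, user, pin string, mfaPassed bool) (*Device, error) {
	if !mfaPassed {
		return nil, errors.New("multifactor authentication required before enrollment")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	d := &Device{salt: make([]byte, 16), nonce: make([]byte, 12), pub: pub}
	rand.Read(d.salt)
	rand.Read(d.nonce)
	d.wrapped = pinAEAD(pin, d.salt).Seal(nil, d.nonce, priv.Seed(), nil)
	idp.pub[user] = pub
	return d, nil
}
// SignIn models logon: the PIN unwraps the seed locally, the device signs the IdP challenge,
// and the IdP verifies with the registered key; neither a password nor the PIN leaves the device.
func SignIn(idp *IdP, d *Device, user, pin string, challenge []byte) bool {
	seed, err := pinAEAD(pin, d.salt).Open(nil, d.nonce, d.wrapped, nil)
	if err != nil {
		return false // wrong PIN: the key never unlocks and nothing is sent to the IdP
	}
	sig := ed25519.Sign(ed25519.NewKeyFromSeed(seed), challenge)
	pub, ok := idp.pub[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

Note that a password never appears in either function: the only place to add a second interactive factor is outside this flow (for example a separate logon policy or Conditional Access), which is exactly what the answers above describe.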
