Windows Hello: Frequently Asked Questions (FAQ)

Summary

Windows Hello is a multi-factor authentication option available for managed Windows 10/11 computers joined to the USNH domain. Windows Hello is a more personal and secure way to sign in to your Windows device. With Windows Hello you have options to sign in using facial recognition, fingerprint, or a PIN as well as your password. These options are only associated with that one device, and are backed up for recovery through your Microsoft account. Configuring Windows Hello also permits login to SSO-enabled websites and services using these factors, generating a more convenient and secure login experience. Windows Hello will be enabled for individual-use USNH-managed Windows computers during Summer 2025.

 

Questions

Q1 - Why is a PIN better than an online password?

Q2 - Can't I just use my password?

Q3 - I’m worried about my biometric data, where is my info going?

Q4 - What happens if someone steals the device?

Q5 - How many users can enroll for Windows Hello on a single device?

Q6 - Can this be used on a Mac?

Q7 - Can we deploy this to student PCs?

Q8 - Is Windows Hello optional?

 

Answers

A1 - Why is a PIN better than an online password?

PINs are local to the machine. A bad actor who learns your PIN would also need access to your machine in order to access your information. A user’s PIN cannot be used to access their online account without also having physical possession of their machine.


A2 - Can't I just use my password?

Once Windows Hello is turned on for your machine, you are required to at least create a PIN as an MFA factor. If a user does not wish to use Windows Hello after making their PIN, they can select Sign-In Options on their Windows login page and select Password to continue using their password instead. This also gives a user a way to sign in to their machine if they have forgotten their PIN.


A3 - I’m worried about my biometric data, where is my info going? 

Biometric data used by Windows Hello is stored on the device itself. It is stored in an encrypted format that only Windows Hello can decrypt; it does not roam, and it is not accessed externally. No user or process other than Windows Hello has access to this encrypted data.


A4 - What happens if someone steals the device? 

The physical device is still locked down by its second factor. In order to log in, a bad actor would either need to be able to spoof the user’s biometric information (which is extremely difficult due to the technologies involved) or have prior knowledge of the user’s PIN. Simply having the device does not permit access to the user’s account. 


A5 - How many users can enroll for Windows Hello on a single device?

Windows Hello has a hard limit of 10 profiles on a machine. Due to this limitation, and the fact that the credentials are device-specific, we recommend that it not be used on shared machines.


A6 - Can this be used on a Mac?

No, Windows Hello is exclusive to the Windows operating systems.


A7 - Can we deploy this to student PCs?

Windows Hello through USNH can only be deployed to machines that have been joined to the USNH domain(s). If a personal device is joined to the domain, Windows Hello could theoretically be deployed to it. However, we recommend against this because if the device is ever removed from the domain (such as after graduation), the user would be locked out of their machine and the computer would be unusable.


A8 - Is Windows Hello optional?

If Windows Hello is deployed to a machine, it is non-optional. A user must at least set up a PIN if they log into the device. The user may choose to continue to use their password to log in and not use their PIN going forward. 


Further Reading

Windows Hello: Configuring Windows Hello on Managed Windows Computers

 

Need additional help?

Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request. For password issues you must call or visit the Help Desk in person.