Frontrow Technology

Microsoft products

Windows Hello for Business — passwordless on Windows, explained

Windows Hello for Business is Microsoft's passwordless sign-in for Windows — a device-bound asymmetric credential unlocked by PIN or biometric, replacing passwords with a phishing-resistant factor.

Last reviewed 10 May 2026

What Windows Hello for Business is

Windows Hello for Business is the managed, enterprise mode of Windows Hello, Microsoft's biometric/PIN sign-in for Windows 10 and Windows 11. Under the bonnet, enrolment generates an asymmetric key pair on the device, with the private key held by the TPM (make the TPM a hard requirement in policy rather than allowing the software-key fallback), and registers the public key with Entra ID; in a hybrid key trust deployment Entra Connect also writes it to the user's Active Directory object. Sign-in is a challenge-response: Entra ID issues a nonce, the device signs it with the private key once the user has unlocked it locally with a biometric or PIN, and the biometric template and PIN never leave the device. The PIN is therefore not a password: it only unlocks a key on that one machine, and the TPM's anti-hammering limits guessing. There is no password on the wire, no shared secret on the server, and the credential cannot be exported to another machine, which is what makes it phishing-resistant and why it satisfies the built-in 'Phishing-resistant MFA' Conditional Access authentication strength.
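
To confirm the claims above on a real device, the following check script, written for this article (it is not Microsoft tooling), parses the text that `dsregcmd /status` prints and reports whether the signed-in user actually has a Hello key, whether the device registration key is TPM-protected, and whether a Primary Refresh Token (and, on hybrid devices using cloud Kerberos trust, the cloud and on-prem TGTs) was obtained. The field names are the ones `dsregcmd` prints; the sample status text is constructed for offline runs.

```powershell
# Added example for this article, not Microsoft tooling. Parses `dsregcmd /status` output and
# reports the Windows Hello for Business state of the current user/device.
# $SampleStatus below is constructed (abridged) sample text in the shape dsregcmd prints.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Data lines look like "   NgcSet : YES"; the "+---" rules and "| Section |" banners do not match.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    return $fields
}

function Test-WhfbState {
    param([Parameter(Mandatory)][hashtable]$Fields)
    $required = [ordered]@{
        AzureAdJoined = 'YES'  # Entra-joined or hybrid-joined; Entra-registered (BYOD) is not enough for WHfB
        TpmProtected  = 'YES'  # device registration key is held by the TPM (Microsoft Platform Crypto Provider);
                               # the Hello key's own TPM requirement is enforced by policy, not shown here
        NgcSet        = 'YES'  # the user has a Hello container and key pair (NGC = Next Generation Credential)
        AzureAdPrt    = 'YES'  # a Primary Refresh Token was issued; Conditional Access evaluates sign-ins against it
    }
    # Hybrid only: cloud Kerberos trust turns a partial TGT from Entra ID into a full on-prem TGT.
    if ($Fields['DomainJoined'] -eq 'YES') {
        $required['CloudTgt']  = 'YES'
        $required['OnPremTgt'] = 'YES'
    }
    $report = foreach ($name in $required.Keys) {
        [pscustomobject]@{
            Check    = $name
            Expected = $required[$name]
            Actual   = if ($Fields.ContainsKey($name)) { $Fields[$name] } else { '<missing>' }
            Pass     = ($Fields[$name] -eq $required[$name])
        }
    }
    return $report
}

# Constructed sample. A user who has not enrolled yet shows "NgcSet : NO" here and
# "PreReqResult : WillProvision" in the Ngc Prerequisite Check section.
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
                 OnPremTgt : YES
                  CloudTgt : YES
'@

$fields = ConvertFrom-DsregStatus -Lines ($SampleStatus -split "`r?`n")
# On a real device, in the user's own session (not an elevated prompt, which reports a different user):
# $fields = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
$report = Test-WhfbState -Fields $fields
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) { Write-Warning 'WHfB is not fully provisioned for this user/device.' }
```

Run it in the user's own session: `dsregcmd /status` reports on the calling user, so an elevated prompt under a different admin account shows that admin's Hello state, not the user's.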

Cloud trust vs key trust vs certificate trust

Three deployment models exist. Cloud Kerberos trust (generally available since 2022 and the model Microsoft now recommends) relies on a Microsoft Entra Kerberos server object in each on-prem domain, an RODC-style account that lets Entra ID issue a partial Kerberos TGT which the device then exchanges for a full TGT at a domain controller. It needs no user or domain controller certificates and no PKI, and it works for hybrid-joined devices and for Entra-joined devices that must reach on-prem resources. Two caveats: reaching those on-prem resources still needs line of sight to a domain controller, as with the other two models, and the Kerberos server key is a KDC key, so rotate it on the same cadence as krbtgt. Key trust is the older hybrid model: Entra Connect writes the user's public key back to the msDS-KeyCredentialLink attribute in Active Directory, the domain controllers must run Windows Server 2016 or later, and each DC needs a domain controller certificate from your PKI, so it avoids user certificates but not the PKI altogether. Certificate trust issues a user certificate from your internal PKI (hybrid certificate trust additionally requires AD FS); it is the heaviest to deploy and is worth it only where an application insists on a smart-card-style certificate logon. For an AU mid-market tenant with no smart-card estate, cloud Kerberos trust is the right answer; the other two remain supported but are only worth the effort for those specific requirements.
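
The one on-prem prerequisite cloud Kerberos trust has is the Entra Kerberos server object. The script below is an added example for this article, built on Microsoft's published `AzureADHybridAuthenticationManagement` cmdlets; the domain name and admin UPN are assumed values. It creates the object, verifies that the AD-side and Entra-side records agree, and shows the rotation switch a practitioner should schedule.

```powershell
# Added example for this article (Microsoft's published cmdlets; domain and UPN values are assumed).
# Run once per on-prem AD domain from a machine with line of sight to a domain controller, as a
# Domain Admin, signing in to Entra as a Hybrid Identity Administrator or Global Administrator.

Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber -Scope CurrentUser

$domain     = 'corp.example.com'                  # assumed: on-prem AD DNS name
$cloudAdmin = 'admin@example.onmicrosoft.com'     # assumed: cloud-only admin UPN (you will be prompted for MFA)
$domainCred = Get-Credential -Message 'On-prem Domain Admin credential'

# Creates the AzureADKerberos computer object (RODC-style) and the krbtgt_AzureAD account in AD,
# and registers the matching key with Entra ID so it can issue partial TGTs for this domain.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin -DomainCredential $domainCred

# Verify: the AD-side and Entra-side records should describe the same domain and key version.
$ks = Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin -DomainCredential $domainCred
$ks | Format-List Id, DomainDnsName, KeyVersion, KeyUpdatedOn, CloudId, CloudDomainDnsName, CloudKeyVersion
if ($ks.KeyVersion -ne $ks.CloudKeyVersion) {
    Write-Warning 'AD and Entra key versions differ; re-run Set-AzureADKerberosServer before enabling cloud trust.'
}

# Operational caveat: krbtgt_AzureAD is a KDC key. Rotate it on the same cadence as krbtgt, and
# immediately if a domain controller or the AD database is suspected compromised:
# Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin -DomainCredential $domainCred -RotateServerKey
```

With the object in place, the device side is a single Intune setting (Use Cloud Trust For On Prem Auth, under the PassportForWork CSP in the settings catalog) alongside the usual Windows Hello for Business enablement.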

Why WHfB matters for phishing-resistant MFA

Australian guidance (the ASD's Essential Eight from Maturity Level Two, and APRA's expectations for regulated entities) and Microsoft's own guidance now position phishing-resistant MFA as the baseline, and Windows Hello for Business is the cheapest, most widely deployed way to meet that bar because most fleets already own the hardware. With WHfB enrolled and a Conditional Access policy that requires the 'Phishing-resistant MFA' authentication strength, the common bypasses stop working: there is no push to fatigue, no OTP to relay, and an adversary-in-the-middle (AiTM) proxy page gets nothing reusable, because the device signs a server-issued nonce with a key that never leaves the TPM and the resulting token is bound to that device. Two caveats a practitioner should keep in mind: the policy only protects the apps and users it is scoped to, so a password-plus-push sign-in remains phishable anywhere the strength is not enforced; and the account still has a password until you remove or disable it, so WHfB shrinks the blast radius of a phished password rather than making the password irrelevant on its own. WHfB for users plus FIDO2 hardware keys for break-glass and privileged admin accounts covers most of the phishing-resistant MFA estate for the price of a handful of keys.

Prerequisites and rollout sequence

WHfB needs Windows 10 1809 or later or Windows 11 (Windows 10 left support in October 2025, so in practice this means Windows 11; cloud Kerberos trust needs Windows 10 21H2 or Windows 11 21H2 with the 2022 updates as a floor, and domain controllers on Windows Server 2016 or later with current patches), TPM 2.0 (effectively every business device sold since 2018; set the TPM as required in policy so no user silently gets a software-backed key), Intune for policy delivery, devices that are Entra-joined or hybrid-joined (Entra-registered BYOD devices do not qualify), Entra Connect sync for hybrid, and the Entra Kerberos server object created in each on-prem domain for cloud trust. Frontrow's rollout pattern: enable WHfB via Intune policy on a 20-device pilot, validate the PIN/biometric enrolment flow on each Windows build in scope, then after one week add a Conditional Access policy requiring phishing-resistant MFA for sensitive apps (admin portals, finance systems) in report-only mode, scoped to the pilot group and excluding the break-glass accounts. Review the report-only results for users who would have been blocked (typically people who skipped enrolment), enforce the policy once those are resolved, and expand it to all M365 sign-ins after a month of clean logs. Keep the policy's user scope tracking actual enrolment: once enforced, anyone in scope without a Hello key or FIDO2 key is locked out of the targeted apps.
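
The Conditional Access half of that sequence, as an added example for this article (Microsoft Graph PowerShell SDK cmdlets; the group names and policy name are assumed): create the phishing-resistant MFA policy for the pilot in report-only mode, read back the sign-ins it would have failed, and enforce it once that list is empty.

```powershell
# Added example for this article, not from the page. Microsoft Graph PowerShell SDK cmdlets with
# assumed group names ('WHfB Pilot', 'Emergency Access') and an assumed policy naming convention.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All', 'AuditLog.Read.All'

$pilotGroup      = Get-MgGroup -Filter "displayName eq 'WHfB Pilot'"          # assumed group
$breakGlassGroup = Get-MgGroup -Filter "displayName eq 'Emergency Access'"    # assumed group

# Built-in authentication strengths have fixed IDs in every tenant; ...0004 is "Phishing-resistant MFA"
# (Windows Hello for Business, FIDO2 security keys, certificate-based authentication).
$phishingResistantMfa = '00000000-0000-0000-0000-000000000004'

$policy = @{
    displayName = 'CA-Pilot-PhishingResistantMFA-AdminPortals'    # assumed naming convention
    state       = 'enabledForReportingButNotEnforced'             # report-only first; nobody is blocked yet
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroup.Id)
            excludeGroups = @($breakGlassGroup.Id)   # break-glass accounts never sit inside an MFA policy
        }
        applications = @{
            includeApplications = @('MicrosoftAdminPortals')   # Entra's built-in "Microsoft Admin Portals" target
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantMfa }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# After the pilot week: sign-ins the policy would have failed, i.e. users without a phishing-resistant method.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$wouldFail = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq 'reportOnlyFailure' }
    }
$wouldFail | Group-Object UserPrincipalName | Select-Object Name, Count | Sort-Object Count -Descending

# Only when $wouldFail is empty (or everyone on it has since enrolled): enforce the policy.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Widening the policy later is a matter of replacing `includeGroups` with `includeUsers = @('All')` and `includeApplications` with `@('All')` in a second, separately piloted policy; keep the break-glass exclusion on every copy.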

Want Frontrow to walk this through with your team?

30 minutes. No deck. We'll walk through your tenant, your priorities, and the next sensible move.