
Enable Windows Hello to support device passkeys for Enthuse Identity

How to enable Windows Hello to support device passkeys for Enthuse Identity

Written by Rishika Bhalla

Why device passkeys might be blocked

Some organisations don’t have Windows Hello (or Windows Hello for Business) turned on for staff devices. When it’s disabled, Windows can prevent the browser from using the built-in security feature that creates and uses device passkeys.

If Windows Hello isn’t available, users can still sign in using:

  • Mobile passkeys (on a phone)

  • Magic links & MFA (sent by email)

But enabling Windows Hello gives Enthuse’s users the smoothest and most secure sign-in experience: it’s faster than entering a password or using MFA.


Why allowing passkeys is worth it

Passkeys are the “gold standard” because they stop phishing

Passwords can be:

  • stolen in a data breach

  • reused across sites

  • guessed or cracked

  • tricked out of users, such as through an email phishing scam

Passkeys work differently. Users don’t type a password. Instead, the device proves it’s really the user, using strong built-in security (like a Windows Hello PIN or biometrics).

Passkeys are also faster and easier to use. Signing in is just a quick face/fingerprint/PIN check; no typing long passwords, no resetting forgotten passwords, and fewer login interruptions.

Note: Passkeys are tied to the real website. Even if someone builds a convincing fake login page, a passkey won’t work on the wrong site. That’s a big reason passkeys are seen as the modern, phishing-resistant standard.

Passkeys are safe because the “secret” doesn’t leave the device

With a device passkey:

  • The sensitive part stays on the user’s device

  • The service (Enthuse Identity) stores only what it needs to verify sign-in

  • There’s no password stored that can be copied and reused elsewhere


Will this interfere with other SSO/MFA tools?

No. Enabling Windows Hello so staff can use device passkeys for Enthuse does not turn off or weaken your existing controls.

Windows Hello is a local sign-in method that unlocks secure keys on the device. It:

  • doesn’t disable your identity provider

  • doesn’t remove MFA requirements you already enforce

  • doesn’t change Conditional Access / device compliance policies

It simply allows the device to act as a secure authenticator when a user chooses to use a passkey. You’re adding a safer option for your organisation, not replacing your current security setup.


Check if you are able to enable Windows Hello

Sometimes you'll be able to enable Windows Hello without asking your IT teams.
To check, follow these steps to set up Windows Hello.


1. Select Start on your computer and select Settings > Accounts > Sign-in options.

2. Under Ways to sign in, you'll see three choices to sign in with Windows Hello:

  • Select Facial recognition (Windows Hello) to set up facial recognition sign-in with your PC's infrared camera or an external infrared camera.

  • Select Fingerprint recognition (Windows Hello) to set up sign-in with a fingerprint reader.

  • Select PIN (Windows Hello) to set up sign-in with a PIN.

Learn more here


What you need to enable and allow

1) Enable Windows Hello / Windows Hello for Business

Make sure Windows Hello is allowed and set up for users (commonly via Intune/MDM or Group Policy).

Typical requirements:

  • Windows Hello (PIN/biometric) permitted

  • WHfB configured where applicable

  • TPM available/required (based on your policy)

Tip: When you enable Windows Hello for passkeys, allow all Windows Hello sign-in options where possible (for example: PIN, fingerprint, and face recognition). This gives users a reliable fallback. If a device doesn’t support biometrics (or biometrics aren’t available), they can still sign in quickly and securely using a PIN.

2) Allow passkeys (WebAuthn) in supported browsers

Device passkeys on Windows generally rely on:

  • Microsoft Edge or Google Chrome (modern versions)

  • WebAuthn/passkeys not blocked by browser policy

3) Allow the “platform authenticator”

Some environments block built-in authenticators (like Windows Hello) while allowing external security keys. If that’s the case, allow the platform authenticator so users can create/use device passkeys.

4) Be aware of common blocked setups

Device passkeys can be affected by:

  • Remote desktop / VDI environments

  • locked-down sign-in options / biometric restrictions

  • older Windows builds or restricted TPM access
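
To confirm which of the items above is blocking device passkeys on a given machine, the following check can be pasted into the browser's developer console on an HTTPS page in Edge or Chrome. It is an added example, not Enthuse code: it uses the standard WebAuthn call PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable(), while the function names and result labels are assumptions made for this illustration.

```javascript
// Added diagnostic example (not Enthuse code); function names and result
// labels are made up for this illustration.

// Collect the signals the browser exposes about passkey support.
// `env` is normally `window`; a plain object can be passed for testing.
async function probePasskeySupport(env) {
  const pkc = env.PublicKeyCredential;
  const signals = {
    secureContext: env.isSecureContext === true,
    webauthnApi:
      typeof pkc === "function" || (typeof pkc === "object" && pkc !== null),
    platformAuthenticator: false,
  };
  if (signals.webauthnApi &&
      typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === "function") {
    try {
      // Resolves to true only when a built-in authenticator with user
      // verification (on Windows: Windows Hello) is usable right now.
      signals.platformAuthenticator =
        (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
    } catch (err) {
      signals.platformAuthenticator = false; // treat errors as "not available"
    }
  }
  return signals;
}

// Map the signals to the part of the checklist to look at first.
function classifyPasskeySupport(s) {
  if (!s.secureContext) return "insecure-context";
  if (!s.webauthnApi) return "webauthn-unavailable";
  if (!s.platformAuthenticator) return "platform-authenticator-unavailable";
  return "device-passkeys-available";
}

const NEXT_STEP = {
  "insecure-context": "Run the check on an HTTPS page; WebAuthn needs a secure context.",
  "webauthn-unavailable": "Check the browser version and browser policy (step 2).",
  "platform-authenticator-unavailable":
    "Check that Windows Hello is allowed and set up (steps 1 and 3) and the setups in step 4.",
  "device-passkeys-available": "The browser can reach Windows Hello for device passkeys.",
};

// In a browser console this prints the result; outside a browser it does nothing.
if (typeof window !== "undefined") {
  probePasskeySupport(window).then((s) => {
    const result = classifyPasskeySupport(s);
    console.log(result, "-", NEXT_STEP[result], s);
  });
}
```

A result of "platform-authenticator-unavailable" on a device where users have already set up a Windows Hello PIN points to policy or environment restrictions rather than a missing user setup.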
