Overview
Individual UC San Diego departments can decide whether to enable Windows Hello for Business as a strong‑authentication option for devices that access Active Directory (AD) or Entra ID resources. This applies to all faculty, staff, students, and affiliates using UC San Diego managed Windows devices that are joined to AD or Entra ID.
Critical Concepts
- Windows Hello for Business (WHFB): a per-device public/private key credential whose private key is protected by the device's TPM and unlocked with a PIN or biometric gesture. It replaces the password for device sign-in and for authentication to AD and Entra ID resources; the PIN and biometric data stay on the device and are never sent over the network.
- Active Directory (AD): the on-premises directory used for traditional UC San Diego services (VPN, RESNET-PROTECTED Wi-Fi, etc.).
- Entra ID: Microsoft's cloud identity platform supporting Exchange Online, Microsoft Teams, and other SaaS applications.
Steps to Take
Optional Adoption
- Each department may elect to enable WHFB for its users. The decision is documented in the department’s technology plan and communicated to its constituents.
- Departments that do not adopt WHFB must continue to use standard password‑based authentication.
Device Management Requirement
Authentication Coverage
- AD-joined devices: WHFB replaces the AD password for local log-on. The domain controller validates the Windows Hello credential using the trust model the department deploys (key, certificate, or cloud Kerberos trust, each of which requires domain controllers that support it) and issues Kerberos tickets, so Kerberos/NTLM authentication to AD-protected services continues to work without the user typing a password.
- Entra ID-joined devices: WHFB is used for cloud sign-in to Entra ID and for Single Sign-On to Office 365 and other SaaS applications; after sign-in the device holds a Primary Refresh Token, so the PIN or biometric is not re-entered for each application.
Security Alignment
- WHFB satisfies UC San Diego's Multi-Factor Authentication (MFA) requirement because it combines "something you have" (the private key bound to the device's TPM) with "something you know" (the PIN) or "something you are" (a biometric). The PIN only unlocks the key locally and is never transmitted, so it is not a password even though it is typed.
- Devices must retain the university‑required security posture (e.g., up‑to‑date OS, enabled firewall, approved antivirus).
Roles & Responsibilities
- Department Technology Leads: Determine WHFB adoption, update the department’s security documentation, and ensure users receive guidance on enrollment and use.
- ITS Security Team: Publish and maintain the WHFB guidance.
- ITS Intune Team: Provide the Intune enrollment guidance and monitor compliance through Intune dashboards.
- End Users: If the department opts‑in, follow their department’s provided steps and configure WHFB; otherwise, continue using password credentials.
Support
- Users adopting WHFB may contact their department’s IT support for enrollment assistance, credential reset, or device loss reporting.
- Department IT support staff may contact the ITS Service Desk for escalated Intune assistance or end-user device troubleshooting.
- Documentation for checking Intune enrollment and troubleshooting is available in the IT Services guide "How to Check for Mobile Device Management (MDM)".
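For department IT staff who want a concrete check of the state this notice refers to (directory join and MDM enrollment, a ready TPM, and whether Windows Hello for Business has actually been provisioned for the user), the following PowerShell script is an added example; it is not part of this notice or of the IT Services guides it references. The function names are assumed for illustration; the field names it reads (DomainJoined, AzureAdJoined, MdmUrl, NgcSet, PreReqResult) are the labels that dsregcmd /status prints. Run it as the signed-in user, since dsregcmd reports Windows Hello state for the interactive session, and run it elevated if you want the TPM result.

```powershell
# Added example, not part of the UC San Diego notice: summarize a Windows device's
# directory join, Intune (MDM) enrollment and Windows Hello for Business state
# by parsing the output of dsregcmd /status and Get-Tpm.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines grouped under bannered sections.
    # Collect every pair into a hashtable; the fields used below have unique keys.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status 2>&1)) {
        if ("$line" -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-WhfbReadiness {
    param([hashtable]$State = (Get-DsregStatus))

    # Get-Tpm needs an elevated session; report "unknown" rather than fail without it.
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }
    $tpmOk = if ($tpm) { [bool]($tpm.TpmPresent -and $tpm.TpmReady) } else { 'unknown (run elevated)' }

    [pscustomobject]@{
        DomainJoined    = $State['DomainJoined']  -eq 'YES'
        EntraIdJoined   = $State['AzureAdJoined'] -eq 'YES'   # dsregcmd still uses the AzureAd field names
        MdmEnrolled     = -not [string]::IsNullOrWhiteSpace($State['MdmUrl'])
        TpmReady        = $tpmOk
        WhfbProvisioned = $State['NgcSet'] -eq 'YES'          # Ngc = the Windows Hello key container
        PrereqResult    = $State['PreReqResult']              # WillProvision / WillNotProvision; shown until provisioned
    }
}

Test-WhfbReadiness | Format-List
```

A device that is ready for WHFB shows DomainJoined or EntraIdJoined as True, MdmEnrolled as True, TpmReady as True and either WhfbProvisioned True or PrereqResult WillProvision; a WillNotProvision result means one of the prerequisites printed in the "Ngc Prerequisite Check" section of dsregcmd /status (for example the policy not being enabled, or the session being remote) is blocking enrollment, and that section is the first place to look when troubleshooting.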
Review & Revision
- This notice is reviewed when major changes occur to AD, Entra ID, or Windows Hello technology. Departments must re‑evaluate their adoption status during each review.