Tillmann Oßwald

Tillmann Oßwald is a security researcher and Windows System Analyst at ERNW GmbH, where he has worked since 2015. He holds a master's degree in informatics with a specialization in security from the University of Applied Sciences Darmstadt. Tillmann has worked on numerous penetration testing and security assessment projects, ranging from large cloud infrastructure to tiny IoT devices. Lately, his focus has shifted to reverse engineering different Windows components. He enjoys discussing Windows internals, tracing approaches and security, and sharing his knowledge. Currently, he is focusing on analyzing components of the Windows operating system.


Session

06-25
16:45
60min
Authenticating through Windows Hello for Business, a reverse engineering story
Dr. Baptiste David, Tillmann Oßwald

Windows Hello for Business (WHfB) plays a central role in Microsoft’s initiative toward passwordless authentication. It enables user authentication not only during system logon but also across emerging features such as Personal Data Encryption, Administrator Protection, and Recall. Rather than depending on traditional passwords, Windows Hello employs a PIN or biometric methods (such as fingerprint or facial recognition) to unlock cryptographic keys secured by the Trusted Platform Module (TPM).

This presentation is supported by extensive reverse engineering of WHfB. We analyze the mechanisms behind biometric facial recognition; whereas previous research has primarily addressed the outer layers of the biometric service, our work offers an in-depth examination of the biometric unit itself and highlights how weaknesses within the biometric storage subsystem can compromise domain security. We demonstrate that the architecture of WHfB places the fundamental safeguard of local device security - biometric data - at risk. Consequently, this undermines a core principle of domain security: the assurance of secure authentication.

We demonstrate how the integrity and confidentiality of biometric data are enforced and how these protections can be circumvented, granting the ability both to view and to modify biometric data. Nonetheless, we aim to offer practical value and conclude with guidance on configuration and monitoring strategies to help detect and mitigate these issues.

Active Directory & Entra ID Security
Track 2 (AD & Entra ID Sec)