Windows Hello for Business Authentication Certificate Lifecycle

Renewal of the certificate will occur in the background automatically when the certificate nears the expiration period. But for the certificate to renew, it requires the user to be logged in to the machine. If the user misses the renewal period for some reason, the certificate will reach expiration.

During Windows Hello for Business Authentication certificate renewal, only the certificate information is updated (such as validity notBefore and notAfter) and asymmetric keys are not regenerated.

When the automatic renewal does not occur during the renewal period for some reason, the certificate will expire. But users should be able to log on to their machine using the Windows Hello credential for the first time after certificate reaches the expiration. After successful login, the operating system will try to re-issue the certificate in the background. If the user logs out of the machine before this takes place, the user will not be able to login using their Windows Hello credential, with a screen like below.

The user will need to login using Active Directory credential if this happens, but Windows Hello credential should be re- issued after some time automatically after successful login.

During re-issuance, only the certificate information is updated (such as validity notBefore and notAfter) and asymmetric keys are not regenerated.

When Windows Hello for Business Authentication certificate is revoked, the user will not be able to log in using their Windows Hello credential, with a screen like below.

The timing in which OS identifies that the certificate is revoked depends on the update time of CRL or OCSP, so it may not be reflected immediately after the certificate is revoked.

The user will need to reset Windows Hello credential by such method as using “I forgot my PIN” in the login screen. See below Reset for more details.

When the user resets their Windows Hello credential such as using “I forgot my PIN” in the login screen, the user will be re-provisioned, and the certificate will be issued again. Asymmetric keys will be regenerated, and the new certificate will be issued. However, this will not revoke the previous user certificate on DigiCert® Trust Lifecycle Manager.