Microsoft Releases Security Advisory for Windows Hello for Business – 3rd Dec 2019

How does Windows Hello for Business work? It lets Windows 10 users whose devices have fingerprint readers or special cameras log into Windows via fingerprint or facial recognition.

Use cases: Client systems joined to Kerberos-based domains such as Active Directory (AD) can use Windows Hello for Business authentication to replace password-based authentication and still get full single sign-on (SSO) access to the domain's resources.

Vulnerability details: An authenticated attacker could obtain orphaned keys that were created on TPMs affected by a design vulnerability. The attacker could then impersonate a user by using the stolen private key to authenticate as that user within the domain via Public Key Cryptography for Initial Authentication (PKINIT).

Remark: PKINIT provides a method to use Kerberos for authentication and obtain a Kerberos Ticket Granting Ticket (TGT) during that authentication, so that network resources can then be accessed with Kerberos/GSSAPI.
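Because a stolen orphaned key is used through an ordinary PKINIT TGT request, the defender's view of this abuse is a certificate-based Kerberos logon with a key that should no longer be in service. The following is an added example (my own, not code from the advisory or from Microsoft) that triages Kerberos TGT request records and flags PKINIT logons whose certificate thumbprint is not on an allow-list of currently enrolled Windows Hello for Business keys. The record layout is a constructed imitation of the key/value fields of Windows Security event 4768, the sample events and thumbprints are invented, and the allow-list of known-good keys is assumed to be something the defender maintains after re-enrolling keys.

```python
"""
Added example: flag PKINIT (certificate-based) Kerberos TGT requests whose
certificate is not on the list of currently enrolled Windows Hello for
Business keys. Sample data and the allow-list are constructed for the demo.
"""
import re
from typing import Dict, List, Set, Tuple

# Pre-authentication type 16 is PA-PK-AS-REQ (RFC 4556), i.e. a PKINIT request.
PA_PK_AS_REQ = "16"

# Constructed sample records that imitate the key/value layout of Windows
# Security event 4768 (Kerberos TGT requested). Not real telemetry.
SAMPLE_EVENTS = """\
EventID: 4768
Account Name: alice
Supplied Realm Name: CORP.EXAMPLE
Client Address: ::ffff:10.0.0.21
Pre-Authentication Type: 16
Certificate Thumbprint: A1B2C3D4E5F60718293A4B5C6D7E8F9012345678
Result Code: 0x0

EventID: 4768
Account Name: bob
Supplied Realm Name: CORP.EXAMPLE
Client Address: ::ffff:10.0.0.77
Pre-Authentication Type: 16
Certificate Thumbprint: 0F1E2D3C4B5A69788796A5B4C3D2E1F000112233
Result Code: 0x0

EventID: 4768
Account Name: carol
Supplied Realm Name: CORP.EXAMPLE
Client Address: ::ffff:10.0.0.5
Pre-Authentication Type: 2
Certificate Thumbprint: -
Result Code: 0x0
"""

# Hypothetical allow-list: thumbprints of Windows Hello for Business keys that
# were (re)enrolled after the orphaned-key clean-up. Maintained by the defender.
KNOWN_GOOD_THUMBPRINTS: Set[str] = {"A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"}

_FIELD = re.compile(r"^([^:]+):\s*(.*)$")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split text into blank-line-separated records and parse 'Key: value' lines."""
    events: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record: Dict[str, str] = {}
        for line in block.splitlines():
            m = _FIELD.match(line.strip())
            if m:
                record[m.group(1).strip()] = m.group(2).strip()
        if record:
            events.append(record)
    return events


def pkinit_tgt_requests(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep successful TGT requests that used certificate (PKINIT) pre-authentication."""
    return [
        e for e in events
        if e.get("EventID") == "4768"
        and e.get("Pre-Authentication Type") == PA_PK_AS_REQ
        and e.get("Result Code") == "0x0"
    ]


def flag_unknown_keys(events: List[Dict[str, str]],
                      allowlist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (account, thumbprint, client) for PKINIT logons whose certificate
    is not on the allow-list; these are the records to review for orphaned-key use."""
    known = {t.upper() for t in allowlist}
    flagged: List[Tuple[str, str, str]] = []
    for e in pkinit_tgt_requests(events):
        thumb = e.get("Certificate Thumbprint", "").upper()
        if thumb not in known:
            flagged.append((e["Account Name"], thumb, e.get("Client Address", "")))
    return flagged


if __name__ == "__main__":
    hits = flag_unknown_keys(parse_events(SAMPLE_EVENTS), KNOWN_GOOD_THUMBPRINTS)
    for account, thumb, client in hits:
        print(f"review: {account} obtained a TGT via PKINIT with unlisted key {thumb} from {client}")
```

Run as-is, the script reports only bob's logon: alice's key is on the allow-list, and carol's request used a non-PKINIT pre-authentication type, so neither is flagged. In practice the allow-list would be derived from the keys that remain registered for users after the orphaned keys have been cleaned up, and a hit means the account, the client address and the key's provenance deserve a closer look.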

Official details: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190026