Introduction
In this article we discuss the passwordless authentication features of Microsoft Windows Hello for Business and walk through deploying it for an organisation that uses cloud-only identities. We cover the technical details and benefits of Windows Hello for Business, specifically for tenants with Entra-only identities and Microsoft Intune for device management.
Microsoft Journey to Passwordless Authentication
Microsoft is working to end the era of passwords for organisations and follows a four-step approach to get there. The first step is to deploy Windows Hello for Business or FIDO2 security keys as an alternative to passwords. The second is to reduce the password surface area by eliminating password prompts and deconditioning users from typing passwords. The third is to transition users into a passwordless environment where they never type, change, or know their passwords. In the final step passwords no longer exist, and identity directories no longer store any form of password. Becoming passwordless is a gradual process that varies for each organisation.
What is Windows Hello for Business?
Windows Hello for Business is Microsoft's passwordless authentication solution. It lets users sign in to Windows without a traditional password, using an Active Directory or Microsoft Entra account.
It combines hardware and software for secure authentication. During provisioning the device generates an asymmetric key pair whose private key is protected by the TPM, and the public key is registered with the identity provider. For Entra-only identities the device authenticates to Microsoft Entra ID with that key, not with a certificate. Users unlock the key with a biometric gesture (fingerprint, facial or iris recognition) or a PIN. The PIN and biometric data never leave the device: they are used only locally to unlock the private key and are not sent to Entra ID or any other service.
Benefits
Windows Hello for Business protects against credential theft by requiring both the device and a biometric or PIN to sign in. The credential is an asymmetric key pair generated inside the TPM and bound to the device, so there is no shared secret to phish: a PIN or gesture is useless on another machine, and a breach of the identity provider yields only public keys. Authentication is a challenge-response over that key, which resists replay, and the TPM's anti-hammering protection throttles PIN brute-force attempts. Because the credential lives on the device the user already carries, there is nothing separate to lose, and the PIN is always available as a fallback when a biometric sensor is missing or fails.
Practical Example
In this scenario I have set up a Microsoft 365 tenant to simplify the Windows Hello for Business deployment, and I have also implemented a baseline security policy. To make it easier to follow, I have made a short video showing the current state of the tenant. In this video you will see:
- M365 Organisation Name
- Licenses and Subscriptions
- Registered domains
- Authentication Methods | Policies
- Authentication methods | Password protection
- Password reset | Properties
- Password reset | Authentication methods
- Password reset | Registration
- Password reset | Notifications
- Org settings | Security & Privacy | Password expiration policy
- Org settings | Security & Privacy | Pronouns
- Multifactor Authentication | Service Settings
- Devices | Enrollment | Automatic Enrollment
- Devices | Enrollment | Enrollment notifications settings
- Devices | Compliance | Policies
- Devices | Conditional access | Policies
- Devices | Conditional Access | Named locations
Implementation Steps
There are multiple ways to enable and configure Windows Hello for Business. This demonstration focuses on two of them:
- Enable and Configure Windows Hello for Business with Intune Device Configuration Profile.
- Enable and Configure Windows Hello For Business at the Tenant-Level.
Enable and Configure Windows Hello for Business with Intune Device Configuration Profile
With this approach the admin pushes Windows Hello for Business policy settings to Windows 10/11 devices enrolled in Intune. When you create a device configuration profile there are two profile types to choose from. The first is the Settings catalog, which lets you build a profile from scratch by picking individual settings. The second is a pre-configured Template, which is useful for administrators who don't want to assemble the policy manually.
In this demo we choose the Template type to build a Windows Hello for Business policy and push it quickly to a set of users.
To create a policy, sign in to the Microsoft Intune admin center and navigate to Devices -> Manage devices -> Configuration.
After selecting the Template, fill in the details in each section to complete the creation process, adjusting the setting values to the specific needs of your business.
I've set up a policy to push the WHfB settings to a specific security group. Details are below. Two of the values deserve a second look before you copy them: a minimum PIN length of 4 is the Windows default, and many organisations raise it to 6 or more; and a 90-day PIN expiration forces users to rotate a secret that never leaves the TPM, so consider whether it buys anything against your threat model.
Basics

| Field | Value |
|---|---|
| Name | Windows Hello for Business Version 0.1 |
| Description | This policy is created to push Windows Hello for Business to all employees' devices in the myforest3 organisation |
| Platform | Windows 10 and later |
| Profile type | Identity protection |
Configuration Settings

| Setting | Value |
|---|---|
| Configure Windows Hello for Business | Enable |
| Minimum PIN length | 4 |
| Maximum PIN length | 10 |
| Lowercase letters in PIN | Allowed |
| Uppercase letters in PIN | Allowed |
| Special characters in PIN | Allowed |
| PIN expiration (days) | 90 |
| Remember PIN history | 5 |
| Enable PIN recovery | Enable |
| Use a Trusted Platform Module (TPM) | Enable |
| Allow biometric authentication | Enable |
| Use enhanced anti-spoofing, when available | Enable |
| Certificate for on-premise resources | Not Configured |
| Use security keys for sign-in | Not Configured |
Assignments

| Assignment | Group |
|---|---|
| Included groups | Windows Hello For Business Devices |
| Excluded groups | Not Applicable |

The video below shows exactly how to create a WHfB policy in the admin center.
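The same profile can be created and assigned without clicking through the portal. The following script is an added example, not code from the original post or from Microsoft, that builds the Identity protection profile with the values from the tables above through Microsoft Graph PowerShell and assigns it to the "Windows Hello For Business Devices" group. It assumes the Microsoft.Graph PowerShell SDK (v2, for `-NoWelcome`) is installed, that the signed-in admin can consent to the `DeviceManagementConfiguration.ReadWrite.All` and `Group.Read.All` scopes, and that the beta resource type `windowsIdentityProtectionConfiguration` and its property names match the Graph reference; check the property names against the reference before running it against a production tenant.

```powershell
# Added example (not from the original post): create the "Identity protection"
# device configuration profile from the tables above and assign it to the
# "Windows Hello For Business Devices" group via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph SDK v2 installed; the caller can consent to the
# scopes below; the beta type windowsIdentityProtectionConfiguration and its
# property names are as documented in the Graph reference (verify first).
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups

$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All' -NoWelcome

$groupName = 'Windows Hello For Business Devices'   # assignment group from the post

# Values mirror the post's configuration table.
$whfbProfile = @{
    '@odata.type'                                = '#microsoft.graph.windowsIdentityProtectionConfiguration'
    displayName                                  = 'Windows Hello for Business Version 0.1'
    description                                  = "This policy is created to push Windows Hello for Business to all employees' devices in the myforest3 organisation"
    windowsHelloForBusinessBlocked               = $false    # "Configure Windows Hello for Business: Enable"
    securityDeviceRequired                       = $true     # "Use a Trusted Platform Module (TPM): Enable"
    pinMinimumLength                             = 4
    pinMaximumLength                             = 10
    pinLowercaseCharactersUsage                  = 'allowed'
    pinUppercaseCharactersUsage                  = 'allowed'
    pinSpecialCharactersUsage                    = 'allowed'
    pinExpirationInDays                          = 90
    pinPreviousBlockCount                        = 5        # "Remember PIN history"
    pinRecoveryEnabled                           = $true
    unlockWithBiometricsEnabled                  = $true
    enhancedAntiSpoofingForFacialFeaturesEnabled = $true
    # Certificate for on-premise resources / security keys left not configured, as in the post.
}

# Practitioner checks before anything is written to the tenant.
if ($whfbProfile.pinMinimumLength -lt 4 -or $whfbProfile.pinMaximumLength -gt 127) {
    throw 'PIN length must lie between 4 and 127.'
}
if ($whfbProfile.pinMinimumLength -lt 6) {
    Write-Warning "pinMinimumLength is $($whfbProfile.pinMinimumLength) (the Windows default); consider 6 or more."
}

# Resolve the target group; fail loudly rather than creating an unassigned profile.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Top 1
if (-not $group) { throw "Group '$groupName' not found." }

# Create the profile. The Identity protection template lives on the beta endpoint.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body ($whfbProfile | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign it to the included group only; no exclusions, matching the post's Assignments table.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.Id } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created profile $($created.id) and assigned it to '$groupName' ($($group.Id))."
```

Keeping the settings in a hashtable makes the policy reviewable in source control, and the guard clauses run before any write, so a typo in the PIN bounds fails locally instead of producing a half-configured profile in the tenant.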
End-user Experience for Entra-joined/Intune-enrolled devices
We have created a Windows Hello for Business device configuration policy and assigned it to the devices' security group. For the demo we use a Windows 11 virtual machine. Although the VM doesn't support biometric gestures, users can still provision a PIN, because the PIN alone is enough to unlock the TPM-protected key. I have recorded a video showing how users set up a PIN once the policy reaches their device.
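Beyond watching the PIN prompt appear, it is worth confirming on the client that provisioning actually completed and, if it did not, why. The script below is an added example, not part of the original post, and uses only built-in Windows tooling: it parses `dsregcmd /status` for the join, TPM, PRT and NGC (Windows Hello) state, and pulls the provisioning decisions from the User Device Registration event log (event 358: provisioning will be launched; 360: provisioning will not be launched, with the failed preconditions listed in the message; 300: the NGC key was registered). Run it as the signed-in user on the Entra-joined device; reading the Admin log may require local administrator rights. The function names are my own.

```powershell
# Added example (not from the original post): verify on an Entra-joined Windows 11
# client that Windows Hello for Business has provisioned for the signed-in user.
# Uses dsregcmd and the User Device Registration event log only.

function Get-DsregState {
    # Parse the "Key : Value" lines of `dsregcmd /status` into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-WhfbProvisioned {
    param([hashtable]$State = (Get-DsregState))

    # Preconditions the provisioning flow needs, plus the outcome (NgcSet).
    $checks = [ordered]@{
        'Device is Entra-joined (AzureAdJoined)'        = $State['AzureAdJoined'] -eq 'YES'
        'TPM-protected device key (TpmProtected)'       = $State['TpmProtected']  -eq 'YES'
        'User has a Primary Refresh Token (AzureAdPrt)' = $State['AzureAdPrt']    -eq 'YES'
        'WHfB key provisioned (NgcSet)'                 = $State['NgcSet']        -eq 'YES'
    }
    foreach ($name in $checks.Keys) {
        $status = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ('{0,-4} {1}' -f $status, $name)
    }
    if ($State['NgcKeyId']) { Write-Host "     NgcKeyId: $($State['NgcKeyId'])" }

    # Only the boolean goes to the pipeline, so callers can branch on it.
    return -not ($checks.Values -contains $false)
}

function Get-WhfbProvisioningEvents {
    # 358 = provisioning will be launched, 360 = will not be launched (reasons in
    # the message body), 300 = NGC key successfully registered.
    param([int]$Last = 10)
    Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents 200 |
        Where-Object Id -In 300, 358, 360 |
        Select-Object -First $Last TimeCreated, Id, Message
}

if (-not (Test-WhfbProvisioned)) {
    Write-Warning 'Windows Hello for Business is not provisioned. Most recent provisioning decisions:'
    Get-WhfbProvisioningEvents | Format-Table -AutoSize -Wrap
}
```

A `FAIL` on `AzureAdPrt` with `AzureAdJoined` passing usually means the user signed in with a local or cached credential rather than the Entra account; the 360 event lists exactly which precondition blocked provisioning, which is far quicker than re-running the out-of-box experience.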
Enable and Configure Windows Hello For Business at the tenant-level
If you plan to configure Windows Hello for Business at the tenant level, keep the following in mind:
- A tenant-wide policy does not affect devices that have already enrolled and provisioned Windows Hello for Business.
- The policy applies only to supported Windows 10/11 devices.
- The tenant-wide policy is applied to Windows 10/11 devices at the time they are enrolled into the organisation; it is an enrollment-time setting rather than an ongoing configuration.
- If you want to roll out a passwordless solution (WHfB) across the organisation quickly, this approach works well. Once enrollment is complete you can disable the tenant-wide policy: devices already enrolled keep their Windows Hello for Business configuration, while devices enrolled afterwards will not be prompted to provision it. This saves time and effort for both users and administrators.
- A Microsoft Entra ID P1/P2 subscription is not required to implement Windows Hello for Business (Intune licensing is still needed for the Intune policies described here).
- The default Windows Hello for Business configuration is applied with the lowest priority to all users, regardless of group membership.
Let's set up Windows Hello for Business for the entire organisation, myforest3.com, by configuring it at the tenant level.
To do that, sign in to the Microsoft Intune admin center and navigate to Devices -> Device onboarding -> Enrollment -> Windows -> Enrollment options -> Windows Hello for Business.
You might ask whether this policy includes all the options available in the device configuration profile. Almost: the exceptions are Enable PIN recovery, Allow phone sign-in and Enable enhanced sign-in security.
To set up Windows Hello for Business tenant-wide, follow the video tutorial below, which walks through the necessary steps.
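The tenant-wide policy is a different object from the device configuration profile: it is a single enrollment configuration that already exists in every tenant and is updated in place rather than created and assigned. The script below is an added example, not code from the original post or from Microsoft, that locates that object through Microsoft Graph, prints its current state and priority (the default configuration carries the lowest priority, as noted above), and then enables it with the PIN settings used earlier. Setting `$desiredState` to `'disabled'` performs the reversal described in the considerations list. It assumes the Microsoft.Graph PowerShell SDK v2, the `DeviceManagementServiceConfig.ReadWrite.All` scope, and that the resource type `deviceEnrollmentWindowsHelloForBusinessConfiguration` and its property names match the Graph reference; verify those names before running.

```powershell
# Added example (not from the original post): read and update the tenant-wide
# Windows Hello for Business enrollment configuration via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK v2; DeviceManagementServiceConfig.ReadWrite.All;
# the deviceEnrollmentWindowsHelloForBusinessConfiguration type and property names
# are as documented in the Graph reference (verify first).
#Requires -Modules Microsoft.Graph.Authentication

$ErrorActionPreference = 'Stop'
$desiredState = 'enabled'      # 'disabled' stops newly enrolling devices from provisioning WHfB

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' -NoWelcome

# The tenant-wide policy is one of the enrollment configurations; select it by type.
$configs = (Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations').value
$whfb = $configs | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration'
}
if (-not $whfb) { throw 'No tenant-wide Windows Hello for Business configuration found.' }

"Current state: $($whfb.state); priority: $($whfb.priority); id: $($whfb.id)"

# Same PIN settings as the device configuration profile. PIN recovery, phone sign-in
# and enhanced sign-in security are not part of this object, as the post notes.
$update = @{
    '@odata.type'               = '#microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration'
    state                       = $desiredState
    securityDeviceRequired      = $true
    pinMinimumLength            = 4
    pinMaximumLength            = 10
    pinLowercaseCharactersUsage = 'allowed'
    pinUppercaseCharactersUsage = 'allowed'
    pinSpecialCharactersUsage   = 'allowed'
    pinExpirationInDays         = 90
    pinPreviousBlockCount       = 5
    unlockWithBiometricsEnabled = $true
    enhancedBiometricsState     = 'enabled'   # enhanced anti-spoofing
}

# PATCH updates the existing singleton; a successful call returns no body.
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($whfb.id)" `
    -Body ($update | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Tenant-wide Windows Hello for Business configuration set to '$desiredState'."
```

Because the change only takes effect for devices enrolled after it is applied, re-running the GET afterwards confirms the stored state but says nothing about existing devices; use the client-side check from the previous section for those.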
End-user Experience during device onboarding
The short video below shows the Windows 11 Out-Of-Box Experience on a virtual machine that has been set up to match the experience of a physical computer.
Conclusion
Windows Hello for Business is Microsoft's authentication solution for secure, passwordless sign-in on Windows 10/11 devices. With Windows Hello you can sign in with a look or a touch, using biometric technologies such as facial recognition, iris recognition and fingerprint scanning. Biometric sign-in needs a compatible sensor: an infrared camera or fingerprint reader on a PC, or the iris scanner on HoloLens 2. Devices without a sensor can still use Windows Hello for Business with a PIN, as the virtual machine in the demo did.
When buying hardware, choose vendors whose devices ship with integrated Windows Hello-compatible cameras or fingerprint readers that reliably recognise the user's biometric features. With Windows Hello for Business, users get a more secure and efficient sign-in experience without having to remember complex passwords or worry about those passwords being phished or breached.
Thanks for reading my post! If you liked it, don’t forget to subscribe to my blog for more awesome content.