Windows Hello for Business - user settings and usage

Edited 12.06.2023 08:00 | Petr Bouška - Samuraj
Windows Hello for Business creates a sign-in credential for a user account in Azure AD (or AD): an asymmetric key pair, normally protected by the TPM, that is bound to the specific device. The user always sets a PIN; most often they also enroll a fingerprint (or face) and use the PIN as a fallback. This article describes the process of enrolling (provisioning) Windows Hello on a device, which can take place during the first sign-in after the policy is enabled or later via Windows Settings, and covers signing in and resetting the PIN.

Note: This is the third part of a miniseries on Windows Hello for Business deployed with Cloud Kerberos Trust in a hybrid environment with Hybrid Azure AD Joined devices.

Provisioning Windows Hello for Business

Conditions for Correct Registration

Several conditions must be met before Windows Hello for Business can be registered:

Note: A hybrid environment (Hybrid Azure AD Joined devices) is assumed.

  • the user signs in directly on the device (not via Remote Desktop) and the policy that enables Windows Hello for Business provisioning is applied
  • the device can reach Microsoft (Azure AD) over the network
  • the device can reach a domain controller (needed when the policy comes from Group Policy, and for the first sign-in)
  • the user has multi-factor authentication (MFA) set up
  • the TPM is functional (if the policy requires a hardware-protected key)
  • at least Windows 10 21H2 with KB5010415 installed or Windows 11 21H2 with KB5010414 installed (required for Cloud Kerberos Trust)

Verification of Prerequisites and Logs on the Device

If the conditions are met, the provisioning (registration) of Windows Hello for Business starts right after the user signs in: the profile is loaded and, before the user gets their desktop, they are prompted to set up Windows Hello. The basic condition is that Windows Hello for Business is enabled by policy with post-logon provisioning enabled. For the registration to start, the device must also be able to reach account.microsoft.com.

Information about the registration and the prerequisite check is written to a log on the client. In Event Viewer, open

Applications and Services Logs - Microsoft - Windows - User Device Registration - Admin

and look for Event ID 358, which may look like this:

Windows Hello for Business provisioning will be launched. 
Device is AAD joined ( AADJ or DJ++ ): Yes 
User has logged on with AAD credentials: Yes 
Windows Hello for Business policy is enabled: Yes 
Windows Hello for Business post-logon provisioning is enabled: Yes 
Local computer meets Windows hello for business hardware requirements: Yes 
User is not connected to the machine via Remote Desktop: Yes 
User certificate for on premise auth policy is enabled: No 
Machine is governed by none policy. 
Cloud trust for on premise auth policy is enabled: Yes 
User account has Cloud TGT: Yes

The command dsregcmd /status (dsregcmd /? prints the help) also shows a lot of useful information. In the User State section, NgcSet : YES means the signed-in user already has a Windows Hello key on this device; the CanReset item reports whether (and how) the PIN can be reset.

If the user does not yet have Windows Hello for Business registered on the device, the output also contains an Ngc Prerequisite Check section with the result of each prerequisite check. NGC stands for Next Generation Credential. In the sample below the policy has not been applied yet (PolicyEnabled : NO), so PreReqResult is WillNotProvision; once every check passes it changes to WillProvision.

C:\>dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
          AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : FIRMA
               Device Name : test.firma.local
...
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
...
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
            IsDeviceJoined : YES
             IsUserAzureAD : YES
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
              PreReqResult : WillNotProvision

With Cloud Kerberos Trust we can verify whether we obtained a partial (cloud) TGT from Azure AD at sign-in:

C:\>klist cloud_debug

Current LogonId is 0:0xd1631
Cloud Kerberos Debug info:
Cloud Kerberos enabled by policy: 0
AS_REP callback received: 1
AS_REP callback used: 1
Cloud Referral TGT present in cache: 0
SPN oracle configured: 0
KDC proxy present in cache: 0
Public Key Credential Present: 1
Password-derived Keys Present: 0
Plaintext Password Present: 0
AS_REP Credential Type: 2
Cloud Primary (Hybrid logon) TGT available: 1

Events from the use of Windows Hello for Business (sign-ins, provisioning) are written to the Event Viewer log

Applications and Services Logs - Microsoft - Windows - HelloForBusiness - Operational

Information about the TPM is displayed by

TpmTool GetDeviceInformation
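As an added example (not part of the original article), the following PowerShell script pulls the checks from this section together on one client: it parses dsregcmd /status into the Device State, User State and Ngc Prerequisite Check sections shown above, reads the latest Event ID 358 from the User Device Registration Admin log, filters klist cloud_debug for the cloud TGT lines, lists the most recent HelloForBusiness Operational events and shows TPM presence. The section and key names are those from the output above; the tpmtool field names matched at the end are an assumption and vary by Windows version.

```powershell
# Added example (not from the original article): gather the Windows Hello for Business
# prerequisite state from dsregcmd /status, Event ID 358, klist cloud_debug, the
# HelloForBusiness Operational log and tpmtool, and print what (if anything) blocks
# provisioning. Run on the client as the user being checked; dsregcmd and klist report
# the current logon session.

function Get-DsregSection {
    # Parse the "Key : Value" lines of one boxed section (e.g. "Ngc Prerequisite Check")
    # of dsregcmd /status output into a hashtable. Keys may contain spaces ("Device Name");
    # the value is everything after the first colon.
    param([string[]]$Lines, [string]$Section)
    $result = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\|\s*(.+?)\s*\|$') {        # "| Device State   |" header row
            $inSection = ($Matches[1] -eq $Section)
            continue
        }
        if ($inSection -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $result[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $result
}

$dsreg  = dsregcmd /status
$device = Get-DsregSection -Lines $dsreg -Section 'Device State'
$user   = Get-DsregSection -Lines $dsreg -Section 'User State'
$prereq = Get-DsregSection -Lines $dsreg -Section 'Ngc Prerequisite Check'

"Device: AzureAdJoined={0} DomainJoined={1}" -f $device['AzureAdJoined'], $device['DomainJoined']
"User:   NgcSet={0} CanReset={1}" -f $user['NgcSet'], $user['CanReset']

if ($prereq.Count -gt 0) {
    # The section is present only while the user has no Windows Hello key on this device.
    "PreReqResult: {0}" -f $prereq['PreReqResult']
    # CertEnrollment = none is normal for key trust and cloud Kerberos trust, so it is not a failure.
    $blocking = $prereq.GetEnumerator() |
        Where-Object { $_.Key -ne 'CertEnrollment' -and $_.Key -ne 'PreReqResult' -and $_.Value -eq 'NO' }
    foreach ($b in $blocking) { "  blocking: {0} = {1}" -f $b.Key, $b.Value }
}

# Latest prerequisite evaluation written by the device registration service (Event ID 358).
$filter = @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'; Id = 358 }
$evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) {
    "Event 358 ({0}):" -f $evt.TimeCreated
    $evt.Message -split "`r?`n" | Where-Object { $_ -match ':\s*(Yes|No)\s*$' } | ForEach-Object { "  $_" }
}

# Cloud Kerberos trust: after a hybrid sign-in the cloud (partial) TGT should be available.
klist cloud_debug | Where-Object { $_ -match 'Cloud Kerberos enabled by policy|Cloud Primary \(Hybrid logon\) TGT available' }

# Recent Windows Hello for Business activity (sign-ins, provisioning) and TPM presence.
Get-WinEvent -LogName 'Microsoft-Windows-HelloForBusiness/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
# Assumption: the matched field names depend on the Windows version; adjust the pattern if nothing prints.
tpmtool getdeviceinformation | Select-String -Pattern 'TPM Present|TPM Version|Ready'
```

Any NO reported under "blocking" maps directly to one of the conditions listed at the start of this section (policy not applied, remote session, device not joined, hardware not eligible), which is quicker than reading the whole dsregcmd output on a failing machine.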

First Login After Enabling Provisioning - Setting Up Windows Hello

The exact course of the Windows Hello for Business registration depends on several circumstances: how the policy is set, which hardware the computer has, whether the user signs in with an Azure AD account, and so on. A simple wizard guides us through the whole process.

Note: I did not find descriptions of various special situations, such as when some communication is not available, so I tried to test them. In practice I also encountered a Windows Hello registration page with broken formatting and missing images.

At the first sign-in, a page with information about setting up Windows Hello for Business appears. If the computer has biometric hardware, the first step is to configure it.

Note: Interestingly, this step is available even when the device has no network connection at that moment. If we set up a fingerprint, the configuration proceeds, but we do not get the dialog to set up a PIN (and, of course, nothing is written to Azure AD). After signing in to Windows, a status message states that Windows Hello is set up and we should set up a PIN.

Most commonly, we can set up a fingerprint (during configuration, we must repeatedly place or swipe our finger on the sensor).

Windows Hello for Business - registration 1

If we have more options available, facial recognition or fingerprint, we choose the method we want to configure.

Windows Hello for Business - registration 2

We start the setup by clicking Set up. We can skip it with Skip for now; this takes us to the second step, but the biometric setup is not offered again automatically (it can be done manually in Windows Settings).

The second step appears only if communication with Microsoft is available. The Use Windows Hello with your account page informs us that the organization requires Windows Hello to be set up together with our Azure AD account (Work or School Account). The only option is OK.

Note: This screen does not appear in all cases; sometimes it goes directly to setting up the PIN.

Windows Hello for Business - registration 3

Next comes the configuration of the Windows Hello PIN. First we must sign in with the Azure AD account and complete MFA (the result is valid for 10 minutes, so the rest of the provisioning must finish within that window). The Windows Hello key is then registered in Azure AD.

Windows Hello for Business - registration 4

Then we set up the PIN. If we want to use letters and symbols (not just numbers), we check Include letters and symbols.

Windows Hello for Business - registration 5

Finally we get the message All set. We confirm with OK and are signed in to Windows. On a Hybrid Azure AD Joined device the first sign-in with Windows Hello (biometrics or PIN) requires a reachable domain controller; later sign-ins can use cached credentials.

Setting Up (or Changing) Windows Hello (without provisioning)

Configuration and later changes are made in Windows Settings:

  • Settings - Accounts - Sign-in options

Here we can set up and add further sign-in options, enroll fingerprints, change the PIN, etc. Windows shows which methods are allowed and available. We must be signed in directly on the computer (not via RDP) and Windows Hello must be enabled by policy.

Windows Hello for Business - Sign-in options

If the policy that allows Windows Hello has been applied but the user has not signed in since (so provisioning has not run yet), the methods can be set up manually. The same applies if post-logon registration is disabled in the policy (Do not start Windows Hello provisioning after sign-in): the registration can then be done manually at any time, or through a third-party application.

Windows Hello for Business - Sign-in options Fingerprint

If a fingerprint reader is available, we can start with Windows Hello Fingerprint. A wizard guides us through enrolling one or more fingerprints (we must repeatedly place or swipe the finger on the sensor). Alternatively we start with Windows Hello PIN (the description continues in the next step).

Windows Hello for Business - fingerprint registration

If we have not previously set up a PIN, we must set it up subsequently.

Windows Hello for Business - PIN setup

It is necessary to sign in with the Azure AD account using MFA (multi-factor authentication, valid for 10 minutes).

Windows Hello for Business - sign-in with an Azure AD account

We enter our PIN. If we want to use letters and symbols (not just numbers), we check Include letters and symbols.

Windows Hello for Business  - Set up a PIN

Signing in with Windows Hello

One verification method is set as the default for signing in. A fingerprint can be used directly (the screen does not need to be activated first). To use another method, click Sign-in options and choose one of the available methods.

Windows Hello for Business - sign-in and Sign-in options

Note: For the first login using biometrics or PIN, the domain controller must be available. In other cases, cached login can be used.

Changing or Resetting the PIN

We can change our Windows Hello PIN. If we forget it, we can reset it: we sign in, verify with MFA and set a new PIN.

From Windows Settings

A change or reset of the PIN can be started from Windows Settings:

  • Settings - Accounts - Sign-in options
  • click on Windows Hello PIN
  • Change - change the PIN
  • I forgot my PIN - reset the PIN
Windows Hello for Business - Sign-in options, PIN change

From the Sign-in Screen

The PIN can also be reset from the sign-in/lock screen:

  • if the PIN method is not selected, use Sign-in options and select the keyboard icon
  • click on I forgot my PIN
  • sign in using your password
  • go through the PIN registration process
Windows Hello for Business - I forgot my PIN

Remote Desktop - connecting to a remote computer

Windows Hello for Business is meant for interactive (local) sign-in to the computer. When signing in to a computer remotely (Remote Desktop), a different credential must be used, normally the password.

If we are signed in to the computer with Windows Hello for Business and use Remote Desktop Connection from it to reach another computer, the client first offers the Windows Hello credential, which does not work for the remote sign-in. We have to click More choices and select sign-in with a username and password. The exception is a dedicated certificate for remote sign-in issued to the user and protected by the Windows Hello for Business key; the client then shows it as a Security device credential.

Windows Hello for Business - RDP with a Smart Card Logon certificate 2
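To see whether such a certificate exists before trying the remote connection, the following PowerShell script (an added example, not part of the original article) lists the certificates in the user's personal store, reads the provider that holds each private key and flags those whose key is protected by Windows Hello for Business (the Microsoft Passport Key Storage Provider) and that carry the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2), which is the combination Remote Desktop can use. Only the certificate store of the current user is inspected; the provider and EKU names are standard Windows values, not taken from the article.

```powershell
# Added example (not from the original article): find certificates in the current user's
# personal store whose private key lives behind the Windows Hello for Business key
# ("Microsoft Passport Key Storage Provider") and that have the Smart Card Logon EKU,
# i.e. the "Security device" credential Remote Desktop Connection can use. Run as the
# signed-in user (not elevated, so the user's own store is read).

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$WhfbProvider      = 'Microsoft Passport Key Storage Provider'

function Get-PrivateKeyProvider {
    # Return the name of the key storage provider (CNG) or CSP (CAPI) that holds the
    # certificate's private key, or $null if the key is not accessible from this session.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if (-not $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
        }
        if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
            return $key.Key.Provider.Provider          # CNG: e.g. Microsoft Passport Key Storage Provider
        }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $key.CspKeyContainerInfo.ProviderName   # legacy CAPI CSP
        }
    } catch {
        # Keys of other users or hardware tokens that are not present end up here.
    }
    return $null
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert     = $_
    $provider = Get-PrivateKeyProvider -Cert $cert
    # Collect the EKU OIDs; a certificate without an EKU extension yields an empty list.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        Provider       = $provider
        WhfbProtected  = ($provider -eq $WhfbProvider)
        SmartCardLogon = ($ekus -contains $SmartCardLogonOid)
        UsableForRdp   = ($provider -eq $WhfbProvider) -and ($ekus -contains $SmartCardLogonOid)
    }
} | Format-Table -AutoSize
```

A row with UsableForRdp = True is the certificate Remote Desktop Connection shows as a Security device credential; using it still requires the remote computer and its domain controller to trust the issuing CA, exactly as for any smart card logon.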

Comments
  1. [1] Jan

    Hi, thanks for this article! I was just working on hybrid and the article helped me.

    Tuesday, 05.12.2023 10:46
  2. [2] katka

    Great, we already have it deployed; excellent article.

    Thursday, 07.12.2023 12:25